.\" version 1.6, 2003/06/03 02:56:06
.\" version 1.7, 2004/05/31 18:42:58
.\"
.\" $OpenBSD$
.\" $NetBSD: bdes.1,v 1.1 1995/07/24 04:30:51 cgd Exp $
.\" $NetBSD: bdes.1,v 1.11 2003/08/07 11:13:11 agc Exp $
.\"
.\" Copyright (c) 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" @(#)bdes.1 8.1 (Berkeley) 6/29/93
.\"
.Dd June 29, 1993
.Dt BDES 1
.Os
.Sh NAME
.Nm bdes
.Nd encrypt/decrypt using the Data Encryption Standard
.Sh SYNOPSIS
.Nm
.Op Fl abdp
.Op Fl F Ar N
.Op Fl f Ar N
.Op Fl k Ar key
.Op Fl m Ar N
.Op Fl o Ar N
.Op Fl v Ar vector
.Sh DESCRIPTION
.Nm
implements all DES modes of operation described in FIPS PUB 81,
including alternative cipher feedback mode and both authentication
modes.
.Nm
reads from the standard input and writes to the standard output.
By default, the input is encrypted using cipher block chaining mode.
Using the same key for encryption and decryption preserves plain text.
.Pp
All modes but the electronic code book mode require an initialization
vector; if none is supplied, the zero vector is used.
If no
.Ar key
is specified on the command line, the user is prompted for one (see
.Xr getpass 3
for more details).
.Pp
The options are as follows:
.Bl -tag -width "-v vector"
.It Fl a
The key and initialization vector strings are to be taken as ASCII,
suppressing the special interpretation given to leading
.Dq 0X ,
.Dq 0x ,
.Dq 0B
and
.Dq 0b
characters.
This flag applies to
.Em both
the key and initialization vector.
.It Fl b
Use electronic code book mode.
This is not recommended for messages
longer than 8 bytes, as patterns in the input will show through to the
output.
.It Fl d
Decrypt the input.
.It Fl F Ar N
Use
.Ar N Ns -bit
alternative cipher feedback mode.
Currently
.Ar N
must be a multiple of 7 between 7 and 56 inclusive (this does not conform
to the alternative CFB mode specification).
.It Fl f Ar N
Use
.Ar N Ns -bit
cipher feedback mode.
Currently
.Ar N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
to the standard CFB mode specification).
.It Fl k Ar key
Use
.Ar key
as the cryptographic key.
.It Fl m Ar N
Compute a message authentication code (MAC) of
.Ar N
bits on the input.
The value of
.Ar N
must be between 1 and 64 inclusive; if
.Ar N
is not a multiple of 8, enough 0 bits will be added to pad the MAC length
to the nearest multiple of 8.
Only the MAC is output.
MACs are only available in cipher block chaining mode or in cipher feedback
mode.
.It Fl o Ar N
Use
.Ar N Ns -bit
output feedback mode.
Currently
.Ar N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
to the OFB mode specification).
.It Fl p
Disable the resetting of the parity bit.
This flag forces the parity bit of the key to be used as typed, rather than
making each character be of odd parity.
It is used only if the key is given in ASCII.
.It Fl v Ar vector
Set the initialization vector to
.Ar vector ;
the vector is interpreted in the same way as the key.
The vector is ignored in electronic codebook mode.
For best security, a different
initialization vector should be used for each file.
.El
.Pp
The key and initialization vector are taken as sequences of ASCII
characters which are then mapped into their bit representations.
If either begins with
.Dq 0X
or
.Dq 0x ,
that one is taken as a sequence of hexadecimal digits indicating the
bit pattern;
if either begins with
.Dq 0B
or
.Dq 0b ,
that one is taken as a sequence of binary digits indicating the bit pattern.
In either case,
only the leading 64 bits of the key or initialization vector
are used,
and if fewer than 64 bits are provided, enough 0 bits are appended
to pad the key to 64 bits.
.Pp
According to the DES standard, the low-order bit of each character in the
key string is deleted.
Since most ASCII representations set the high-order bit to 0, simply
deleting the low-order bit effectively reduces the size of the key space
from
.if t 2\u\s-356\s0\d
.if n 2**56
to
.if t 2\u\s-348\s0\d
.if n 2**48
keys.
To prevent this, the high-order bit must be a function depending in part
upon the low-order bit; so, the high-order bit is set to whatever value
gives odd parity.
This preserves the key space size.
Note this resetting of the parity bit is
.Em not
done if the key is given in binary or hex, and can be disabled for ASCII
keys as well.
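The following is an added example, not code from bdes(1) itself, showing the key and vector interpretation just described: prefix handling, truncation and zero padding to 64 bits, and the odd-parity rule for ASCII keys, with the -a and -p behaviour as parameters. It also shows why the parity rule matters: two ASCII keys that differ only in each byte's low-order bit select the same DES key unless the high-order bit is reset.

```python
# Added example (not bdes's own code): how a bdes(1)-style key or -v vector
# string becomes 64 key bits, following the rules in the text above.


def odd_parity(byte: int) -> int:
    """Set the high-order bit so the byte has an odd number of 1 bits.

    DES discards the low-order bit of each key byte; bdes makes the high-order
    bit depend on it (odd parity) so ASCII keys keep 2**56 possibilities.
    """
    low7 = byte & 0x7F
    return low7 | (0x80 if bin(low7).count("1") % 2 == 0 else 0x00)


def parse_key(text: str, ascii_only: bool = False, keep_parity: bool = False) -> bytes:
    """Map a key/vector string to 8 bytes.

    ascii_only  mirrors -a: a leading 0x/0X or 0b/0B gets no special meaning.
    keep_parity mirrors -p: leave ASCII key bytes exactly as typed.
    Only the leading 64 bits are used; shorter input is padded with 0 bits.
    Hex and binary keys are never parity-adjusted.
    """
    prefix = text[:2]
    if not ascii_only and prefix in ("0x", "0X"):
        bits = "".join(f"{int(c, 16):04b}" for c in text[2:])
        is_ascii = False
    elif not ascii_only and prefix in ("0b", "0B"):
        bits = text[2:]
        if set(bits) - {"0", "1"}:
            raise ValueError("binary key may contain only 0 and 1")
        is_ascii = False
    else:
        bits = "".join(f"{b:08b}" for b in text.encode("ascii"))
        is_ascii = True
    bits = bits[:64].ljust(64, "0")          # truncate or zero-pad to 64 bits
    key = bytes(int(bits[i:i + 8], 2) for i in range(0, 64, 8))
    if is_ascii and not keep_parity:
        key = bytes(odd_parity(b) for b in key)
    return key


def des_effective_key(key: bytes) -> bytes:
    """The 56 bits DES actually uses: low-order bit of each byte cleared."""
    return bytes(b & 0xFE for b in key)


def same_des_key(a: str, b: str, keep_parity: bool = False) -> bool:
    """True when two ASCII key strings select the same 56-bit DES key."""
    return des_effective_key(parse_key(a, keep_parity=keep_parity)) == \
        des_effective_key(parse_key(b, keep_parity=keep_parity))
```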
.Pp
The DES is considered a strong cryptosystem hobbled by a short
key, and other than table lookup attacks, key search attacks, and
Hellman's time-memory tradeoff (all of which are expensive and
time-consuming), no practical cryptanalytic methods for breaking the
DES are known in the open literature.
As of this writing, the best
known cryptanalytic method is linear cryptanalysis, which requires an
average of
.if t 2\u\s-343\s0\d
.if n 2**43
known plaintext-ciphertext pairs to succeed.
Unfortunately for the DES, key search attacks (requiring only
a single known plaintext-ciphertext pair and trying
.if t 2\u\s-355\s0\d
.if n 2**55
keys on average) are becoming practical.
.Pp
As with all cryptosystems, the choice of keys and
key security remain the most vulnerable aspect of
.Nm .
.Sh IMPLEMENTATION NOTES
For implementors wishing to write software compatible with this program,
the following notes are provided.
This software is believed to be compatible with the implementation of the
data encryption standard distributed by Sun Microsystems, Inc.
.Pp
In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes,
also called a block).
To ensure that the plaintext file is encrypted correctly,
.Nm
will (internally) append from 1 to 8 bytes, the last byte containing an
integer stating how many bytes of that final block are from the plaintext
file, and encrypt the resulting block.

of bytes being used as the mode.
(This was another reason that the mode size must be a multiple of 8 for those
modes.)
.Pp
Unlike Sun's implementation, unused bytes of that last block are not filled
with random data, but instead contain what was in those byte positions in
the preceding block.
This is quicker and more portable, and does not weaken the encryption
significantly.
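As an added example (not the program's own code), here is the final-block convention just described for the ECB and CBC modes, written out so that a compatible implementation can pad before encrypting and strip the padding after decrypting. It reads "preceding block" as the preceding plaintext block, and assumes zero filler when the input is shorter than one block, a case the notes do not specify.

```python
# Added example (not bdes's own code): the final-block padding convention
# described in the implementation notes above.

BLOCK = 8  # DES block size in bytes


def bdes_pad(plaintext: bytes, first_block_fill: bytes = bytes(BLOCK)) -> bytes:
    """Append 1 to 8 bytes so the length is a whole number of blocks.

    The final block carries r (0..7) leftover plaintext bytes, then filler
    copied from the same byte positions of the preceding plaintext block
    (not random data), then a count byte holding r.  When the input is
    shorter than one block there is no preceding block; this example
    assumes zeros (first_block_fill), which the notes leave unspecified.
    """
    r = len(plaintext) % BLOCK
    body, tail = plaintext[:len(plaintext) - r], plaintext[len(plaintext) - r:]
    prev = body[-BLOCK:] if body else first_block_fill
    filler = prev[r:BLOCK - 1]          # positions r .. 6 of the previous block
    return body + tail + filler + bytes([r])


def bdes_unpad(padded: bytes) -> bytes:
    """Undo bdes_pad, rejecting a count byte that cannot be valid.

    A count above 7 can only come from corruption or a mismatched key, so it
    is an error rather than something to silently clamp.
    """
    if len(padded) < BLOCK or len(padded) % BLOCK:
        raise ValueError("input is not a whole number of blocks")
    r = padded[-1]
    if r > BLOCK - 1:
        raise ValueError(f"final-block count {r} exceeds 7")
    last = padded[-BLOCK:]
    return padded[:-BLOCK] + last[:r]
```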
.Pp
If the key is entered in ASCII, the parity bits of the key characters are set
so that each key character is of odd parity.
Unlike Sun's implementation, it is possible to enter binary or hexadecimal
keys on the command line, and if this is done, the parity bits are
.Em not
reset.
This allows testing using arbitrary bit patterns as keys.
.Pp
The Sun implementation always uses an initialization vector of 0
(that is, all zeroes).
By default,
.Nm
does too, but this may be changed from the command line.
.Sh SEE ALSO
.Xr crypt 3 ,
.Xr getpass 3
.Pp
.Em "Data Encryption Standard" ,
Federal Information Processing Standard #46,
National Bureau of Standards,
U.S. Department of Commerce,
Washington DC
(Jan. 1977).
.Pp
.Em "DES Modes of Operation" ,
Federal Information Processing Standard #81,
National Bureau of Standards,
U.S. Department of Commerce,
Washington DC
(Dec. 1980).
.Pp
Dorothy Denning,
.Em "Cryptography and Data Security" ,
Addison-Wesley Publishing Co.,
Reading, MA
\(co1982.
.Pp
Matt Bishop,
.Em "Implementation Notes on bdes(1)" ,
Technical Report PCS-TR-91-158,
Department of Mathematics and Computer Science,
Dartmouth College,
Hanover, NH 03755
(Apr. 1991).
.Pp
M.J. Wiener,
.Em "Efficient DES Key Search" ,
Technical Report 244,
School of Computer Science,
Carleton University
(May 1994).
.Pp
Bruce Schneier,
.Em "Applied Cryptography (2nd edition)" ,
John Wiley \*[Am] Sons, Inc.,
New York, NY
\(co1996.
.Pp
M. Matsui,
.Em "Linear Cryptanalysis Method for DES Cipher" ,
Advances in Cryptology -- Eurocrypt '93 Proceedings,
Springer-Verlag
\(co1994.
.Pp
Blaze, Diffie, Rivest, Schneier, Shimomura, Thompson, and Wiener,
.Em "Minimal Key Lengths for Symmetric Ciphers To Provide Adequate Commercial Security" ,
Business Software Alliance,
http://www.bsa.org/policy/encryption/cryptographers.html
(January 1996).
.Sh BUGS
When this document was originally written, there was a controversy
raging over whether the DES would still be secure in a few years.
There is now near-universal consensus in the cryptographic community
that the key length of the DES is far too short.
The advent of
special-purpose hardware could reduce the cost of any of the methods
of attack named above so that they are no longer computationally
infeasible; in addition, the explosive growth in the number and speed
of modern microprocessors as well as advances in programmable logic
devices has brought an attack using only commodity hardware into the
realm of possibility.
Schneier and others currently recommend using
cryptosystems with keys of at least 90 bits when long-term security is
needed.
.Pp
As the key or key schedule is stored in memory, the encryption can be
compromised if memory is readable.
Additionally, programs which display programs' arguments may compromise the
key and initialization vector, if they are specified on the command line.
To avoid this
.Nm
overwrites its arguments; however, the obvious race cannot currently be
avoided.
.Pp
Certain specific keys should be avoided because they introduce potential
weaknesses; these keys, called the
.Em weak
and
.Em semiweak
keys, are (in hex notation, where p is either 0 or 1, and P is either
e or f):
.Bd -literal -offset indent
0x0p0p0p0p0p0p0p0p	0x0p1P0p1P0p0P0p0P
0x0pep0pep0pfp0pfp	0x0pfP0pfP0pfP0pfP
0x1P0p1P0p0P0p0P0p	0x1P1P1P1P0P0P0P0P

0xepepepepepepepep	0xepfPepfPfpfPfpfP
0xfP0pfP0pfP0pfP0p	0xfP1PfP1PfP0PfP0P
0xfPepfPepfPepfPep	0xfPfPfPfPfPfPfPfP
.Ed
.Pp
This is inherent in the DES algorithm (see Moore and Simmons,
.Do
Cycle structure of the DES with weak and semi-weak keys
.Dc ,
.Em "Advances in Cryptology \- Crypto '86 Proceedings" ,
Springer-Verlag New York, \(co1987, pp. 9-32.)