Annotation of src/usr.bin/bdes/bdes.1, Revision 1.1.1.1
1.1 deraadt 1: .\" $NetBSD: bdes.1,v 1.1 1995/07/24 04:30:51 cgd Exp $
2: .\"
3: .\" Copyright (c) 1991, 1993
4: .\" The Regents of the University of California. All rights reserved.
5: .\"
6: .\" This code is derived from software contributed to Berkeley by
7: .\" Matt Bishop of Dartmouth College.
8: .\"
9: .\" Redistribution and use in source and binary forms, with or without
10: .\" modification, are permitted provided that the following conditions
11: .\" are met:
12: .\" 1. Redistributions of source code must retain the above copyright
13: .\" notice, this list of conditions and the following disclaimer.
14: .\" 2. Redistributions in binary form must reproduce the above copyright
15: .\" notice, this list of conditions and the following disclaimer in the
16: .\" documentation and/or other materials provided with the distribution.
17: .\" 3. All advertising materials mentioning features or use of this software
18: .\" must display the following acknowledgement:
19: .\" This product includes software developed by the University of
20: .\" California, Berkeley and its contributors.
21: .\" 4. Neither the name of the University nor the names of its contributors
22: .\" may be used to endorse or promote products derived from this software
23: .\" without specific prior written permission.
24: .\"
25: .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
26: .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
27: .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
28: .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
29: .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
30: .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
31: .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
32: .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
33: .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
34: .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35: .\" SUCH DAMAGE.
36: .\"
37: .\" @(#)bdes.1 8.1 (Berkeley) 6/29/93
38: .\"
39: .TH BDES 1 "June 29, 1993"
40: .UC 6
41: .SH NAME
42: bdes \- encrypt/decrypt using the Data Encryption Standard
43: .SH SYNOPSIS
44: .nf
45: .ft B
46: bdes [ \-abdp ] [ \-F N ] [ \-f N ] [ \-k key ]
47: .ti +5
48: [ \-m N ] [ \-o N ] [ \-v vector ]
49: .ft R
50: .fi
51: .SH WARNING
52: The
53: .I bdes
54: program installed on this system does not support
55: encryption, because it was obtained as part of the
56: ``exportable'' distribution of
57: .IR NetBSD .
58: .SH DESCRIPTION
59: .I Bdes
60: implements all DES modes of operation described in FIPS PUB 81,
61: including alternative cipher feedback mode and both authentication
62: modes.
63: .I Bdes
64: reads from the standard input and writes to the standard output.
65: By default, the input is encrypted using cipher block chaining mode.
66: Using the same key for encryption and decryption preserves plain text.
67: .PP
68: All modes but the electronic code book mode require an initialization
69: vector; if none is supplied, the zero vector is used.
70: If no
71: .I key
72: is specified on the command line, the user is prompted for one (see
73: .IR getpass (3)
74: for more details).
75: .PP
76: The options are as follows:
77: .TP
78: \-a
79: The key and initialization vector strings are to be taken as ASCII,
80: suppressing the special interpretation given to leading ``0X'', ``0x'',
81: ``0B'', and ``0b'' characters.
82: This flag applies to
83: .I both
84: the key and initialization vector.
85: .TP
86: \-b
87: Use electronic code book mode.
88: .TP
89: \-d
90: Decrypt the input.
91: .TP
92: \-F
93: Use
94: .IR N -bit
95: alternative cipher feedback mode.
96: Currently
97: .I N
98: must be a multiple of 7 between 7 and 56 inclusive (this does not conform
99: to the alternative CFB mode specification).
100: .TP
101: \-f
102: Use
103: .IR N -bit
104: cipher feedback mode.
105: Currently
106: .I N
107: must be a multiple of 8 between 8 and 64 inclusive (this does not conform
108: to the standard CFB mode specification).
109: .TP
110: \-k
111: Use
112: .I key
113: as the cryptographic key.
114: .TP
115: \-m
116: Compute a message authentication code (MAC) of
117: .I N
118: bits on the input.
119: The value of
120: .I N
121: must be between 1 and 64 inclusive; if
122: .I N
123: is not a multiple of 8, enough 0 bits will be added to pad the MAC length
124: to the nearest multiple of 8.
125: Only the MAC is output.
126: MACs are only available in cipher block chaining mode or in cipher feedback
127: mode.
128: .TP
129: \-o
130: Use
131: .IR N -bit
132: output feedback mode.
133: Currently
134: .I N
135: must be a multiple of 8 between 8 and 64 inclusive (this does not conform
136: to the OFB mode specification).
137: .TP
138: \-p
139: Disable the resetting of the parity bit.
140: This flag forces the parity bit of the key to be used as typed, rather than
141: making each character be of odd parity.
142: It is used only if the key is given in ASCII.
143: .TP
144: \-v
145: Set the initialization vector to
146: .IR vector ;
147: the vector is interpreted in the same way as the key.
148: The vector is ignored in electronic codebook mode.
149: .PP
150: The key and initialization vector are taken as sequences of ASCII
151: characters which are then mapped into their bit representations.
152: If either begins with ``0X'' or ``0x'',
153: that one is taken as a sequence of hexadecimal digits indicating the
154: bit pattern;
155: if either begins with ``0B'' or ``0b'',
156: that one is taken as a sequence of binary digits indicating the bit pattern.
157: In either case,
158: only the leading 64 bits of the key or initialization vector
159: are used,
160: and if fewer than 64 bits are provided, enough 0 bits are appended
161: to pad the key to 64 bits.
162: .PP
163: According to the DES standard, the low-order bit of each character in the
164: key string is deleted.
165: Since most ASCII representations set the high-order bit to 0, simply
166: deleting the low-order bit effectively reduces the size of the key space
167: from 2\u\s-356\s0\d to 2\u\s-348\s0\d keys.
168: To prevent this, the high-order bit must be a function depending in part
169: upon the low-order bit; so, the high-order bit is set to whatever value
170: gives odd parity.
171: This preserves the key space size.
172: Note this resetting of the parity bit is
173: .I not
174: done if the key is given in binary or hex, and can be disabled for ASCII
175: keys as well.
176: .PP
177: The DES is considered a very strong cryptosystem, and other than table lookup
178: attacks, key search attacks, and Hellman's time-memory tradeoff (all of which
179: are very expensive and time-consuming), no cryptanalytic methods for breaking
180: the DES are known in the open literature.
181: No doubt the choice of keys and key security are the most vulnerable aspect
182: of
183: .IR bdes .
184: .SH IMPLEMENTATION NOTES
185: For implementors wishing to write software compatible with this program,
186: the following notes are provided.
187: This software is believed to be compatible with the implementation of the
188: data encryption standard distributed by Sun Microsystems, Inc.
189: .PP
190: In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes,
191: also called a block).
192: To ensure that the plaintext file is encrypted correctly,
193: .I bdes
194: will (internally) append from 1 to 8 bytes, the last byte containing an
195: integer stating how many bytes of that final block are from the plaintext
196: file, and encrypt the resulting block.
197: Hence, when decrypting, the last block may contain from 0 to 7 characters
198: present in the plaintext file, and the last byte tells how many.
199: Note that if during decryption the last byte of the file does not contain an
200: integer between 0 and 7, either the file has been corrupted or an incorrect
201: key has been given.
202: A similar mechanism is used for the OFB and CFB modes, except that those
203: simply require the length of the input to be a multiple of the mode size,
204: and the final byte contains an integer between 0 and one less than the number
205: of bytes being used as the mode.
206: (This was another reason that the mode size must be a multiple of 8 for those
207: modes.)
208: .PP
209: Unlike Sun's implementation, unused bytes of that last block are not filled
210: with random data, but instead contain what was in those byte positions in
211: the preceding block.
212: This is quicker and more portable, and does not weaken the encryption
213: significantly.
214: .PP
215: If the key is entered in ASCII, the parity bits of the key characters are set
216: so that each key character is of odd parity.
217: Unlike Sun's implementation, it is possible to enter binary or hexadecimal
218: keys on the command line, and if this is done, the parity bits are
219: .I not
220: reset.
221: This allows testing using arbitrary bit patterns as keys.
222: .PP
223: The Sun implementation always uses an initialization vector of 0
224: (that is, all zeroes).
225: By default,
226: .I bdes
227: does too, but this may be changed from the command line.
228: .SH SEE ALSO
229: crypt(1), crypt(3), getpass(3)
230: .sp
231: .IR "Data Encryption Standard" ,
232: Federal Information Processing Standard #46,
233: National Bureau of Standards,
234: U.S. Department of Commerce,
235: Washington DC
236: (Jan. 1977)
237: .sp
238: .IR "DES Modes of Operation" ,
239: Federal Information Processing Standard #81,
240: National Bureau of Standards,
241: U.S. Department of Commerce
242: Washington DC
243: (Dec. 1980)
244: .sp
245: Dorothy Denning,
246: .IR "Cryptography and Data Security" ,
247: Addison-Wesley Publishing Co.,
248: Reading, MA
249: \(co1982.
250: .sp
251: Matt Bishop,
252: .IR "Implementation Notes on bdes(1)" ,
253: Technical Report PCS-TR-91-158,
254: Department of Mathematics and Computer Science,
255: Dartmouth College,
256: Hanover, NH 03755
257: (Apr. 1991).
258: .SH DISCLAIMER
259: .nf
260: THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
261: ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
262: IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
263: ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
264: FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
265: DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
266: OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
267: HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
268: LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
269: OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
270: SUCH DAMAGE.
271: .fi
272: .SH BUGS
273: There is a controversy raging over whether the DES will still be secure
274: in a few years.
275: The advent of special-purpose hardware could reduce the cost of any of the
276: methods of attack named above so that they are no longer computationally
277: infeasible.
278: .PP
279: As the key or key schedule is stored in memory, the encryption can be
280: compromised if memory is readable.
281: Additionally, programs which display programs' arguments may compromise the
282: key and initialization vector, if they are specified on the command line.
283: To avoid this
284: .I bdes
285: overwrites its arguments, however, the obvious race cannot currently be
286: avoided.
287: .PP
288: Certain specific keys should be avoided because they introduce potential
289: weaknesses; these keys, called the
290: .I weak
291: and
292: .I semiweak
293: keys, are (in hex notation, where p is either 0 or 1, and P is either
294: e or f):
295: .sp
296: .nf
297: .in +10n
298: .ta \w'0x0p0p0p0p0p0p0p0p\0\0\0'u+5n
299: 0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P
300: 0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP
301: 0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P
302: 0x1Pep1Pep0Pfp0Pfp 0x1PfP1PfP0PfP0PfP
303: 0xep0pep0pfp0pfp0p 0xep1Pep1pfp0Pfp0P
304: 0xepepepepepepepep 0xepfPepfPfpfPfpfP
305: 0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P
306: 0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP
307: .fi
308: .in -10n
309: .sp
310: This is inherent in the DES algorithm (see Moore and Simmons,
311: \*(LqCycle structure of the DES with weak and semi-weak keys,\*(Rq
312: .I "Advances in Cryptology \- Crypto '86 Proceedings" ,
313: Springer-Verlag New York, \(co1987, pp. 9-32.)