Annotation of src/usr.bin/bdes/bdes.1, Revision 1.10
.\" $OpenBSD: bdes.1,v 1.9 2004/12/03 15:18:14 jsg Exp $
.\" $NetBSD: bdes.1,v 1.11 2003/08/07 11:13:11 agc Exp $
.\"
.\" Copyright (c) 1991, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" This code is derived from software contributed to Berkeley by
.\" Matt Bishop of Dartmouth College.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)bdes.1 8.1 (Berkeley) 6/29/93
.\"
.Dd $Mdocdate$
.Dt BDES 1
.Os
.Sh NAME
.Nm bdes
.Nd encrypt/decrypt using the Data Encryption Standard
.Sh SYNOPSIS
.Nm
.Op Fl abdp
.Op Fl F Ar N
.Op Fl f Ar N
.Op Fl k Ar key
.Op Fl m Ar N
.Op Fl o Ar N
.Op Fl v Ar vector
.Sh DESCRIPTION
.Nm
implements all DES modes of operation described in FIPS PUB 81,
including alternative cipher feedback mode and both authentication
modes.
.Nm
reads from the standard input and writes to the standard output.
By default, the input is encrypted using cipher block chaining mode.
Using the same key for encryption and decryption preserves the plaintext.
.Pp
All modes but the electronic code book mode require an initialization
vector; if none is supplied, the zero vector is used.
If no
.Ar key
is specified on the command line, the user is prompted for one (see
.Xr getpass 3
for more details).
.Pp
The options are as follows:
.Bl -tag -width "-v vector"
.It Fl a
The key and initialization vector strings are to be taken as ASCII,
suppressing the special interpretation given to leading
.Dq 0X ,
.Dq 0x ,
.Dq 0B
and
.Dq 0b
characters.
This flag applies to
.Em both
the key and initialization vector.
.It Fl b
Use electronic code book mode.
This is not recommended for messages
longer than 8 bytes, as patterns in the input will show through to the
output.
.It Fl d
Decrypt the input.
.It Fl F Ar N
Use
.Ar N Ns -bit
alternative cipher feedback mode.
Currently
.Ar N
must be a multiple of 7 between 7 and 56 inclusive (this does not conform
to the alternative CFB mode specification).
.It Fl f Ar N
Use
.Ar N Ns -bit
cipher feedback mode.
Currently
.Ar N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
to the standard CFB mode specification).
.It Fl k Ar key
Use
.Ar key
as the cryptographic key.
.It Fl m Ar N
Compute a message authentication code (MAC) of
.Ar N
bits on the input.
The value of
.Ar N
must be between 1 and 64 inclusive; if
.Ar N
is not a multiple of 8, enough 0 bits will be added to pad the MAC length
to the nearest multiple of 8.
Only the MAC is output.
MACs are only available in cipher block chaining mode or in cipher feedback
mode.
.It Fl o Ar N
Use
.Ar N Ns -bit
output feedback mode.
Currently
.Ar N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
to the OFB mode specification).
.It Fl p
Disable the resetting of the parity bit.
This flag forces the parity bit of the key to be used as typed, rather than
making each character be of odd parity.
It is used only if the key is given in ASCII.
.It Fl v Ar vector
Set the initialization vector to
.Ar vector ;
the vector is interpreted in the same way as the key.
The vector is ignored in electronic code book mode.
For best security, a different
initialization vector should be used for each file.
.El
.Pp
The key and initialization vector are taken as sequences of ASCII
characters which are then mapped into their bit representations.
If either begins with
.Dq 0X
or
.Dq 0x ,
that one is taken as a sequence of hexadecimal digits indicating the
bit pattern;
if either begins with
.Dq 0B
or
.Dq 0b ,
that one is taken as a sequence of binary digits indicating the bit pattern.
In either case,
only the leading 64 bits of the key or initialization vector
are used,
and if fewer than 64 bits are provided, enough 0 bits are appended
to pad the key to 64 bits.
.Pp
According to the DES standard, the low-order bit of each character in the
key string is deleted.
Since most ASCII representations set the high-order bit to 0, simply
deleting the low-order bit effectively reduces the size of the key space
from
.if t 2\u\s-356\s0\d
.if n 2**56
to
.if t 2\u\s-348\s0\d
.if n 2**48
keys.
To prevent this, the high-order bit must be a function depending in part
upon the low-order bit; so, the high-order bit is set to whatever value
gives odd parity.
This preserves the key space size.
Note this resetting of the parity bit is
.Em not
done if the key is given in binary or hex, and can be disabled for ASCII
keys as well.
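The key-string rules of the two paragraphs above, written out as an added example (this is not code from bdes or from OpenBSD): a parser that honours the 0x/0X and 0b/0B prefixes, keeps only the leading 64 bits with zero-fill, and for ASCII keys sets the high-order bit of each character to give odd parity. The function names and the ascii_only/keep_parity arguments, which stand in for the -a and -p flags, are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Odd parity of a byte: 1 when the number of set bits is odd. */
static int odd_parity(uint8_t b)
{
    int ones = 0;
    for (; b != 0; b >>= 1)
        ones += b & 1;
    return ones & 1;
}

/*
 * Map a key or initialization vector string to 8 bytes.  ascii_only plays
 * the role of -a (no prefix interpretation) and keep_parity of -p (leave
 * the parity bit as typed); both names are this example's own.
 * Returns 0 on success, -1 on an invalid hex or binary digit.
 */
int bdes_parse_key(const char *s, int ascii_only, int keep_parity, uint8_t key[8])
{
    size_t i, nbits = 0;

    memset(key, 0, 8);                      /* missing bits are zero-filled */

    if (!ascii_only && s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {
        /* Hexadecimal: 4 bits per digit, only the leading 64 bits are used. */
        for (i = 2; s[i] != '\0' && nbits < 64; i++, nbits += 4) {
            int v;
            if (s[i] >= '0' && s[i] <= '9')      v = s[i] - '0';
            else if (s[i] >= 'a' && s[i] <= 'f') v = s[i] - 'a' + 10;
            else if (s[i] >= 'A' && s[i] <= 'F') v = s[i] - 'A' + 10;
            else return -1;
            key[nbits / 8] |= (uint8_t)(nbits % 8 == 0 ? v << 4 : v);
        }
        return 0;
    }
    if (!ascii_only && s[0] == '0' && (s[1] == 'b' || s[1] == 'B')) {
        /* Binary: one bit per digit, most significant bit first. */
        for (i = 2; s[i] != '\0' && nbits < 64; i++, nbits++) {
            if (s[i] != '0' && s[i] != '1')
                return -1;
            if (s[i] == '1')
                key[nbits / 8] |= (uint8_t)(0x80 >> (nbits % 8));
        }
        return 0;
    }
    /*
     * ASCII: one character per key byte.  DES discards the low-order bit, so
     * the high-order bit is set to whatever value gives the byte odd parity;
     * that bit then depends on the low-order bit and the key space stays 2**56.
     */
    for (i = 0; i < 8 && s[i] != '\0'; i++) {
        uint8_t c = (uint8_t)s[i];
        if (!keep_parity && !odd_parity(c))
            c ^= 0x80;
        key[i] = c;
    }
    return 0;
}

/* Test helper: 1 if s parses to the 16 lowercase hex digits in expect_hex,
 * 0 if it parses to something else, -1 if parsing fails. */
int bdes_key_is(const char *s, int ascii_only, int keep_parity, const char *expect_hex)
{
    uint8_t key[8];
    char hex[17];
    int i;
    if (bdes_parse_key(s, ascii_only, keep_parity, key) != 0)
        return -1;
    for (i = 0; i < 8; i++)
        snprintf(hex + 2 * i, 3, "%02x", key[i]);
    return strcmp(hex, expect_hex) == 0;
}

int main(void)
{
    uint8_t key[8];
    int i;
    /* "abc" as typed: 'c' (0x63) has even parity, so its high bit is set. */
    if (bdes_parse_key("abc", 0, 0, key) == 0) {
        for (i = 0; i < 8; i++)
            printf("%02x", key[i]);
        printf("\n");                       /* 6162e30000000000 */
    }
    return 0;
}
```

Note that with ascii_only set, a string such as "0x12" is treated as the four characters 0, x, 1, 2, each parity-adjusted, which is exactly what the -a flag suppresses the prefix interpretation for.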
.Pp
The DES is considered a strong cryptosystem hobbled by a short
key, and other than table lookup attacks, key search attacks, and
Hellman's time-memory tradeoff (all of which are expensive and
time-consuming), no practical cryptanalytic methods for breaking the
DES are known in the open literature.
As of this writing, the best
known cryptanalytic method is linear cryptanalysis, which requires an
average of
.if t 2\u\s-343\s0\d
.if n 2**43
known plaintext-ciphertext pairs to succeed.
Unfortunately for the DES, key search attacks (requiring only
a single known plaintext-ciphertext pair and trying
.if t 2\u\s-355\s0\d
.if n 2**55
keys on average) are becoming practical.
.Pp
As with all cryptosystems, the choice of keys and
key security remain the most vulnerable aspect of
.Nm .
.Sh IMPLEMENTATION NOTES
For implementors wishing to write software compatible with this program,
the following notes are provided.
This software is believed to be compatible with the implementation of the
data encryption standard distributed by Sun Microsystems, Inc.
.Pp
In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes,
also called a block).
To ensure that the plaintext file is encrypted correctly,
.Nm
will (internally) append from 1 to 8 bytes, the last byte containing an
integer stating how many bytes of that final block are from the plaintext
file, and encrypt the resulting block.
Hence, when decrypting, the last block may contain from 0 to 7 characters
present in the plaintext file, and the last byte tells how many.
Note that if during decryption the last byte of the file does not contain an
integer between 0 and 7, either the file has been corrupted or an incorrect
key has been given.
A similar mechanism is used for the OFB and CFB modes, except that those
simply require the length of the input to be a multiple of the mode size,
and the final byte contains an integer between 0 and one less than the number
of bytes being used as the mode.
(This was another reason that the mode size must be a multiple of 8 for those
modes.)
.Pp
Unlike Sun's implementation, unused bytes of that last block are not filled
with random data, but instead contain what was in those byte positions in
the preceding block.
This is quicker and more portable, and does not weaken the encryption
significantly.
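The final-block convention of the preceding two paragraphs as an added example (this is not bdes's own code): bdes_pad appends 1 to blocklen bytes so that the last byte carries the count of plaintext bytes in the final block, filling the unused positions from the preceding block, and bdes_unpad applies the decryption-time range check that the text says distinguishes a good key from a corrupt file or a wrong key. Passing blocklen 8 gives the ECB/CBC behaviour; passing the mode size in bytes gives the CFB/OFB variant. The fill used when no block precedes the final one is not stated by the manual and is an assumption here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Pad a plaintext the way the IMPLEMENTATION NOTES describe: blocklen is 8
 * for ECB/CBC and N/8 for N-bit CFB/OFB.  Between 1 and blocklen bytes are
 * appended so that the last byte of the final block holds the number of
 * plaintext bytes in that block (0..blocklen-1); the other unused positions
 * repeat the bytes of the preceding block.  The manual does not say what
 * fills them when no block precedes, so this example uses zeros (assumption).
 * out must have room for len + blocklen bytes; the padded length is returned.
 */
size_t bdes_pad(const uint8_t *in, size_t len, size_t blocklen, uint8_t *out)
{
    size_t full, tail;

    if (blocklen == 0)
        return 0;
    full = len - len % blocklen;            /* bytes in complete blocks */
    tail = len - full;                      /* leftover bytes, 0..blocklen-1 */

    memcpy(out, in, full);
    if (full >= blocklen)                   /* start from the preceding block */
        memcpy(out + full, out + full - blocklen, blocklen);
    else
        memset(out + full, 0, blocklen);    /* no preceding block: assumption */
    memcpy(out + full, in + full, tail);    /* real plaintext bytes, if any */
    out[full + blocklen - 1] = (uint8_t)tail;
    return full + blocklen;
}

/*
 * Undo the padding after decryption.  Returns the plaintext length, or -1
 * when the count byte is not in 0..blocklen-1, the condition the manual
 * says indicates a corrupted file or a wrong key.
 */
long bdes_unpad(const uint8_t *in, size_t len, size_t blocklen)
{
    if (blocklen == 0 || len < blocklen || len % blocklen != 0)
        return -1;
    if (in[len - 1] > blocklen - 1)
        return -1;
    return (long)(len - blocklen + in[len - 1]);
}

/* Test helper: pad text, unpad it again, and return the recovered length,
 * or -1 if the round trip does not reproduce the input. */
long bdes_roundtrip(const char *text, size_t blocklen)
{
    uint8_t padded[64 + 8];
    size_t len = strlen(text), plen;
    long back;
    if (len > 64)
        return -1;
    plen = bdes_pad((const uint8_t *)text, len, blocklen, padded);
    back = bdes_unpad(padded, plen, blocklen);
    if (back != (long)len || memcmp(padded, text, len) != 0)
        return -1;
    return back;
}

/* Test helper: the byte at position pos of the padded form of text, or -1. */
int bdes_pad_byte(const char *text, size_t blocklen, size_t pos)
{
    uint8_t padded[64 + 8];
    size_t len = strlen(text), plen;
    if (len > 64)
        return -1;
    plen = bdes_pad((const uint8_t *)text, len, blocklen, padded);
    return pos < plen ? padded[pos] : -1;
}

int main(void)
{
    uint8_t padded[24];
    size_t i, n = bdes_pad((const uint8_t *)"hello world", 11, 8, padded);
    /* Final block: "rld" + "lo w" copied from block 1 + count byte 03. */
    for (i = 0; i < n; i++)
        printf("%02x ", padded[i]);
    printf("\n");
    return 0;
}
```

A 16-byte input still grows by a full block whose count byte is 0, which is why the text says the last block may hold from 0 to 7 plaintext characters; a decryptor that skips the range check silently accepts garbage produced by a wrong key.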
.Pp
If the key is entered in ASCII, the parity bits of the key characters are set
so that each key character is of odd parity.
Unlike Sun's implementation, it is possible to enter binary or hexadecimal
keys on the command line, and if this is done, the parity bits are
.Em not
reset.
This allows testing using arbitrary bit patterns as keys.
.Pp
The Sun implementation always uses an initialization vector of 0
(that is, all zeroes).
By default,
.Nm
does too, but this may be changed from the command line.
.Sh SEE ALSO
.Xr crypt 3 ,
.Xr getpass 3
.Rs
.%T Data Encryption Standard
.%R Federal Information Processing Standard #46
.%Q National Bureau of Standards, U.S. Department of Commerce
.\" should be .%C as soon as it's supported.
.%O Washington DC
.%D January 1977
.Re
.Rs
.%T DES Modes of Operation
.%R Federal Information Processing Standard #81
.%Q National Bureau of Standards, U.S. Department of Commerce
.\" should be .%C as soon as it's supported.
.%O Washington DC
.%D December 1980
.Re
.Rs
.%A Dorothy Denning
.%T Cryptography and Data Security
.%I Addison-Wesley Publishing Co.
.\" should be .%C as soon as it's supported.
.%O Reading, MA
.%D 1982
.Re
.Rs
.%A Matt Bishop
.%T Implementation Notes on bdes(1)
.%R Technical Report PCS-TR-91-158
.%Q Department of Mathematics and Computer Science, Dartmouth College
.\" should be .%C as soon as it's supported.
.%O Hanover, NH 03755
.%D April 1991
.Re
.Rs
.%A M.J. Wiener
.%T Efficient DES Key Search
.%R Technical Report 244
.%Q School of Computer Science, Carleton University
.%D May 1994
.Re
.Rs
.%A Bruce Schneier
.%T Applied Cryptography (2nd edition)
.%I John Wiley & Sons, Inc.
.%O New York, NY
.\" should be .%C as soon as it's supported.
.%D 1996
.Re
.Rs
.%A M. Matsui
.%T Linear Cryptanalysis Method for DES Cipher
.%R Advances in Cryptology \(em Eurocrypt '93 Proceedings
.%I Springer-Verlag
.%D 1994
.Re
.Rs
.%A Blaze
.%A Diffie
.%A Rivest
.%A Schneier
.%A Shimomura
.%A Thompson
.%A Wiener
.%T "Minimal Key Lengths for Symmetric Ciphers To Provide Adequate Commercial Security"
.%D January 1996
.Re
.Sh BUGS
When this document was originally written, there was a controversy
raging over whether the DES would still be secure in a few years.
There is now near-universal consensus in the cryptographic community
that the key length of the DES is far too short.
The advent of
special-purpose hardware could reduce the cost of any of the methods
of attack named above so that they are no longer computationally
infeasible; in addition, the explosive growth in the number and speed
of modern microprocessors as well as advances in programmable logic
devices has brought an attack using only commodity hardware into the
realm of possibility.
Schneier and others currently recommend using
cryptosystems with keys of at least 90 bits when long-term security is
needed.
.Pp
As the key or key schedule is stored in memory, the encryption can be
compromised if memory is readable.
Additionally, programs which display other programs' arguments may compromise
the key and initialization vector if they are specified on the command line.
To avoid this,
.Nm
overwrites its arguments; however, the obvious race cannot currently be
avoided.
.Pp
Certain specific keys should be avoided because they introduce potential
weaknesses; these keys, called the
.Em weak
and
.Em semiweak
keys, are (in hex notation, where p is either 0 or 1, and P is either
e or f):
.Bd -literal -offset indent
0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P
0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP
0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P
0x1Pep1Pep0Pfp0Pfp 0x1PfP1PfP0PfP0PfP
0xep0pep0pfp0pfp0p 0xep1Pep1pfp0Pfp0P
0xepepepepepepepep 0xepfPepfPfpfPfpfP
0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P
0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP
.Ed
.Pp
This is inherent in the DES algorithm (see Moore and Simmons,
.Do
Cycle structure of the DES with weak and semi-weak keys
.Dc ,
.Em "Advances in Cryptology \- Crypto '86 Proceedings" ,
Springer-Verlag New York, \(co1987, pp. 9-32.)
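As an added defensive check, not part of bdes, the following matches an 8-byte key against the sixteen patterns of the table above exactly as the table states them, with p accepting a hex digit 0 or 1 and P accepting e or f, so that a weak or semiweak key can be rejected before it is used. The function names and the hex-string wrapper are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The sixteen patterns from the weak/semiweak key table, transcribed as given:
 * 'p' stands for a hex digit 0 or 1, 'P' for e or f, other digits are literal. */
static const char *const weak_patterns[16] = {
    "0p0p0p0p0p0p0p0p", "0p1P0p1P0p0P0p0P",
    "0pep0pep0pfp0pfp", "0pfP0pfP0pfP0pfP",
    "1P0p1P0p0P0p0P0p", "1P1P1P1P0P0P0P0P",
    "1Pep1Pep0Pfp0Pfp", "1PfP1PfP0PfP0PfP",
    "ep0pep0pfp0pfp0p", "ep1Pep1pfp0Pfp0P",
    "epepepepepepepep", "epfPepfPfpfPfpfP",
    "fP0pfP0pfP0pfP0p", "fP1PfP1PfP0PfP0P",
    "fPepfPepfPepfPep", "fPfPfPfPfPfPfPfP",
};

/* Does one lowercase hex digit of the key satisfy one pattern position? */
static int digit_matches(char pat, char hex)
{
    switch (pat) {
    case 'p': return hex == '0' || hex == '1';
    case 'P': return hex == 'e' || hex == 'f';
    default:  return pat == hex;
    }
}

/* Returns the 1-based index (in table reading order, left column then right)
 * of the pattern an 8-byte key matches, or 0 when it matches none. */
int bdes_weak_key_index(const uint8_t key[8])
{
    char hex[17];
    int i, j;

    for (i = 0; i < 8; i++)
        snprintf(hex + 2 * i, 3, "%02x", key[i]);
    for (i = 0; i < 16; i++) {
        for (j = 0; j < 16; j++)
            if (!digit_matches(weak_patterns[i][j], hex[j]))
                break;
        if (j == 16)
            return i + 1;
    }
    return 0;
}

/* Convenience wrapper for a 16-digit hex key string, with or without a 0x prefix.
 * Returns the pattern index, 0 for no match, or -1 if the string is malformed. */
int bdes_weak_key_hex(const char *s)
{
    uint8_t key[8];
    unsigned v;
    int i;

    if (strncmp(s, "0x", 2) == 0 || strncmp(s, "0X", 2) == 0)
        s += 2;
    if (strlen(s) != 16)
        return -1;
    for (i = 0; i < 8; i++) {
        if (sscanf(s + 2 * i, "%2x", &v) != 1)
            return -1;
        key[i] = (uint8_t)v;
    }
    return bdes_weak_key_index(key);
}

int main(void)
{
    const char *candidates[] = { "0x0101010101010101", "0x0123456789abcdef" };
    int i;
    for (i = 0; i < 2; i++)
        printf("%s: %s\n", candidates[i],
               bdes_weak_key_hex(candidates[i]) ? "weak/semiweak, reject" : "ok");
    return 0;
}
```

Because every p and P position accepts both values of the parity bit, the check gives the same answer whether it is run on the key as typed or after the odd-parity adjustment described under IMPLEMENTATION NOTES.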