367 lines
12 KiB
Groff
367 lines
12 KiB
Groff
|
.\" $NetBSD: bdes.1,v 1.14 2010/01/15 19:40:17 joerg Exp $
|
||
|
.\"
|
||
|
.\" Copyright (c) 1991, 1993
|
||
|
.\" The Regents of the University of California. All rights reserved.
|
||
|
.\"
|
||
|
.\" This code is derived from software contributed to Berkeley by
|
||
|
.\" Matt Bishop of Dartmouth College.
|
||
|
.\"
|
||
|
.\" Redistribution and use in source and binary forms, with or without
|
||
|
.\" modification, are permitted provided that the following conditions
|
||
|
.\" are met:
|
||
|
.\" 1. Redistributions of source code must retain the above copyright
|
||
|
.\" notice, this list of conditions and the following disclaimer.
|
||
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||
|
.\" notice, this list of conditions and the following disclaimer in the
|
||
|
.\" documentation and/or other materials provided with the distribution.
|
||
|
.\" 3. Neither the name of the University nor the names of its contributors
|
||
|
.\" may be used to endorse or promote products derived from this software
|
||
|
.\" without specific prior written permission.
|
||
|
.\"
|
||
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
||
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
||
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||
|
.\" SUCH DAMAGE.
|
||
|
.\"
|
||
|
.\" @(#)bdes.1 8.1 (Berkeley) 6/29/93
|
||
|
.\"
|
||
|
.Dd December 1, 2001
|
||
|
.Dt BDES 1
|
||
|
.Os
|
||
|
.Sh NAME
|
||
|
.Nm bdes
|
||
|
.Nd encrypt/decrypt using the Data Encryption Standard
|
||
|
.Sh SYNOPSIS
|
||
|
.Nm
|
||
|
.Op Fl abdp
|
||
|
.Op Fl F Ar N
|
||
|
.Op Fl f Ar N
|
||
|
.Op Fl k Ar key
|
||
|
.Op Fl m Ar N
|
||
|
.Op Fl o Ar N
|
||
|
.Op Fl v Ar vector
|
||
|
.Sh DESCRIPTION
|
||
|
.Nm
|
||
|
implements all DES modes of operation described in FIPS PUB 81,
|
||
|
including alternative cipher feedback mode and both authentication
|
||
|
modes.
|
||
|
.Nm
|
||
|
reads from the standard input and writes to the standard output.
|
||
|
By default, the input is encrypted using cipher block chaining mode.
|
||
|
Using the same key for encryption and decryption preserves plain text.
|
||
|
.Pp
|
||
|
All modes but the electronic code book mode require an initialization
|
||
|
vector; if none is supplied, the zero vector is used.
|
||
|
If no
|
||
|
.Ar key
|
||
|
is specified on the command line, the user is prompted for one (see
|
||
|
.Xr getpass 3
|
||
|
for more details).
|
||
|
.Pp
|
||
|
The options are as follows:
|
||
|
.Bl -tag -width "-v vector" -compact
|
||
|
.It Fl a
|
||
|
The key and initialization vector strings are to be taken as ASCII,
|
||
|
suppressing the special interpretation given to leading
|
||
|
.Dq 0X ,
|
||
|
.Dq 0x ,
|
||
|
.Dq 0B ,
|
||
|
and
|
||
|
.Dq 0b
|
||
|
characters.
|
||
|
This flag applies to
|
||
|
.Em both
|
||
|
the key and initialization vector.
|
||
|
.It Fl b
|
||
|
Use electronic code book mode.
|
||
|
This is not recommended for messages
|
||
|
longer than 8 bytes, as patterns in the input will show through to the
|
||
|
output.
|
||
|
.It Fl d
|
||
|
Decrypt the input.
|
||
|
.It Fl F Ar N
|
||
|
Use
|
||
|
.Ar N Ns -bit
|
||
|
alternative cipher feedback mode.
|
||
|
Currently
|
||
|
.Ar N
|
||
|
must be a multiple of 7 between 7 and 56 inclusive (this does not conform
|
||
|
to the alternative CFB mode specification).
|
||
|
.It Fl f Ar N
|
||
|
Use
|
||
|
.Ar N Ns -bit
|
||
|
cipher feedback mode.
|
||
|
Currently
|
||
|
.Ar N
|
||
|
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
|
||
|
to the standard CFB mode specification).
|
||
|
.It Fl k Ar key
|
||
|
Use
|
||
|
.Ar key
|
||
|
as the cryptographic key.
|
||
|
.It Fl m Ar N
|
||
|
Compute a message authentication code (MAC) of
|
||
|
.Ar N
|
||
|
bits on the input.
|
||
|
The value of
|
||
|
.Ar N
|
||
|
must be between 1 and 64 inclusive; if
|
||
|
.Ar N
|
||
|
is not a multiple of 8, enough 0 bits will be added to pad the MAC length
|
||
|
to the nearest multiple of 8.
|
||
|
Only the MAC is output.
|
||
|
MACs are only available in cipher block chaining mode or in cipher feedback
|
||
|
mode.
|
||
|
.It Fl o Ar N
|
||
|
Use
|
||
|
.Ar N Ns -bit
|
||
|
output feedback mode.
|
||
|
Currently
|
||
|
.Ar N
|
||
|
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
|
||
|
to the OFB mode specification).
|
||
|
.It Fl p
|
||
|
Disable the resetting of the parity bit.
|
||
|
This flag forces the parity bit of the key to be used as typed, rather than
|
||
|
making each character be of odd parity.
|
||
|
It is used only if the key is given in ASCII.
|
||
|
.It Fl v Ar vector
|
||
|
Set the initialization vector to
|
||
|
.Ar vector ;
|
||
|
the vector is interpreted in the same way as the key.
|
||
|
The vector is ignored in electronic codebook mode.
|
||
|
For best security, a different
|
||
|
initialization vector should be used for each file.
|
||
|
.El
|
||
|
.Pp
|
||
|
The key and initialization vector are taken as sequences of ASCII
|
||
|
characters which are then mapped into their bit representations.
|
||
|
If either begins with
|
||
|
.Dq 0X
|
||
|
or
|
||
|
.Dq 0x ,
|
||
|
that one is taken as a sequence of hexadecimal digits indicating the
|
||
|
bit pattern;
|
||
|
if either begins with
|
||
|
.Dq 0B
|
||
|
or
|
||
|
.Dq 0b ,
|
||
|
that one is taken as a sequence of binary digits indicating the bit pattern.
|
||
|
In either case,
|
||
|
only the leading 64 bits of the key or initialization vector
|
||
|
are used,
|
||
|
and if fewer than 64 bits are provided, enough 0 bits are appended
|
||
|
to pad the key to 64 bits.
|
||
|
.Pp
|
||
|
According to the DES standard, the low-order bit of each character in the
|
||
|
key string is deleted.
|
||
|
Since most ASCII representations set the high-order bit to 0, simply
|
||
|
deleting the low-order bit effectively reduces the size of the key space
|
||
|
from
|
||
|
.if t 2\u\s-356\s0\d
|
||
|
.if n 2**56
|
||
|
to
|
||
|
.if t 2\u\s-348\s0\d
|
||
|
.if n 2**48
|
||
|
keys.
|
||
|
To prevent this, the high-order bit must be a function depending in part
|
||
|
upon the low-order bit; so, the high-order bit is set to whatever value
|
||
|
gives odd parity.
|
||
|
This preserves the key space size.
|
||
|
Note this resetting of the parity bit is
|
||
|
.Em not
|
||
|
done if the key is given in binary or hex, and can be disabled for ASCII
|
||
|
keys as well.
|
||
|
.Pp
|
||
|
The DES is considered a very strong cryptosystem hobbled by a short
|
||
|
key, and other than table lookup attacks, key search attacks, and
|
||
|
Hellman's time-memory tradeoff (all of which are very expensive and
|
||
|
time-consuming), no practical cryptanalytic methods for breaking the
|
||
|
DES are known in the open literature.
|
||
|
As of this writing, the best
|
||
|
known cryptanalytic method is linear cryptanalysis, which requires an
|
||
|
average of
|
||
|
.if t 2\u\s-343\s0\d
|
||
|
.if n 2**43
|
||
|
known plaintext-ciphertext pairs to succeed.
|
||
|
Unfortunately for the DES, key search attacks (requiring only
|
||
|
a single known plaintext-ciphertext pair and trying
|
||
|
.if t 2\u\s-355\s0\d
|
||
|
.if n 2**55
|
||
|
keys on average) are becoming practical.
|
||
|
.Pp
|
||
|
As with all cryptosystems, the choice of keys and
|
||
|
key security remain the most vulnerable aspect of
|
||
|
.Nm .
|
||
|
.Sh IMPLEMENTATION NOTES
|
||
|
For implementors wishing to write software compatible with this program,
|
||
|
the following notes are provided.
|
||
|
This software is believed to be compatible with the implementation of the
|
||
|
data encryption standard distributed by Sun Microsystems, Inc.
|
||
|
.Pp
|
||
|
In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes,
|
||
|
also called a block).
|
||
|
To ensure that the plaintext file is encrypted correctly,
|
||
|
.Nm
|
||
|
will (internally) append from 1 to 8 bytes, the last byte containing an
|
||
|
integer stating how many bytes of that final block are from the plaintext
|
||
|
file, and encrypt the resulting block.
|
||
|
Hence, when decrypting, the last block may contain from 0 to 7 characters
|
||
|
present in the plaintext file, and the last byte tells how many.
|
||
|
Note that if during decryption the last byte of the file does not contain an
|
||
|
integer between 0 and 7, either the file has been corrupted or an incorrect
|
||
|
key has been given.
|
||
|
A similar mechanism is used for the OFB and CFB modes, except that those
|
||
|
simply require the length of the input to be a multiple of the mode size,
|
||
|
and the final byte contains an integer between 0 and one less than the number
|
||
|
of bytes being used as the mode.
|
||
|
(This was another reason that the mode size must be a multiple of 8 for those
|
||
|
modes.)
|
||
|
.Pp
|
||
|
Unlike Sun's implementation, unused bytes of that last block are not filled
|
||
|
with random data, but instead contain what was in those byte positions in
|
||
|
the preceding block.
|
||
|
This is quicker and more portable, and does not weaken the encryption
|
||
|
significantly.
|
||
|
.Pp
|
||
|
If the key is entered in ASCII, the parity bits of the key characters are set
|
||
|
so that each key character is of odd parity.
|
||
|
Unlike Sun's implementation, it is possible to enter binary or hexadecimal
|
||
|
keys on the command line, and if this is done, the parity bits are
|
||
|
.Em not
|
||
|
reset.
|
||
|
This allows testing using arbitrary bit patterns as keys.
|
||
|
.Pp
|
||
|
The Sun implementation always uses an initialization vector of 0
|
||
|
(that is, all zeroes).
|
||
|
By default,
|
||
|
.Nm
|
||
|
does too, but this may be changed from the command line.
|
||
|
.Sh SEE ALSO
|
||
|
.Xr crypt 3 ,
|
||
|
.Xr getpass 3
|
||
|
.Rs
|
||
|
.%T Data Encryption Standard
|
||
|
.%R Federal Information Processing Standard #46
|
||
|
.%Q National Bureau of Standards, U.S. Department of Commerce
|
||
|
.\" should be .%C as soon as it's supported.
|
||
|
.%O Washington DC
|
||
|
.%D January 1977
|
||
|
.Re
|
||
|
.Rs
|
||
|
.%T DES Modes of Operation
|
||
|
.%R Federal Information Processing Standard #81
|
||
|
.%Q National Bureau of Standards, U.S. Department of Commerce
|
||
|
.\" should be .%C as soon as it's supported.
|
||
|
.%O Washington DC
|
||
|
.%D December 1980
|
||
|
.Re
|
||
|
.Rs
|
||
|
.%A Dorothy Denning
|
||
|
.%T Cryptography and Data Security
|
||
|
.%I Addison-Wesley Publishing Co.
|
||
|
.\" should be .%C as soon as it's supported.
|
||
|
.%O Reading, MA
|
||
|
.%D 1982
|
||
|
.Re
|
||
|
.Rs
|
||
|
.%A Matt Bishop
|
||
|
.%T Implementation Notes on bdes(1)
|
||
|
.%R Technical Report PCS-TR-91-158
|
||
|
.%Q Department of Mathematics and Computer Science, Dartmouth College
|
||
|
.\" should be .%C as soon as it's supported.
|
||
|
.%O Hanover, NH 03755
|
||
|
.%D April 1991
|
||
|
.Re
|
||
|
.Rs
|
||
|
.%A M.J. Wiener
|
||
|
.%T Efficient DES Key Search
|
||
|
.%R Technical Report 244
|
||
|
.%Q School of Computer Science, Carleton University
|
||
|
.%D May 1994
|
||
|
.Re
|
||
|
.Rs
|
||
|
.%A Bruce Schneier
|
||
|
.%T Applied Cryptography (2nd edition)
|
||
|
.%I John Wiley \*[Am] Sons, Inc.
|
||
|
.%O New York, NY
|
||
|
.\" should be .%C as soon as it's supported.
|
||
|
.%D 1996
|
||
|
.Re
|
||
|
.Rs
|
||
|
.%A M. Matsui
|
||
|
.%T Linear Cryptanalysis Method for DES Cipher
|
||
|
.%R Advances in Cryptology -- Eurocrypt '93 Proceedings
|
||
|
.%I Springer-Verlag
|
||
|
.%D 1994
|
||
|
.Re
|
||
|
.Rs
|
||
|
.%A Blaze
|
||
|
.%A Diffie
|
||
|
.%A Rivest
|
||
|
.%A Schneier
|
||
|
.%A Shimomura
|
||
|
.%A Thompson
|
||
|
.%A Wiener
|
||
|
.%T Minimal Key Lengths for Symmetric Ciphers To Provide Adequate Commercial Security
|
||
|
.%I Business Software Alliance
|
||
|
.%U http://www.bsa.org/policy/encryption/cryptographers.html
|
||
|
.%D January 1996
|
||
|
.Re
|
||
|
.Sh BUGS
|
||
|
When this document was originally written, there was a controversy
|
||
|
raging over whether the DES would still be secure in a few years.
|
||
|
There is now near-universal consensus in the cryptographic community
|
||
|
that the key length of the DES is far too short.
|
||
|
The advent of
|
||
|
special-purpose hardware could reduce the cost of any of the methods
|
||
|
of attack named above so that they are no longer computationally
|
||
|
infeasible; in addition, the explosive growth in the number and speed
|
||
|
of modern microprocessors as well as advances in programmable logic
|
||
|
devices has brought an attack using only commodity hardware into the
|
||
|
realm of possibility.
|
||
|
Schneier and others currently recommend using
|
||
|
cryptosystems with keys of at least 90 bits when long-term security is
|
||
|
needed.
|
||
|
.Pp
|
||
|
As the key or key schedule is stored in memory, the encryption can be
|
||
|
compromised if memory is readable.
|
||
|
Additionally, programs which display programs' arguments may compromise the
|
||
|
key and initialization vector, if they are specified on the command line.
|
||
|
To avoid this
|
||
|
.Nm
|
||
|
overwrites its arguments, however, the obvious race cannot currently be
|
||
|
avoided.
|
||
|
.Pp
|
||
|
Certain specific keys should be avoided because they introduce potential
|
||
|
weaknesses; these keys, called the
|
||
|
.Em weak
|
||
|
and
|
||
|
.Em semiweak
|
||
|
keys, are (in hex notation, where p is either 0 or 1, and P is either
|
||
|
e or f):
|
||
|
.Bd -literal -offset indent
|
||
|
0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P
|
||
|
0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP
|
||
|
0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P
|
||
|
0x1Pep1Pep0Pfp0Pfp 0x1PfP1PfP0PfP0PfP
|
||
|
0xep0pep0pfp0pfp0p 0xep1Pep1pfp0Pfp0P
|
||
|
0xepepepepepepepep 0xepfPepfPfpfPfpfP
|
||
|
0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P
|
||
|
0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP
|
||
|
.Ed
|
||
|
.Pp
|
||
|
This is inherent in the DES algorithm (see Moore and Simmons,
|
||
|
.Do
|
||
|
Cycle structure of the DES with weak and semi-weak keys
|
||
|
.Dc ,
|
||
|
.Em "Advances in Cryptology \- Crypto '86 Proceedings" ,
|
||
|
Springer-Verlag New York, \(co1987, pp. 9-32.)
|