.\" Copyright (c) 1991, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" This code is derived from software contributed to Berkeley by
.\" Matt Bishop of Dartmouth College.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)bdes.1	8.1 (Berkeley) 6/29/93
.\" $FreeBSD: src/secure/usr.bin/bdes/bdes.1,v 1.7 2003/06/02 19:10:59 markm Exp $
.\"
.Dd July 20, 2010
.Dt BDES 1
.Os
.Sh NAME
.Nm bdes
.Nd "encrypt/decrypt using the Data Encryption Standard (DES)"
.Sh SYNOPSIS
.Nm
.Op Fl abdp
.Op Fl F Ar N
.Op Fl f Ar N
.Op Fl k Ar key
.Op Fl m Ar N
.Op Fl o Ar N
.Op Fl v Ar vector
.Sh DESCRIPTION
The
.Nm
utility implements all
.Tn DES
modes of operation described in
.%T "FIPS PUB 81" ,
including alternative cipher feedback mode and both authentication
modes.
The
.Nm
utility reads from the standard input
and writes to the standard output.
By default,
the input is encrypted
using cipher block chaining (CBC) mode.
Using the same key
for encryption and decryption
preserves plain text.
.Pp
All modes but the electronic code book (ECB) mode
require an initialization vector;
if none is supplied,
the zero vector is used.
If no
.Ar key
is specified on the command line,
the user is prompted for one (see
.Xr getpass 3
for more details).
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl a
The key and initialization vector strings
are to be taken as
.Tn ASCII ,
suppressing the special interpretation given to leading
.Dq Li 0X ,
.Dq Li 0x ,
.Dq Li 0B ,
and
.Dq Li 0b
characters.
This flag applies to
.Em both
the key and initialization vector.
.It Fl b
Use ECB mode.
.It Fl d
Decrypt the input.
.It Fl F Ar N
Use
.Ar N Ns \-bit
alternative CFB mode.
Currently
.Ar N
must be a multiple of 7
between 7 and 56 inclusive
(this does not conform to the alternative CFB mode specification).
.It Fl f Ar N
Use
.Ar N Ns \-bit
CFB mode.
Currently
.Ar N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
to the standard CFB mode specification).
.It Fl k Ar key
Use
.Ar key
as the cryptographic key.
.It Fl m Ar N
Compute a message authentication code (MAC) of
.Ar N
bits on the input.
The value of
.Ar N
must be between 1 and 64 inclusive; if
.Ar N
is not a multiple of 8,
enough 0 bits will be added
to pad the MAC length
to the nearest multiple of 8.
Only the MAC is output.
MACs are only available
in CBC mode
or in CFB mode.
.It Fl o Ar N
Use
.Ar N Ns \-bit
output feedback (OFB) mode.
Currently
.Ar N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
to the OFB mode specification).
.It Fl p
Disable the resetting of the parity bit.
This flag forces
the parity bit of the key
to be used as typed,
rather than making
each character be of odd parity.
It is used only if the key is given in
.Tn ASCII .
.It Fl v Ar vector
Set the initialization vector to
.Ar vector ;
the vector is interpreted in the same way as the key.
The vector is ignored in ECB mode.
.El
.Pp
The key and initialization vector
are taken as sequences of
.Tn ASCII
characters which are then mapped
into their bit representations.
If either begins with
.Dq Li 0X
or
.Dq Li 0x ,
that one is taken
as a sequence of hexadecimal digits
indicating the bit pattern;
if either begins with
.Dq Li 0B
or
.Dq Li 0b ,
that one is taken
as a sequence of binary digits
indicating the bit pattern.
In either case,
only the leading 64 bits
of the key or initialization vector
are used,
and if fewer than 64 bits are provided,
enough 0 bits are appended
to pad the key to 64 bits.
.Pp
According to the
.Tn DES
standard,
the low-order bit of each character
in the key string is deleted.
Since most
.Tn ASCII
representations
set the high-order bit to 0,
simply deleting the low-order bit
effectively reduces the size of the key space
from 2^56 to 2^48 keys.
To prevent this,
the high-order bit must be a function
depending in part upon the low-order bit;
so,
the high-order bit is set
to whatever value gives odd parity.
This preserves the key space size.
Note this resetting of the parity bit is
.Em not
done if the key
is given in binary or hex,
and can be disabled for
.Tn ASCII
keys as well.
.Pp
The
.Tn DES
is considered a very strong cryptosystem,
and other than table lookup attacks,
key search attacks,
and Hellman's time-memory tradeoff
(all of which are very expensive and time-consuming),
no cryptanalytic methods
for breaking the
.Tn DES
are known in the open literature.
No doubt the choice of keys
and key security
are the most vulnerable aspect of
.Nm .
.Sh IMPLEMENTATION NOTES
For implementors wishing to write
software compatible with this program,
the following notes are provided.
This software is believed
to be compatible with the implementation
of the data encryption standard
distributed by Sun Microsystems, Inc.
.Pp
In the ECB and CBC modes,
plaintext is encrypted in units of 64 bits
(8 bytes, also called a block).
To ensure that the plaintext file
is encrypted correctly,
.Nm
will (internally) append from 1 to 8 bytes,
the last byte containing an integer
stating how many bytes of that final block
are from the plaintext file,
and encrypt the resulting block.
Hence,
when decrypting,
the last block may contain from 0 to 7 characters
present in the plaintext file,
and the last byte tells how many.
Note that if during decryption
the last byte of the file
does not contain an integer between 0 and 7,
either the file has been corrupted
or an incorrect key has been given.
A similar mechanism is used
for the OFB and CFB modes,
except that those
simply require the length of the input
to be a multiple of the mode size,
and the final byte contains an integer
between 0 and one less than the number
of bytes being used as the mode.
(This was another reason
that the mode size must be
a multiple of 8 for those modes.)
.Pp
Unlike Sun's implementation,
unused bytes of that last block
are not filled with random data,
but instead contain
what was in those byte positions
in the preceding block.
This is quicker and more portable,
and does not weaken the encryption significantly.
.Pp
If the key is entered in
.Tn ASCII ,
the parity bits of the key characters
are set so that each key character
is of odd parity.
Unlike Sun's implementation,
it is possible to enter binary or hexadecimal
keys on the command line,
and if this is done,
the parity bits are
.Em not
reset.
This allows testing
using arbitrary bit patterns as keys.
.Pp
The Sun implementation
always uses an initialization vector of 0
(that is, all zeroes).
By default,
.Nm
does too,
but this may be changed
from the command line.
.Sh SEE ALSO
.Xr getpass 3
.Rs
.%T "Data Encryption Standard"
.%R "Federal Information Processing Standard #46"
.%Q "National Bureau of Standards, U.S. Department of Commerce, Washington DC"
.%D "January 1977"
.Re
.Rs
.%T "DES Modes of Operation"
.%R "Federal Information Processing Standard #81"
.%Q "National Bureau of Standards, U.S. Department of Commerce, Washington DC"
.%D "December 1980"
.Re
.Rs
.%A "Dorothy Denning"
.%B "Cryptography and Data Security"
.%Q "Addison-Wesley Publishing Co., Reading, MA"
.%D 1982
.Re
.Rs
.%A "Matt Bishop"
.%T "Implementation Notes on bdes(1)"
.%R "Technical Report PCS-TR-91-158"
.%Q "Department of Mathematics and Computer Science, Dartmouth College, Hanover, NH 03755"
.%D "April 1991"
.Re
.Sh DISCLAIMER
.Bd -literal
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
.Ed
.Sh BUGS
There is a controversy raging over whether the
.Tn DES
will still be secure
in a few years.
The advent of special-purpose hardware
could reduce the cost of any of the
methods of attack named above
so that they are no longer
computationally infeasible.
.Pp
As the key or key schedule
is stored in memory,
the encryption can be
compromised if memory is readable.
Additionally,
programs which display programs' arguments
may compromise the key and initialization vector,
if they are specified on the command line.
To avoid this,
.Nm
overwrites its arguments;
however,
the obvious race
cannot currently be avoided.
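.Pp
The key and initialization vector interpretation described under DESCRIPTION (leading 0x/0b prefixes, use of only the leading 64 bits with 0-bit padding, and odd-parity setting of the high-order bit for ASCII keys), as an added C example that is not part of bdes itself; the function name and the ascii_only and keep_parity flags, standing in for -a and -p, are assumptions:

```c
#include <stdint.h>
#include <string.h>

/* Map a bdes key or IV string to its 64-bit block.  ascii_only mirrors -a
 * (no 0x/0b handling), keep_parity mirrors -p.  Returns 0, or -1 on a digit
 * that is not valid for the chosen notation. */
int bdes_key_bits(const char *s, int ascii_only, int keep_parity, uint8_t out[8])
{
    memset(out, 0, 8);                       /* fewer than 64 bits: pad with 0 bits */
    if (!ascii_only && s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) {
        /* hexadecimal digits, most significant first; parity bits left as typed */
        for (int i = 0; i < 16 && s[2 + i] != '\0'; i++) {   /* leading 64 bits only */
            int c = s[2 + i], v;
            if (c >= '0' && c <= '9') v = c - '0';
            else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
            else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
            else return -1;
            out[i / 2] |= (uint8_t)(v << (i % 2 ? 0 : 4));
        }
        return 0;
    }
    if (!ascii_only && s[0] == '0' && (s[1] == 'b' || s[1] == 'B')) {
        for (int i = 0; i < 64 && s[2 + i] != '\0'; i++) {   /* leading 64 bits only */
            if (s[2 + i] != '0' && s[2 + i] != '1') return -1;
            if (s[2 + i] == '1') out[i / 8] |= (uint8_t)(0x80 >> (i % 8));
        }
        return 0;
    }
    /* ASCII: one character per key byte.  DES discards the low-order bit of
     * each byte, so the high-order bit is set to whatever value gives the
     * byte odd parity; that makes it depend on the discarded bit and keeps
     * the key space at 2^56 instead of 2^48. */
    for (int i = 0; i < 8 && s[i] != '\0'; i++) {
        uint8_t c = (uint8_t)s[i];
        if (!keep_parity) {
            int ones = 0;
            for (int b = 0; b < 8; b++) ones += (c >> b) & 1;
            if (ones % 2 == 0) c ^= 0x80;    /* even parity: flip the high-order bit */
        }
        out[i] = c;
    }
    return 0;
}
```

With the key "abc", the bytes 'a' (0x61) and 'b' (0x62) already have odd parity and are kept, while 'c' (0x63, four 1 bits) becomes 0xe3.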
.Pp
Certain specific keys
should be avoided
because they introduce
potential weaknesses;
these keys,
called the
.Em weak
and
.Em semiweak
keys, are (in hex notation, where
.Ar p
is either 0 or 1, and
.Ar P
is either
.Ql e
or
.Ql f ) :
.Bl -column "0x0p0p0p0p0p0p0p0p" -offset indent
.It "0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P"
.It "0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP"
.It "0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P"
.It "0x1Pep1Pep0Pfp0Pfp 0x1PfP1PfP0PfP0PfP"
.It "0xep0pep0pfp0pfp0p 0xep1Pep1Pfp0Pfp0P"
.It "0xepepepepepepepep 0xepfPepfPfpfPfpfP"
.It "0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P"
.It "0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP"
.El
.Pp
This is inherent in the
.Tn DES
algorithm;
see
.Rs
.%A Moore
.%A Simmons
.%T "Cycle structure of the DES with weak and semi-weak keys"
.%B "Advances in Cryptology \- Crypto '86 Proceedings"
.%Q "Springer-Verlag New York"
.%D 1987
.%P "pp. 9-32"
.Re
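.Pp
A check that refuses the weak and semiweak keys tabulated above, as an added C example that is not part of bdes; it reads each two-digit cell of the table as a literal first hex digit followed by a parity placeholder (p matches 0 or 1, P matches e or f), so a key given in hex with either parity bit setting is caught:

```c
#include <stdint.h>

/* The 16 weak and semiweak patterns from the table, one 8-byte key each;
 * in every cell the first digit is literal and the second is p or P. */
static const char *const bdes_weak_patterns[16] = {
    "0p0p0p0p0p0p0p0p", "0p1P0p1P0p0P0p0P",
    "0pep0pep0pfp0pfp", "0pfP0pfP0pfP0pfP",
    "1P0p1P0p0P0p0P0p", "1P1P1P1P0P0P0P0P",
    "1Pep1Pep0Pfp0Pfp", "1PfP1PfP0PfP0PfP",
    "ep0pep0pfp0pfp0p", "ep1Pep1Pfp0Pfp0P",
    "epepepepepepepep", "epfPepfPfpfPfpfP",
    "fP0pfP0pfP0pfP0p", "fP1PfP1PfP0PfP0P",
    "fPepfPepfPepfPep", "fPfPfPfPfPfPfPfP",
};

/* Does one key byte fit a two-character table cell? */
static int bdes_byte_matches(uint8_t b, char hi, char lo)
{
    int hi_val = (hi >= 'a') ? hi - 'a' + 10 : hi - '0';   /* 0, 1, e or f */
    if ((b >> 4) != hi_val)
        return 0;
    int low = b & 0x0f;
    return (lo == 'p') ? (low == 0x0 || low == 0x1)        /* p: 0 or 1 */
                       : (low == 0xe || low == 0xf);       /* P: e or f */
}

/* Returns 1 if the 8-byte key matches any weak or semiweak pattern, else 0. */
int bdes_key_is_weak(const uint8_t key[8])
{
    for (int i = 0; i < 16; i++) {
        const char *pat = bdes_weak_patterns[i];
        int j;
        for (j = 0; j < 8; j++)
            if (!bdes_byte_matches(key[j], pat[2 * j], pat[2 * j + 1]))
                break;
        if (j == 8)
            return 1;
    }
    return 0;
}
```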
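.Pp
The final-block padding described under IMPLEMENTATION NOTES (a count byte of plaintext bytes in the last block, filler copied from the preceding block, and the decrypt-time check that the count is in range), as an added C example that is not part of bdes; bsize generalizes the 8-byte ECB/CBC block to the OFB/CFB mode size in bytes, and filling with zeros when the input is shorter than one block is an assumption the manual does not cover:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Pad plaintext as bdes does before encrypting the final block.
 * out must have room for len + bsize bytes.  Returns the padded length. */
size_t bdes_pad(const uint8_t *in, size_t len, size_t bsize, uint8_t *out)
{
    size_t full = len - len % bsize;        /* bytes in complete blocks */
    size_t rem = len - full;                /* 0..bsize-1 plaintext bytes left over */
    memcpy(out, in, len);
    if (full >= bsize)                      /* filler: same positions of the preceding block */
        memcpy(out + len, out + full - bsize + rem, bsize - rem);
    else                                    /* no preceding block: zeros (assumption) */
        memset(out + len, 0, bsize - rem);
    out[full + bsize - 1] = (uint8_t)rem;   /* final byte: count of plaintext bytes */
    return full + bsize;
}

/* Undo bdes_pad after decryption.  Returns the plaintext length, or
 * (size_t)-1 when the final byte is not in 0..bsize-1, which the manual
 * says means the file is corrupted or the key is wrong. */
size_t bdes_unpad(const uint8_t *in, size_t len, size_t bsize)
{
    if (len < bsize || len % bsize != 0)
        return (size_t)-1;
    uint8_t count = in[len - 1];
    if (count >= bsize)
        return (size_t)-1;
    return len - bsize + count;
}
```

An input that is already a multiple of the block size still gets a whole extra block whose count byte is 0, which is why decryption can never mistake real data for padding.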