1.\" $NetBSD: bdes.1,v 1.14 2010/01/15 19:40:17 joerg Exp $ 2.\" 3.\" Copyright (c) 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" This code is derived from software contributed to Berkeley by 7.\" Matt Bishop of Dartmouth College. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 3. Neither the name of the University nor the names of its contributors 18.\" may be used to endorse or promote products derived from this software 19.\" without specific prior written permission. 20.\" 21.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.\" @(#)bdes.1 8.1 (Berkeley) 6/29/93 34.\" 35.Dd December 1, 2001 36.Dt BDES 1 37.Os 38.Sh NAME 39.Nm bdes 40.Nd encrypt/decrypt using the Data Encryption Standard 41.Sh SYNOPSIS 42.Nm 43.Op Fl abdp 44.Op Fl F Ar N 45.Op Fl f Ar N 46.Op Fl k Ar key 47.Op Fl m Ar N 48.Op Fl o Ar N 49.Op Fl v Ar vector 50.Sh DESCRIPTION 51.Nm 52implements all DES modes of operation described in FIPS PUB 81, 53including alternative cipher feedback mode and both authentication 54modes. 55.Nm 56reads from the standard input and writes to the standard output. 57By default, the input is encrypted using cipher block chaining mode. 58Using the same key for encryption and decryption preserves plain text. 59.Pp 60All modes but the electronic code book mode require an initialization 61vector; if none is supplied, the zero vector is used. 62If no 63.Ar key 64is specified on the command line, the user is prompted for one (see 65.Xr getpass 3 66for more details). 67.Pp 68The options are as follows: 69.Bl -tag -width "-v vector" -compact 70.It Fl a 71The key and initialization vector strings are to be taken as ASCII, 72suppressing the special interpretation given to leading 73.Dq 0X , 74.Dq 0x , 75.Dq 0B , 76and 77.Dq 0b 78characters. 79This flag applies to 80.Em both 81the key and initialization vector. 82.It Fl b 83Use electronic code book mode. 84This is not recommended for messages 85longer than 8 bytes, as patterns in the input will show through to the 86output. 87.It Fl d 88Decrypt the input. 89.It Fl F Ar N 90Use 91.Ar N Ns -bit 92alternative cipher feedback mode. 93Currently 94.Ar N 95must be a multiple of 7 between 7 and 56 inclusive (this does not conform 96to the alternative CFB mode specification). 97.It Fl f Ar N 98Use 99.Ar N Ns -bit 100cipher feedback mode. 101Currently 102.Ar N 103must be a multiple of 8 between 8 and 64 inclusive (this does not conform 104to the standard CFB mode specification). 105.It Fl k Ar key 106Use 107.Ar key 108as the cryptographic key. 109.It Fl m Ar N 110Compute a message authentication code (MAC) of 111.Ar N 112bits on the input. 113The value of 114.Ar N 115must be between 1 and 64 inclusive; if 116.Ar N 117is not a multiple of 8, enough 0 bits will be added to pad the MAC length 118to the nearest multiple of 8. 119Only the MAC is output. 120MACs are only available in cipher block chaining mode or in cipher feedback 121mode. 122.It Fl o Ar N 123Use 124.Ar N Ns -bit 125output feedback mode. 126Currently 127.Ar N 128must be a multiple of 8 between 8 and 64 inclusive (this does not conform 129to the OFB mode specification). 130.It Fl p 131Disable the resetting of the parity bit. 132This flag forces the parity bit of the key to be used as typed, rather than 133making each character be of odd parity. 134It is used only if the key is given in ASCII. 135.It Fl v Ar vector 136Set the initialization vector to 137.Ar vector ; 138the vector is interpreted in the same way as the key. 139The vector is ignored in electronic codebook mode. 140For best security, a different 141initialization vector should be used for each file. 142.El 143.Pp 144The key and initialization vector are taken as sequences of ASCII 145characters which are then mapped into their bit representations. 146If either begins with 147.Dq 0X 148or 149.Dq 0x , 150that one is taken as a sequence of hexadecimal digits indicating the 151bit pattern; 152if either begins with 153.Dq 0B 154or 155.Dq 0b , 156that one is taken as a sequence of binary digits indicating the bit pattern. 157In either case, 158only the leading 64 bits of the key or initialization vector 159are used, 160and if fewer than 64 bits are provided, enough 0 bits are appended 161to pad the key to 64 bits. 162.Pp 163According to the DES standard, the low-order bit of each character in the 164key string is deleted. 165Since most ASCII representations set the high-order bit to 0, simply 166deleting the low-order bit effectively reduces the size of the key space 167from 168.if t 2\u\s-356\s0\d 169.if n 2**56 170to 171.if t 2\u\s-348\s0\d 172.if n 2**48 173keys. 174To prevent this, the high-order bit must be a function depending in part 175upon the low-order bit; so, the high-order bit is set to whatever value 176gives odd parity. 177This preserves the key space size. 178Note this resetting of the parity bit is 179.Em not 180done if the key is given in binary or hex, and can be disabled for ASCII 181keys as well. 182.Pp 183The DES is considered a very strong cryptosystem hobbled by a short 184key, and other than table lookup attacks, key search attacks, and 185Hellman's time-memory tradeoff (all of which are very expensive and 186time-consuming), no practical cryptanalytic methods for breaking the 187DES are known in the open literature. 188As of this writing, the best 189known cryptanalytic method is linear cryptanalysis, which requires an 190average of 191.if t 2\u\s-343\s0\d 192.if n 2**43 193known plaintext-ciphertext pairs to succeed. 194Unfortunately for the DES, key search attacks (requiring only 195a single known plaintext-ciphertext pair and trying 196.if t 2\u\s-355\s0\d 197.if n 2**55 198keys on average) are becoming practical. 199.Pp 200As with all cryptosystems, the choice of keys and 201key security remain the most vulnerable aspect of 202.Nm . 203.Sh IMPLEMENTATION NOTES 204For implementors wishing to write software compatible with this program, 205the following notes are provided. 206This software is believed to be compatible with the implementation of the 207data encryption standard distributed by Sun Microsystems, Inc. 208.Pp 209In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes, 210also called a block). 211To ensure that the plaintext file is encrypted correctly, 212.Nm 213will (internally) append from 1 to 8 bytes, the last byte containing an 214integer stating how many bytes of that final block are from the plaintext 215file, and encrypt the resulting block. 216Hence, when decrypting, the last block may contain from 0 to 7 characters 217present in the plaintext file, and the last byte tells how many. 218Note that if during decryption the last byte of the file does not contain an 219integer between 0 and 7, either the file has been corrupted or an incorrect 220key has been given. 221A similar mechanism is used for the OFB and CFB modes, except that those 222simply require the length of the input to be a multiple of the mode size, 223and the final byte contains an integer between 0 and one less than the number 224of bytes being used as the mode. 225(This was another reason that the mode size must be a multiple of 8 for those 226modes.) 227.Pp 228Unlike Sun's implementation, unused bytes of that last block are not filled 229with random data, but instead contain what was in those byte positions in 230the preceding block. 231This is quicker and more portable, and does not weaken the encryption 232significantly. 233.Pp 234If the key is entered in ASCII, the parity bits of the key characters are set 235so that each key character is of odd parity. 236Unlike Sun's implementation, it is possible to enter binary or hexadecimal 237keys on the command line, and if this is done, the parity bits are 238.Em not 239reset. 240This allows testing using arbitrary bit patterns as keys. 241.Pp 242The Sun implementation always uses an initialization vector of 0 243(that is, all zeroes). 244By default, 245.Nm 246does too, but this may be changed from the command line. 247.Sh SEE ALSO 248.Xr crypt 3 , 249.Xr getpass 3 250.Rs 251.%T Data Encryption Standard 252.%R Federal Information Processing Standard #46 253.%Q National Bureau of Standards, U.S. Department of Commerce 254.\" should be .%C as soon as it's supported. 255.%O Washington DC 256.%D January 1977 257.Re 258.Rs 259.%T DES Modes of Operation 260.%R Federal Information Processing Standard #81 261.%Q National Bureau of Standards, U.S. Department of Commerce 262.\" should be .%C as soon as it's supported. 263.%O Washington DC 264.%D December 1980 265.Re 266.Rs 267.%A Dorothy Denning 268.%T Cryptography and Data Security 269.%I Addison-Wesley Publishing Co. 270.\" should be .%C as soon as it's supported. 271.%O Reading, MA 272.%D 1982 273.Re 274.Rs 275.%A Matt Bishop 276.%T Implementation Notes on bdes(1) 277.%R Technical Report PCS-TR-91-158 278.%Q Department of Mathematics and Computer Science, Dartmouth College 279.\" should be .%C as soon as it's supported. 280.%O Hanover, NH 03755 281.%D April 1991 282.Re 283.Rs 284.%A M.J. Wiener 285.%T Efficient DES Key Search 286.%R Technical Report 244 287.%Q School of Computer Science, Carleton University 288.%D May 1994 289.Re 290.Rs 291.%A Bruce Schneier 292.%T Applied Cryptography (2nd edition) 293.%I John Wiley \*[Am] Sons, Inc. 294.%O New York, NY 295.\" should be .%C as soon as it's supported. 296.%D 1996 297.Re 298.Rs 299.%A M. Matsui 300.%T Linear Cryptanalysis Method for DES Cipher 301.%R Advances in Cryptology -- Eurocrypt '93 Proceedings 302.%I Springer-Verlag 303.%D 1994 304.Re 305.Rs 306.%A Blaze 307.%A Diffie 308.%A Rivest 309.%A Schneier 310.%A Shimomura 311.%A Thompson 312.%A Wiener 313.%T Minimal Key Lengths for Symmetric Ciphers To Provide Adequate Commercial Security 314.%I Business Software Alliance 315.%U http://www.bsa.org/policy/encryption/cryptographers.html 316.%D January 1996 317.Re 318.Sh BUGS 319When this document was originally written, there was a controversy 320raging over whether the DES would still be secure in a few years. 321There is now near-universal consensus in the cryptographic community 322that the key length of the DES is far too short. 323The advent of 324special-purpose hardware could reduce the cost of any of the methods 325of attack named above so that they are no longer computationally 326infeasible; in addition, the explosive growth in the number and speed 327of modern microprocessors as well as advances in programmable logic 328devices has brought an attack using only commodity hardware into the 329realm of possibility. 330Schneier and others currently recommend using 331cryptosystems with keys of at least 90 bits when long-term security is 332needed. 333.Pp 334As the key or key schedule is stored in memory, the encryption can be 335compromised if memory is readable. 336Additionally, programs which display programs' arguments may compromise the 337key and initialization vector, if they are specified on the command line. 338To avoid this 339.Nm 340overwrites its arguments, however, the obvious race cannot currently be 341avoided. 342.Pp 343Certain specific keys should be avoided because they introduce potential 344weaknesses; these keys, called the 345.Em weak 346and 347.Em semiweak 348keys, are (in hex notation, where p is either 0 or 1, and P is either 349e or f): 350.Bd -literal -offset indent 3510x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P 3520x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP 3530x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P 3540x1Pep1Pep0Pfp0Pfp 0x1PfP1PfP0PfP0PfP 3550xep0pep0pfp0pfp0p 0xep1Pep1pfp0Pfp0P 3560xepepepepepepepep 0xepfPepfPfpfPfpfP 3570xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P 3580xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP 359.Ed 360.Pp 361This is inherent in the DES algorithm (see Moore and Simmons, 362.Do 363Cycle structure of the DES with weak and semi-weak keys 364.Dc , 365.Em "Advances in Cryptology \- Crypto '86 Proceedings" , 366Springer-Verlag New York, \(co1987, pp. 9-32.) 367