1.\" $NetBSD: bdes.1,v 1.8 2002/02/08 01:36:19 ross Exp $ 2.\" 3.\" Copyright (c) 1991, 1993 4.\" The Regents of the University of California. All rights reserved. 5.\" 6.\" This code is derived from software contributed to Berkeley by 7.\" Matt Bishop of Dartmouth College. 8.\" 9.\" Redistribution and use in source and binary forms, with or without 10.\" modification, are permitted provided that the following conditions 11.\" are met: 12.\" 1. Redistributions of source code must retain the above copyright 13.\" notice, this list of conditions and the following disclaimer. 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 3. All advertising materials mentioning features or use of this software 18.\" must display the following acknowledgement: 19.\" This product includes software developed by the University of 20.\" California, Berkeley and its contributors. 21.\" 4. Neither the name of the University nor the names of its contributors 22.\" may be used to endorse or promote products derived from this software 23.\" without specific prior written permission. 24.\" 25.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 26.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28.\" ARE DISCLAIMED. 
.\" IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)bdes.1	8.1 (Berkeley) 6/29/93
.\"
.Dd December 1, 2001
.Dt BDES 1
.Os
.Sh NAME
.Nm bdes
.Nd encrypt/decrypt using the Data Encryption Standard
.Sh SYNOPSIS
.Nm
.Op Fl abdp
.Op Fl F Ar N
.Op Fl f Ar N
.Op Fl k Ar key
.Op Fl m Ar N
.Op Fl o Ar N
.Op Fl v Ar vector
.Sh DESCRIPTION
.Nm
implements all DES modes of operation described in FIPS PUB 81,
including alternative cipher feedback mode and both authentication
modes.
.Nm
reads from the standard input and writes to the standard output.
By default, the input is encrypted using cipher block chaining mode.
Decrypting with the same key that was used for encryption recovers the
plaintext.
.Pp
All modes but the electronic code book mode require an initialization
vector; if none is supplied, the zero vector is used.
If no
.Ar key
is specified on the command line, the user is prompted for one (see
.Xr getpass 3
for more details).
.Pp
The options are as follows:
.Bl -tag -width "-v vector" -compact
.It Fl a
The key and initialization vector strings are to be taken as ASCII,
suppressing the special interpretation given to leading
.Dq 0X ,
.Dq 0x ,
.Dq 0B ,
and
.Dq 0b
characters.
This flag applies to
.Em both
the key and initialization vector.
.It Fl b
Use electronic code book mode.
This is not recommended for messages
longer than 8 bytes, as patterns in the input will show through to the
output.
.It Fl d
Decrypt the input.
.It Fl F Ar N
Use
.Ar N Ns -bit
alternative cipher feedback mode.
Currently
.Ar N
must be a multiple of 7 between 7 and 56 inclusive (this does not conform
to the alternative CFB mode specification).
.It Fl f Ar N
Use
.Ar N Ns -bit
cipher feedback mode.
Currently
.Ar N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
to the standard CFB mode specification).
.It Fl k Ar key
Use
.Ar key
as the cryptographic key.
.It Fl m Ar N
Compute a message authentication code (MAC) of
.Ar N
bits on the input.
The value of
.Ar N
must be between 1 and 64 inclusive; if
.Ar N
is not a multiple of 8, enough 0 bits will be added to pad the MAC length
to the nearest multiple of 8.
Only the MAC is output.
MACs are only available in cipher block chaining mode or in cipher feedback
mode.
.It Fl o Ar N
Use
.Ar N Ns -bit
output feedback mode.
Currently
.Ar N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
to the OFB mode specification).
.It Fl p
Disable the resetting of the parity bit.
This flag forces the parity bit of the key to be used as typed, rather than
making each character be of odd parity.
It is used only if the key is given in ASCII.
.It Fl v Ar vector
Set the initialization vector to
.Ar vector ;
the vector is interpreted in the same way as the key.
The vector is ignored in electronic codebook mode.
For best security, a different initialization vector should be used for
each file.
.El
.Pp
The key and initialization vector are taken as sequences of ASCII
characters which are then mapped into their bit representations.
If either begins with
.Dq 0X
or
.Dq 0x ,
that one is taken as a sequence of hexadecimal digits indicating the
bit pattern;
if either begins with
.Dq 0B
or
.Dq 0b ,
that one is taken as a sequence of binary digits indicating the bit pattern.
In either case,
only the leading 64 bits of the key or initialization vector
are used,
and if fewer than 64 bits are provided, enough 0 bits are appended
to pad the key to 64 bits.
.Pp
According to the DES standard, the low-order bit of each character in the
key string is deleted.
Since most ASCII representations set the high-order bit to 0, simply
deleting the low-order bit effectively reduces the size of the key space
from
.if t 2\u\s-356\s0\d
.if n 2**56
to
.if t 2\u\s-348\s0\d
.if n 2**48
keys.
To prevent this, the high-order bit must be a function depending in part
upon the low-order bit; so, the high-order bit is set to whatever value
gives odd parity.
This preserves the key space size.
Note this resetting of the parity bit is
.Em not
done if the key is given in binary or hex, and can be disabled for ASCII
keys as well.
.Pp
The DES is considered a very strong cryptosystem hobbled by a short
key, and other than table lookup attacks, key search attacks, and
Hellman's time-memory tradeoff (all of which are very expensive and
time-consuming), no practical cryptanalytic methods for breaking the
DES are known in the open literature.
As of this writing, the best known cryptanalytic method is linear
cryptanalysis, which requires an average of
.if t 2\u\s-343\s0\d
.if n 2**43
known plaintext-ciphertext pairs to succeed.
Unfortunately for the DES, key search attacks (requiring only
a single known plaintext-ciphertext pair and trying
.if t 2\u\s-355\s0\d
.if n 2**55
keys on average) are becoming practical.
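.Pp
The key-string mapping and parity rule described above, worked through as an
added example in Python.
This is illustrative code, not the bdes source: the names parse_key,
ascii_only and reset_parity are ours and stand in for the string rules and
the -a and -p flags, and effective_key_values counts what the rule buys per
key byte rather than quoting the program.

```python
"""Key/IV string mapping as described for bdes(1): 0x/0X hex, 0B/0b binary,
otherwise ASCII with each byte forced to odd parity via its high-order bit.
Added illustration, not bdes source; the key-space count below is computed
here, not taken from the program."""

KEY_BITS = 64


def odd_parity_byte(c: int) -> int:
    """Set the high-order bit of a 7-bit ASCII byte so the byte has odd parity.

    DES ignores the low-order bit of every key byte; tying the high-order bit
    to the parity of the lower seven bits keeps that low-order bit from being
    wasted, which is the page's argument for why the key space stays 2**56.
    """
    low7 = c & 0x7F
    ones = bin(low7).count("1")
    return low7 | (0x80 if ones % 2 == 0 else 0)


def parse_key(text: str, ascii_only: bool = False, reset_parity: bool = True) -> bytes:
    """Map a key or IV string to exactly 64 bits (8 bytes).

    ascii_only mirrors -a (no 0x/0b interpretation); reset_parity=False
    mirrors -p (ASCII parity bits used as typed). Hex and binary keys are
    never parity-adjusted. Only the leading 64 bits are used; shorter
    inputs are padded with 0 bits on the right.
    """
    if not ascii_only and text[:2] in ("0x", "0X"):
        digits = text[2:]
        if not all(ch in "0123456789abcdefABCDEF" for ch in digits):
            raise ValueError("non-hex digit in hex key")
        bits = "".join(f"{int(ch, 16):04b}" for ch in digits)
    elif not ascii_only and text[:2] in ("0b", "0B"):
        digits = text[2:]
        if not all(ch in "01" for ch in digits):
            raise ValueError("non-binary digit in binary key")
        bits = digits
    else:
        raw = text.encode("ascii")
        key_bytes = bytes(odd_parity_byte(c) if reset_parity else c for c in raw)
        bits = "".join(f"{b:08b}" for b in key_bytes)
    bits = bits[:KEY_BITS].ljust(KEY_BITS, "0")   # truncate, then zero-pad
    return int(bits, 2).to_bytes(KEY_BITS // 8, "big")


def effective_key_values(reset_parity: bool) -> int:
    """Count the distinct 7-bit values DES actually sees (low-order bit dropped)
    when one key byte ranges over all 128 ASCII characters."""
    seen = set()
    for c in range(128):
        b = odd_parity_byte(c) if reset_parity else c
        seen.add(b >> 1)   # DES discards the low-order (parity) bit
    return len(seen)
```

effective_key_values gives 64 distinct values per key byte without the
parity fix-up and 128 with it, which is the per-byte view of the 2**48 versus
2**56 figures above.
Note that parse_key("abc") yields 0x61 0x62 0xE3: only the third character
needed its high-order bit set to reach odd parity.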
.Pp
As with all cryptosystems, the choice of keys and
key security remain the most vulnerable aspect of
.Nm "" .
.Sh IMPLEMENTATION NOTES
For implementors wishing to write software compatible with this program,
the following notes are provided.
This software is believed to be compatible with the implementation of the
data encryption standard distributed by Sun Microsystems, Inc.
.Pp
In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes,
also called a block).
To ensure that the plaintext file is encrypted correctly,
.Nm
will (internally) append from 1 to 8 bytes, the last byte containing an
integer stating how many bytes of that final block are from the plaintext
file, and encrypt the resulting block.
Hence, when decrypting, the last block may contain from 0 to 7 characters
present in the plaintext file, and the last byte tells how many.
Note that if during decryption the last byte of the file does not contain an
integer between 0 and 7, either the file has been corrupted or an incorrect
key has been given.
A similar mechanism is used for the OFB and CFB modes, except that those
simply require the length of the input to be a multiple of the mode size,
and the final byte contains an integer between 0 and one less than the number
of bytes being used as the mode.
(This was another reason that the mode size must be a multiple of 8 for those
modes.)
.Pp
Unlike Sun's implementation, unused bytes of that last block are not filled
with random data, but instead contain what was in those byte positions in
the preceding block.
This is quicker and more portable, and does not weaken the encryption
significantly.
.Pp
If the key is entered in ASCII, the parity bits of the key characters are set
so that each key character is of odd parity.
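.Pp
The final-block convention described in these notes (count byte, filler from
the preceding block, and the 0..mode-1 sanity check on decryption), as an
added example in Python.
It is not the bdes source; the names pad_final_block and unpad_final_block
are ours, and where the final block has no preceding block the code assumes
all-zero filler, which the notes leave unspecified.

```python
"""Final-block convention from the bdes(1) IMPLEMENTATION NOTES, as an added
illustration (not bdes source). mode_bytes is 8 for ECB/CBC and the mode size
in bytes for CFB/OFB. ASSUMPTION: zero filler when there is no preceding
block, which the notes do not specify."""


def pad_final_block(data: bytes, mode_bytes: int = 8) -> bytes:
    """Append 1..mode_bytes bytes so the length is a multiple of mode_bytes.

    The last byte holds the number of plaintext bytes in the final block
    (0..mode_bytes-1). Filler bytes between the plaintext and the count byte
    repeat the bytes at the same positions in the preceding block, as the
    notes describe, rather than random data.
    """
    if not 1 <= mode_bytes <= 8:
        raise ValueError("mode size must be 1..8 bytes")
    n = len(data) % mode_bytes              # plaintext bytes in the final block
    start = len(data) - n                   # where the final block begins
    if start >= mode_bytes:
        prev = data[start - mode_bytes:start]
    else:
        prev = bytes(mode_bytes)            # ASSUMPTION: zeros when no preceding block
    filler = prev[n:mode_bytes - 1]         # positions n .. mode_bytes-2
    return data + filler + bytes([n])


def unpad_final_block(data: bytes, mode_bytes: int = 8) -> bytes:
    """Strip the padding; reject counts that cannot come from a correct decryption."""
    if not 1 <= mode_bytes <= 8:
        raise ValueError("mode size must be 1..8 bytes")
    if not data or len(data) % mode_bytes:
        raise ValueError("length is not a multiple of the mode size")
    count = data[-1]
    if count >= mode_bytes:
        # Per the notes: a last byte outside 0..mode-1 means the file was
        # corrupted or the wrong key was used.
        raise ValueError("corrupt ciphertext or wrong key (bad final-block count)")
    return data[: len(data) - (mode_bytes - count)]
```

For the 13-byte input b"hello, world!" the padded result is 16 bytes whose
last byte is 5 and whose two filler bytes repeat positions 5 and 6 of the
first block; an input that is already a multiple of 8 gains a whole block
ending in 0.
The same functions serve CFB/OFB by passing the mode size in bytes.
.Pp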
Unlike Sun's implementation, it is possible to enter binary or hexadecimal
keys on the command line, and if this is done, the parity bits are
.Em not
reset.
This allows testing using arbitrary bit patterns as keys.
.Pp
The Sun implementation always uses an initialization vector of 0
(that is, all zeroes).
By default,
.Nm
does too, but this may be changed from the command line.
.Sh SEE ALSO
.Xr crypt 3 ,
.Xr getpass 3
.Pp
.Em "Data Encryption Standard" ,
Federal Information Processing Standard #46,
National Bureau of Standards,
U.S. Department of Commerce,
Washington DC
(Jan. 1977).
.Pp
.Em "DES Modes of Operation" ,
Federal Information Processing Standard #81,
National Bureau of Standards,
U.S. Department of Commerce,
Washington DC
(Dec. 1980).
.Pp
Dorothy Denning,
.Em "Cryptography and Data Security" ,
Addison-Wesley Publishing Co.,
Reading, MA
\(co1982.
.Pp
Matt Bishop,
.Em "Implementation Notes on bdes(1)" ,
Technical Report PCS-TR-91-158,
Department of Mathematics and Computer Science,
Dartmouth College,
Hanover, NH 03755
(Apr. 1991).
.Pp
M.J. Wiener,
.Em "Efficient DES Key Search" ,
Technical Report 244,
School of Computer Science,
Carleton University
(May 1994).
.Pp
Bruce Schneier,
.Em "Applied Cryptography (2nd edition)" ,
John Wiley \*[Am] Sons, Inc.,
New York, NY
\(co1996.
.Pp
M. Matsui,
.Em "Linear Cryptanalysis Method for DES Cipher" ,
Advances in Cryptology -- Eurocrypt '93 Proceedings,
Springer-Verlag
\(co1994.
.Pp
Blaze, Diffie, Rivest, Schneier, Shimomura, Thompson, and Wiener,
.Em "Minimal Key Lengths for Symmetric Ciphers To Provide Adequate Commercial Security" ,
Business Software Alliance,
http://www.bsa.org/policy/encryption/cryptographers.html
(January 1996).
.Sh DISCLAIMER
.Bd -literal
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
.Ed
.Sh BUGS
When this document was originally written, there was a controversy
raging over whether the DES would still be secure in a few years.
There is now near-universal consensus in the cryptographic community
that the key length of the DES is far too short.
The advent of special-purpose hardware could reduce the cost of any of the
methods of attack named above so that they are no longer computationally
infeasible; in addition, the explosive growth in the number and speed
of modern microprocessors as well as advances in programmable logic
devices has brought an attack using only commodity hardware into the
realm of possibility.
Schneier and others currently recommend using
cryptosystems with keys of at least 90 bits when long-term security is
needed.
.Pp
As the key or key schedule is stored in memory, the encryption can be
compromised if memory is readable.
Additionally, programs which display the arguments of other processes may
compromise the key and initialization vector, if they are specified on the
command line.
To avoid this
.Nm
overwrites its arguments; however, the obvious race between process start
and the overwrite cannot currently be avoided.
.Pp
Certain specific keys should be avoided because they introduce potential
weaknesses; these keys, called the
.Em weak
and
.Em semiweak
keys, are (in hex notation, where p is either 0 or 1, and P is either
e or f):
.Bd -literal -offset indent
0x0p0p0p0p0p0p0p0p    0x0p1P0p1P0p0P0p0P
0x0pep0pep0pfp0pfp    0x0pfP0pfP0pfP0pfP
0x1P0p1P0p0P0p0P0p    0x1P1P1P1P0P0P0P0P
0x1Pep1Pep0Pfp0Pfp    0x1PfP1PfP0PfP0PfP
0xep0pep0pfp0pfp0p    0xep1Pep1pfp0Pfp0P
0xepepepepepepepep    0xepfPepfPfpfPfpfP
0xfP0pfP0pfP0pfP0p    0xfP1PfP1PfP0PfP0P
0xfPepfPepfPepfPep    0xfPfPfPfPfPfPfPfP
.Ed
.Pp
This is inherent in the DES algorithm (see Moore and Simmons,
.Do
Cycle structure of the DES with weak and semi-weak keys
.Dc ,
.Em "Advances in Cryptology \- Crypto '86 Proceedings" ,
Springer-Verlag New York, \(co1987, pp. 9-32.)
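.Pp
Because the weakness is inherent in the algorithm, a key can be checked
against the key schedule instead of against a table: after the PC-1
permutation (which never selects the parity bits, the reason the table above
can leave p and P open) the 28-bit C and D registers of a weak key are each
all-zero or all-one, and those of a semi-weak key are each constant or
alternating with at least one alternating, so the round subkeys repeat.
The following added Python example (not the bdes source; classify_key and
weak_and_semiweak_keys are our names, and the PC-1 table is the standard one
from FIPS PUB 46) classifies a key that way and regenerates all sixteen keys
from that characterisation:

```python
"""Classify DES keys as weak / semi-weak from the key schedule, and regenerate
the complete list of sixteen. Added example; not bdes source. The PC-1 table
is the standard one from FIPS PUB 46."""

# PC-1: the 56 key bits (DES numbering, 1..64) that fill the C and D
# registers, in order; bits 8, 16, ..., 64 (the parity bits) are never selected.
PC1 = [
    57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18,
    10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36,
    63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22,
    14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4,
]

# Register contents that make the round subkeys repeat: a constant register
# is unchanged by the schedule's rotations; an alternating one takes two values.
CONST = ("0" * 28, "1" * 28)
ALT = ("01" * 14, "10" * 14)


def pc1_halves(key: bytes):
    """Return the 28-bit C and D registers (as bit strings) for an 8-byte key."""
    if len(key) != 8:
        raise ValueError("DES key must be exactly 8 bytes")
    # DES bit n (1-based, MSB of byte 1 is bit 1) is bits[n-1].
    bits = [(key[i // 8] >> (7 - i % 8)) & 1 for i in range(64)]
    sel = "".join(str(bits[p - 1]) for p in PC1)
    return sel[:28], sel[28:]


def classify_key(key: bytes) -> str:
    """'weak' (one distinct subkey), 'semi-weak' (two), or 'ok'.

    PC-1 ignores the parity bits, so the answer is the same whether the
    key's parity bits were reset, typed as-is, or given in hex.
    """
    c, d = pc1_halves(key)
    if c in CONST and d in CONST:
        return "weak"
    if c in CONST + ALT and d in CONST + ALT:
        return "semi-weak"
    return "ok"


def weak_and_semiweak_keys() -> list:
    """Invert PC-1 over all 16 (C, D) pattern pairs, with odd parity set.

    Returns the 4 weak and 12 semi-weak keys as upper-case hex strings.
    """
    keys = []
    for c in CONST + ALT:
        for d in CONST + ALT:
            bits = [0] * 64
            for i, p in enumerate(PC1):
                bits[p - 1] = int((c + d)[i])
            out = bytearray()
            for b in range(8):
                byte = 0
                for i in range(7):                    # seven data bits, MSB first
                    byte = (byte << 1) | bits[b * 8 + i]
                byte <<= 1                            # room for the parity bit
                if bin(byte).count("1") % 2 == 0:     # odd parity: set the low bit
                    byte |= 1
                out.append(byte)
            keys.append(out.hex().upper())
    return sorted(keys)
```

Regenerating the list gives the four weak keys as 0101010101010101,
FEFEFEFEFEFEFEFE, E0E0E0E0F1F1F1F1 and 1F1F1F1F0E0E0E0E (odd parity set)
and twelve semi-weak keys such as 011F011F010E010E and E01FE01FF10EF10E.
Two entries of the table above, 0xepepepepepepepep and 0xfPepfPepfPepfPep,
do not classify as weak or semi-weak under this test; the published forms
are E0E0E0E0F1F1F1F1 and FEE0FEE0FEF1FEF1, whose last four bytes are fp and
fP respectively.
A tool can call classify_key on a parsed key and refuse anything other than
"ok" before encrypting.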