summaryrefslogtreecommitdiffstats
path: root/secure/usr.bin/bdes/bdes.1
diff options
context:
space:
mode:
Diffstat (limited to 'secure/usr.bin/bdes/bdes.1')
-rw-r--r--secure/usr.bin/bdes/bdes.1243
1 files changed, 159 insertions, 84 deletions
diff --git a/secure/usr.bin/bdes/bdes.1 b/secure/usr.bin/bdes/bdes.1
index becf75f..367d32d 100644
--- a/secure/usr.bin/bdes/bdes.1
+++ b/secure/usr.bin/bdes/bdes.1
@@ -40,7 +40,7 @@
.Os
.Sh NAME
.Nm bdes
-.Nd "encrypt/decrypt using the Data Encryption Standard"
+.Nd "encrypt/decrypt using the Data Encryption Standard (DES)"
.Sh SYNOPSIS
.Nm
.Op Fl abdp
@@ -61,22 +61,31 @@ including alternative cipher feedback mode and both authentication
modes.
The
.Nm
-utility reads from the standard input and writes to the standard output.
-By default, the input is encrypted using cipher block chaining mode.
-Using the same key for encryption and decryption preserves plain text.
+utility reads from the standard input
+and writes to the standard output.
+By default,
+the input is encrypted
+using cipher block chaining (CBC) mode.
+Using the same key
+for encryption and decryption
+preserves plain text.
.Pp
-All modes but the electronic code book mode require an initialization
-vector; if none is supplied, the zero vector is used.
+All modes but the electronic code book (ECB) mode
+require an initialization vector;
+if none is supplied,
+the zero vector is used.
If no
.Ar key
-is specified on the command line, the user is prompted for one (see
+is specified on the command line,
+the user is prompted for one (see
.Xr getpass 3
for more details).
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl a
-The key and initialization vector strings are to be taken as
+The key and initialization vector strings
+are to be taken as
.Tn ASCII ,
suppressing the special interpretation given to leading
.Dq Li 0X ,
@@ -89,21 +98,22 @@ This flag applies to
.Em both
the key and initialization vector.
.It Fl b
-Use electronic code book mode.
+Use ECB mode.
.It Fl d
Decrypt the input.
.It Fl F Ar N
Use
.Ar N Ns \-bit
-alternative cipher feedback mode.
+alternative CFB mode.
Currently
.Ar N
-must be a multiple of 7 between 7 and 56 inclusive (this does not conform
-to the alternative CFB mode specification).
+must be a multiple of 7
+between 7 and 56 inclusive
+(this does not conform to the alternative CFB mode specification).
.It Fl f Ar N
Use
.Ar N Ns \-bit
-cipher feedback mode.
+CFB mode.
Currently
.Ar N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
@@ -120,130 +130,182 @@ The value of
.Ar N
must be between 1 and 64 inclusive; if
.Ar N
-is not a multiple of 8, enough 0 bits will be added to pad the MAC length
+is not a multiple of 8,
+enough 0 bits will be added
+to pad the MAC length
to the nearest multiple of 8.
Only the MAC is output.
-MACs are only available in cipher block chaining mode or in cipher feedback
-mode.
+MACs are only available
+in CBC mode
+or in CFB mode.
.It Fl o Ar N
Use
.Ar N Ns \-bit
-output feedback mode.
+ouput feedback (OFB) mode.
Currently
.Ar N
must be a multiple of 8 between 8 and 64 inclusive (this does not conform
to the OFB mode specification).
.It Fl p
Disable the resetting of the parity bit.
-This flag forces the parity bit of the key to be used as typed, rather than
-making each character be of odd parity.
+This flag forces
+the parity bit of the key
+to be used as typed,
+rather than making
+each character be of odd parity.
It is used only if the key is given in
.Tn ASCII .
.It Fl v Ar vector
Set the initialization vector to
.Ar vector ;
the vector is interpreted in the same way as the key.
-The vector is ignored in electronic codebook mode.
+The vector is ignored in ECB mode.
.El
.Pp
-The key and initialization vector are taken as sequences of
+The key and initialization vector
+are taken as sequences of
.Tn ASCII
-characters which are then mapped into their bit representations.
+characters which are then mapped
+into their bit representations.
If either begins with
.Dq Li 0X
or
.Dq Li 0x ,
-that one is taken as a sequence of hexadecimal digits indicating the
-bit pattern;
+that one is taken
+as a sequence of hexadecimal digits
+indicating the bit pattern;
if either begins with
.Dq Li 0B
or
.Dq Li 0b ,
-that one is taken as a sequence of binary digits indicating the bit pattern.
+that one is taken
+as a sequence of binary digits
+indicating the bit pattern.
In either case,
-only the leading 64 bits of the key or initialization vector
+only the leading 64 bits
+of the key or initialization vector
are used,
-and if fewer than 64 bits are provided, enough 0 bits are appended
+and if fewer than 64 bits are provided,
+enough 0 bits are appended
to pad the key to 64 bits.
.Pp
According to the
.Tn DES
-standard, the low-order bit of each character in the
-key string is deleted.
+standard,
+the low-order bit of each character
+in the key string is deleted.
Since most
.Tn ASCII
-representations set the high-order bit to 0, simply
-deleting the low-order bit effectively reduces the size of the key space
+representations
+set the high-order bit to 0,
+simply deleting the low-order bit
+effectively reduces the size of the key space
from 2^56 to 2^48 keys.
-To prevent this, the high-order bit must be a function depending in part
-upon the low-order bit; so, the high-order bit is set to whatever value
-gives odd parity.
+To prevent this,
+the high-order bit must be a function
+depending in part upon the low-order bit;
+so,
+the high-order bit is set
+to whatever value gives odd parity.
This preserves the key space size.
Note this resetting of the parity bit is
.Em not
-done if the key is given in binary or hex, and can be disabled for
+done if the key
+is given in binary or hex,
+and can be disabled for
.Tn ASCII
keys as well.
.Pp
The
.Tn DES
-is considered a very strong cryptosystem, and other than table lookup
-attacks, key search attacks, and Hellman's time-memory tradeoff (all of which
-are very expensive and time-consuming), no cryptanalytic methods for breaking
-the
+is considered a very strong cryptosystem,
+and other than table lookup attacks,
+key search attacks,
+and Hellman's time-memory tradeoff
+(all of which are very expensive and time-consuming),
+no cryptanalytic methods
+for breaking the
.Tn DES
are known in the open literature.
-No doubt the choice of keys and key security are the most vulnerable aspect
-of
+No doubt the choice of keys
+and key security
+are the most vulnerable aspect of
.Nm .
.Sh IMPLEMENTATION NOTES
-For implementors wishing to write software compatible with this program,
+For implementors wishing to write
+software compatible with this program,
the following notes are provided.
-This software is believed to be compatible with the implementation of the
-data encryption standard distributed by Sun Microsystems, Inc.
+This software is believed
+to be compatible with the implementation
+of the data encryption standard
+distributed by Sun Microsystems, Inc.
.Pp
-In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes,
-also called a block).
-To ensure that the plaintext file is encrypted correctly,
+In the ECB and CBC modes,
+plaintext is encrypted in units of 64 bits
+(8 bytes, also called a block).
+To ensure that the plaintext file
+is encrypted correctly,
.Nm
-will (internally) append from 1 to 8 bytes, the last byte containing an
-integer stating how many bytes of that final block are from the plaintext
-file, and encrypt the resulting block.
-Hence, when decrypting, the last block may contain from 0 to 7 characters
-present in the plaintext file, and the last byte tells how many.
-Note that if during decryption the last byte of the file does not contain an
-integer between 0 and 7, either the file has been corrupted or an incorrect
-key has been given.
-A similar mechanism is used for the OFB and CFB modes, except that those
-simply require the length of the input to be a multiple of the mode size,
-and the final byte contains an integer between 0 and one less than the number
+will (internally) append from 1 to 8 bytes,
+the last byte containing an integer
+stating how many bytes of that final block
+are from the plaintext file,
+and encrypt the resulting block.
+Hence,
+when decrypting,
+the last block may contain from 0 to 7 characters
+present in the plaintext file,
+and the last byte tells how many.
+Note that if during decryption
+the last byte of the file
+does not contain an integer between 0 and 7,
+either the file has been corrupted
+or an incorrect key has been given.
+A similar mechanism is used
+for the OFB and CFB modes,
+except that those
+simply require the length of the input
+to be a multiple of the mode size,
+and the final byte contains an integer
+between 0 and one less than the number
of bytes being used as the mode.
-(This was another reason that the mode size must be a multiple of 8 for those
-modes.)
+(This was another reason
+that the mode size must be
+a multiple of 8 for those modes.)
.Pp
-Unlike Sun's implementation, unused bytes of that last block are not filled
-with random data, but instead contain what was in those byte positions in
-the preceding block.
-This is quicker and more portable, and does not weaken the encryption
-significantly.
+Unlike Sun's implementation,
+unused bytes of that last block
+are not filled with random data,
+but instead contain
+what was in those byte positions
+in the preceding block.
+This is quicker and more portable,
+and does not weaken the encryption significantly.
.Pp
If the key is entered in
.Tn ASCII ,
-the parity bits of the key characters are set
-so that each key character is of odd parity.
-Unlike Sun's implementation, it is possible to enter binary or hexadecimal
-keys on the command line, and if this is done, the parity bits are
+the parity bits of the key characters
+are set so that each key character
+is of odd parity.
+Unlike Sun's implementation,
+it is possible to enter binary or hexadecimal
+keys on the command line,
+and if this is done,
+the parity bits are
.Em not
reset.
-This allows testing using arbitrary bit patterns as keys.
+This allows testing
+using arbitrary bit patterns as keys.
.Pp
-The Sun implementation always uses an initialization vector of 0
+The Sun implementation
+always uses an initialization vector of 0
(that is, all zeroes).
By default,
.Nm
-does too, but this may be changed from the command line.
+does too,
+but this may be changed
+from the command line.
.Sh SEE ALSO
-.Xr crypt 3 ,
.Xr getpass 3
.Rs
.%T "Data Encryption Standard"
@@ -289,21 +351,33 @@ There is a controversy raging over whether the
.Tn DES
will still be secure
in a few years.
-The advent of special-purpose hardware could reduce the cost of any of the
-methods of attack named above so that they are no longer computationally
-infeasible.
+The advent of special-purpose hardware
+could reduce the cost of any of the
+methods of attack named above
+so that they are no longer
+computationally infeasible.
.Pp
-As the key or key schedule is stored in memory, the encryption can be
+As the key or key schedule
+is stored in memory,
+the encryption can be
compromised if memory is readable.
-Additionally, programs which display programs' arguments may compromise the
-key and initialization vector, if they are specified on the command line.
+Additionally,
+programs which display programs' arguments
+may compromise the key and initialization vector,
+if they are specified on the command line.
To avoid this
.Nm
-overwrites its arguments, however, the obvious race cannot currently be
-avoided.
+overwrites its arguments,
+however,
+the obvious race
+cannot currently be avoided.
.Pp
-Certain specific keys should be avoided because they introduce potential
-weaknesses; these keys, called the
+Certain specific keys
+should be avoided
+because they introduce
+potential weaknesses;
+these keys,
+called the
.Em weak
and
.Em semiweak
@@ -328,7 +402,8 @@ or
.Pp
This is inherent in the
.Tn DES
-algorithm; see
+algorithm;
+see
.Rs
.%A Moore
.%A Simmons
OpenPOWER on IntegriCloud