Diffstat (limited to 'secure/usr.bin/bdes/bdes.1')
-rw-r--r-- | secure/usr.bin/bdes/bdes.1 | 243 |
1 files changed, 159 insertions, 84 deletions
diff --git a/secure/usr.bin/bdes/bdes.1 b/secure/usr.bin/bdes/bdes.1 index becf75f..367d32d 100644 --- a/secure/usr.bin/bdes/bdes.1 +++ b/secure/usr.bin/bdes/bdes.1 @@ -40,7 +40,7 @@ .Os .Sh NAME .Nm bdes -.Nd "encrypt/decrypt using the Data Encryption Standard" +.Nd "encrypt/decrypt using the Data Encryption Standard (DES)" .Sh SYNOPSIS .Nm .Op Fl abdp @@ -61,22 +61,31 @@ including alternative cipher feedback mode and both authentication modes. The .Nm -utility reads from the standard input and writes to the standard output. -By default, the input is encrypted using cipher block chaining mode. -Using the same key for encryption and decryption preserves plain text. +utility reads from the standard input +and writes to the standard output. +By default, +the input is encrypted +using cipher block chaining (CBC) mode. +Using the same key +for encryption and decryption +preserves plain text. .Pp -All modes but the electronic code book mode require an initialization -vector; if none is supplied, the zero vector is used. +All modes but the electronic code book (ECB) mode +require an initialization vector; +if none is supplied, +the zero vector is used. If no .Ar key -is specified on the command line, the user is prompted for one (see +is specified on the command line, +the user is prompted for one (see .Xr getpass 3 for more details). .Pp The options are as follows: .Bl -tag -width indent .It Fl a -The key and initialization vector strings are to be taken as +The key and initialization vector strings +are to be taken as .Tn ASCII , suppressing the special interpretation given to leading .Dq Li 0X , 
@@ -89,21 +98,22 @@ This flag applies to .Em both the key and initialization vector. .It Fl b -Use electronic code book mode. +Use ECB mode. .It Fl d Decrypt the input. .It Fl F Ar N Use .Ar N Ns \-bit -alternative cipher feedback mode. +alternative CFB mode. Currently .Ar N -must be a multiple of 7 between 7 and 56 inclusive (this does not conform -to the alternative CFB mode specification). +must be a multiple of 7 +between 7 and 56 inclusive +(this does not conform to the alternative CFB mode specification). .It Fl f Ar N Use .Ar N Ns \-bit -cipher feedback mode. +CFB mode. Currently .Ar N must be a multiple of 8 between 8 and 64 inclusive (this does not conform 
@@ -120,130 +130,182 @@ The value of .Ar N must be between 1 and 64 inclusive; if .Ar N -is not a multiple of 8, enough 0 bits will be added to pad the MAC length +is not a multiple of 8, +enough 0 bits will be added +to pad the MAC length to the nearest multiple of 8. Only the MAC is output. -MACs are only available in cipher block chaining mode or in cipher feedback -mode. +MACs are only available +in CBC mode +or in CFB mode. .It Fl o Ar N Use .Ar N Ns \-bit -output feedback mode. +ouput feedback (OFB) mode. Currently .Ar N must be a multiple of 8 between 8 and 64 inclusive (this does not conform to the OFB mode specification). .It Fl p Disable the resetting of the parity bit. -This flag forces the parity bit of the key to be used as typed, rather than -making each character be of odd parity. +This flag forces +the parity bit of the key +to be used as typed, +rather than making +each character be of odd parity. It is used only if the key is given in .Tn ASCII . .It Fl v Ar vector Set the initialization vector to .Ar vector ; the vector is interpreted in the same way as the key. -The vector is ignored in electronic codebook mode. +The vector is ignored in ECB mode. .El .Pp -The key and initialization vector are taken as sequences of +The key and initialization vector +are taken as sequences of .Tn ASCII -characters which are then mapped into their bit representations. +characters which are then mapped +into their bit representations. If either begins with .Dq Li 0X or .Dq Li 0x , -that one is taken as a sequence of hexadecimal digits indicating the -bit pattern; +that one is taken +as a sequence of hexadecimal digits +indicating the bit pattern; if either begins with .Dq Li 0B or .Dq Li 0b , -that one is taken as a sequence of binary digits indicating the bit pattern. +that one is taken +as a sequence of binary digits +indicating the bit pattern. 
In either case, -only the leading 64 bits of the key or initialization vector +only the leading 64 bits +of the key or initialization vector are used, -and if fewer than 64 bits are provided, enough 0 bits are appended +and if fewer than 64 bits are provided, +enough 0 bits are appended to pad the key to 64 bits. .Pp According to the .Tn DES -standard, the low-order bit of each character in the -key string is deleted. +standard, +the low-order bit of each character +in the key string is deleted. Since most .Tn ASCII -representations set the high-order bit to 0, simply -deleting the low-order bit effectively reduces the size of the key space +representations +set the high-order bit to 0, +simply deleting the low-order bit +effectively reduces the size of the key space from 2^56 to 2^48 keys. -To prevent this, the high-order bit must be a function depending in part -upon the low-order bit; so, the high-order bit is set to whatever value -gives odd parity. +To prevent this, +the high-order bit must be a function +depending in part upon the low-order bit; +so, +the high-order bit is set +to whatever value gives odd parity. This preserves the key space size. Note this resetting of the parity bit is .Em not -done if the key is given in binary or hex, and can be disabled for +done if the key +is given in binary or hex, +and can be disabled for .Tn ASCII keys as well. .Pp The .Tn DES -is considered a very strong cryptosystem, and other than table lookup -attacks, key search attacks, and Hellman's time-memory tradeoff (all of which -are very expensive and time-consuming), no cryptanalytic methods for breaking -the +is considered a very strong cryptosystem, +and other than table lookup attacks, +key search attacks, +and Hellman's time-memory tradeoff +(all of which are very expensive and time-consuming), +no cryptanalytic methods +for breaking the .Tn DES are known in the open literature. 
-No doubt the choice of keys and key security are the most vulnerable aspect -of +No doubt the choice of keys +and key security +are the most vulnerable aspect of .Nm . .Sh IMPLEMENTATION NOTES -For implementors wishing to write software compatible with this program, +For implementors wishing to write +software compatible with this program, the following notes are provided. -This software is believed to be compatible with the implementation of the -data encryption standard distributed by Sun Microsystems, Inc. +This software is believed +to be compatible with the implementation +of the data encryption standard +distributed by Sun Microsystems, Inc. .Pp -In the ECB and CBC modes, plaintext is encrypted in units of 64 bits (8 bytes, -also called a block). -To ensure that the plaintext file is encrypted correctly, +In the ECB and CBC modes, +plaintext is encrypted in units of 64 bits +(8 bytes, also called a block). +To ensure that the plaintext file +is encrypted correctly, .Nm -will (internally) append from 1 to 8 bytes, the last byte containing an -integer stating how many bytes of that final block are from the plaintext -file, and encrypt the resulting block. -Hence, when decrypting, the last block may contain from 0 to 7 characters -present in the plaintext file, and the last byte tells how many. -Note that if during decryption the last byte of the file does not contain an -integer between 0 and 7, either the file has been corrupted or an incorrect -key has been given. -A similar mechanism is used for the OFB and CFB modes, except that those -simply require the length of the input to be a multiple of the mode size, -and the final byte contains an integer between 0 and one less than the number +will (internally) append from 1 to 8 bytes, +the last byte containing an integer +stating how many bytes of that final block +are from the plaintext file, +and encrypt the resulting block. 
+Hence, +when decrypting, +the last block may contain from 0 to 7 characters +present in the plaintext file, +and the last byte tells how many. +Note that if during decryption +the last byte of the file +does not contain an integer between 0 and 7, +either the file has been corrupted +or an incorrect key has been given. +A similar mechanism is used +for the OFB and CFB modes, +except that those +simply require the length of the input +to be a multiple of the mode size, +and the final byte contains an integer +between 0 and one less than the number of bytes being used as the mode. -(This was another reason that the mode size must be a multiple of 8 for those -modes.) +(This was another reason +that the mode size must be +a multiple of 8 for those modes.) .Pp -Unlike Sun's implementation, unused bytes of that last block are not filled -with random data, but instead contain what was in those byte positions in -the preceding block. -This is quicker and more portable, and does not weaken the encryption -significantly. +Unlike Sun's implementation, +unused bytes of that last block +are not filled with random data, +but instead contain +what was in those byte positions +in the preceding block. +This is quicker and more portable, +and does not weaken the encryption significantly. .Pp If the key is entered in .Tn ASCII , -the parity bits of the key characters are set -so that each key character is of odd parity. -Unlike Sun's implementation, it is possible to enter binary or hexadecimal -keys on the command line, and if this is done, the parity bits are +the parity bits of the key characters +are set so that each key character +is of odd parity. +Unlike Sun's implementation, +it is possible to enter binary or hexadecimal +keys on the command line, +and if this is done, +the parity bits are .Em not reset. -This allows testing using arbitrary bit patterns as keys. +This allows testing +using arbitrary bit patterns as keys. 
.Pp -The Sun implementation always uses an initialization vector of 0 +The Sun implementation +always uses an initialization vector of 0 (that is, all zeroes). By default, .Nm -does too, but this may be changed from the command line. +does too, +but this may be changed +from the command line. .Sh SEE ALSO -.Xr crypt 3 , .Xr getpass 3 .Rs .%T "Data Encryption Standard" @@ -289,21 +351,33 @@ There is a controversy raging over whether the .Tn DES will still be secure in a few years. -The advent of special-purpose hardware could reduce the cost of any of the -methods of attack named above so that they are no longer computationally -infeasible. +The advent of special-purpose hardware +could reduce the cost of any of the +methods of attack named above +so that they are no longer +computationally infeasible. .Pp -As the key or key schedule is stored in memory, the encryption can be +As the key or key schedule +is stored in memory, +the encryption can be compromised if memory is readable. -Additionally, programs which display programs' arguments may compromise the -key and initialization vector, if they are specified on the command line. +Additionally, +programs which display programs' arguments +may compromise the key and initialization vector, +if they are specified on the command line. To avoid this .Nm -overwrites its arguments, however, the obvious race cannot currently be -avoided. +overwrites its arguments, +however, +the obvious race +cannot currently be avoided. .Pp -Certain specific keys should be avoided because they introduce potential -weaknesses; these keys, called the +Certain specific keys +should be avoided +because they introduce +potential weaknesses; +these keys, +called the .Em weak and .Em semiweak @@ -328,7 +402,8 @@ or .Pp This is inherent in the .Tn DES -algorithm; see +algorithm; +see .Rs .%A Moore .%A Simmons |
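Review bot: In the @@ -61,22 +61,31 @@ hunk, the only wording changes are the added "(CBC)" and "(ECB)" expansions, and they are buried in a line-by-line reflow of sentences that are otherwise unchanged. Splitting the reflow into a whitespace-only commit would leave the content changes reviewable on their own, which matters for a page that documents key and IV handling.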
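Review bot: In the @@ -89,21 +98,22 @@ hunk, the -F and -f entries now read "alternative CFB mode" and "CFB mode", but CFB is never expanded in the lines shown, while the same patch spells out CBC, ECB and OFB where it introduces them. Suggest "cipher feedback (CFB) mode" at first use, matching "cipher block chaining (CBC) mode". The -f entry's line "must be a multiple of 8 between 8 and 64 inclusive (this does not conform" was also left unwrapped although the parallel -F sentence was reflowed.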
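Review bot: Typo in the -o entry of the @@ -120,130 +130,182 @@ hunk: "+ouput feedback (OFB) mode." should read "output feedback (OFB) mode." The same hunk also removes ".Xr crypt 3 ," from SEE ALSO, which is the one non-cosmetic deletion among the rewraps; if it is intentional it should be called out in the commit message, otherwise restore it.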
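Review bot: In the @@ -289,21 +351,33 @@ hunk, the rewrapped sentence "overwrites its arguments, however, the obvious race cannot currently be avoided." keeps its comma splice, now with "however," on a line of its own. Since these lines are being touched anyway, close the first clause with a semicolon ("overwrites its arguments; however, ..."). This paragraph would also be a good place to point readers at the prompt described earlier in the page (omit the key so it is read via getpass 3) as the way to keep the key out of the argument list.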