summaryrefslogtreecommitdiff
path: root/openssl/crypto/des/des.pod
blob: bf479e83d26b7d98d7a3fabf93efb5313a8d4374 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
=pod

=head1 NAME

des - encrypt or decrypt data using Data Encryption Standard

=head1 SYNOPSIS

B<des>
(
B<-e>
|
B<-E>
) | (
B<-d>
|
B<-D>
) | (
B<->[B<cC>][B<ckname>]
) |
[
B<-b3hfs>
] [
B<-k>
I<key>
]
] [
B<-u>[I<uuname>]
[
I<input-file>
[
I<output-file>
] ]

=head1 NOTE

This page describes the B<des> stand-alone program, not the B<openssl des>
command.

=head1 DESCRIPTION

B<des>
encrypts and decrypts data using the
Data Encryption Standard algorithm.
One of
B<-e>, B<-E>
(for encrypt) or
B<-d>, B<-D>
(for decrypt) must be specified.
It is also possible to use
B<-c>
or
B<-C>
in conjunction or instead of the a encrypt/decrypt option to generate
a 16 character hexadecimal checksum, generated via the
I<des_cbc_cksum>.

Two standard encryption modes are supported by the
B<des>
program, Cipher Block Chaining (the default) and Electronic Code Book
(specified with
B<-b>).

The key used for the DES
algorithm is obtained by prompting the user unless the
B<-k>
I<key>
option is given.
If the key is an argument to the
B<des>
command, it is potentially visible to users executing
ps(1)
or a derivative.  To minimise this possibility,
B<des>
takes care to destroy the key argument immediately upon entry.
If your shell keeps a history file be careful to make sure it is not
world readable.

Since this program attempts to maintain compatibility with sunOS's
des(1) command, there are 2 different methods used to convert the user
supplied key to a des key.
Whenever and one or more of
B<-E>, B<-D>, B<-C>
or
B<-3>
options are used, the key conversion procedure will not be compatible
with the sunOS des(1) version but will use all the user supplied
character to generate the des key.
B<des>
command reads from standard input unless
I<input-file>
is specified and writes to standard output unless
I<output-file>
is given.

=head1 OPTIONS

=over 4

=item B<-b>

Select ECB
(eight bytes at a time) encryption mode.

=item B<-3>

Encrypt using triple encryption.
By default triple cbc encryption is used but if the
B<-b>
option is used then triple ECB encryption is performed.
If the key is less than 8 characters long, the flag has no effect.

=item B<-e>

Encrypt data using an 8 byte key in a manner compatible with sunOS
des(1).

=item B<-E>

Encrypt data using a key of nearly unlimited length (1024 bytes).
This will product a more secure encryption.

=item B<-d>

Decrypt data that was encrypted with the B<-e> option.

=item B<-D>

Decrypt data that was encrypted with the B<-E> option.

=item B<-c>

Generate a 16 character hexadecimal cbc checksum and output this to
stderr.
If a filename was specified after the
B<-c>
option, the checksum is output to that file.
The checksum is generated using a key generated in a sunOS compatible
manner.

=item B<-C>

A cbc checksum is generated in the same manner as described for the
B<-c>
option but the DES key is generated in the same manner as used for the
B<-E>
and
B<-D>
options

=item B<-f>

Does nothing - allowed for compatibility with sunOS des(1) command.

=item B<-s>

Does nothing - allowed for compatibility with sunOS des(1) command.

=item B<-k> I<key>

Use the encryption 
I<key>
specified.

=item B<-h>

The
I<key>
is assumed to be a 16 character hexadecimal number.
If the
B<-3>
option is used the key is assumed to be a 32 character hexadecimal
number.

=item B<-u>

This flag is used to read and write uuencoded files.  If decrypting,
the input file is assumed to contain uuencoded, DES encrypted data.
If encrypting, the characters following the B<-u> are used as the name of
the uuencoded file to embed in the begin line of the uuencoded
output.  If there is no name specified after the B<-u>, the name text.des
will be embedded in the header.

=head1 SEE ALSO

ps(1),
L<des_crypt(3)|des_crypt(3)>

=head1 BUGS

The problem with using the
B<-e>
option is the short key length.
It would be better to use a real 56-bit key rather than an
ASCII-based 56-bit pattern.  Knowing that the key was derived from ASCII
radically reduces the time necessary for a brute-force cryptographic attack.
My attempt to remove this problem is to add an alternative text-key to
DES-key function.  This alternative function (accessed via
B<-E>, B<-D>, B<-S>
and
B<-3>)
uses DES to help generate the key.

Be carefully when using the B<-u> option.  Doing B<des -ud> I<filename> will
not decrypt filename (the B<-u> option will gobble the B<-d> option).

The VMS operating system operates in a world where files are always a
multiple of 512 bytes.  This causes problems when encrypted data is
send from Unix to VMS since a 88 byte file will suddenly be padded
with 424 null bytes.  To get around this problem, use the B<-u> option
to uuencode the data before it is send to the VMS system.

=head1 AUTHOR

Eric Young (eay@cryptsoft.com)

=cut