[thirdparty/openssl.git] / crypto / des / des.pod

=pod

=head1 NAME

des - encrypt or decrypt data using Data Encryption Standard

=head1 SYNOPSIS

B<des>
(
B<-e>
|
B<-E>
) | (
B<-d>
|
B<-D>
) | (
B<->[B<cC>][B<ckname>]
) |
[
B<-b3hfs>
] [
B<-k>
I<key>
]
] [
B<-u>[I<uuname>]
[
I<input-file>
[
I<output-file>
] ]

=head1 NOTE

This page describes the B<des> stand-alone program, not the B<openssl des>
command.

=head1 DESCRIPTION

B<des>
encrypts and decrypts data using the
Data Encryption Standard algorithm.
One of
B<-e>, B<-E>
(for encrypt) or
B<-d>, B<-D>
(for decrypt) must be specified.
It is also possible to use
B<-c>
or
B<-C>
in conjunction or instead of the a encrypt/decrypt option to generate
a 16 character hexadecimal checksum, generated via the
I<des_cbc_cksum>.

Two standard encryption modes are supported by the
B<des>
program, Cipher Block Chaining (the default) and Electronic Code Book
(specified with
B<-b>).

The key used for the DES
algorithm is obtained by prompting the user unless the
B<-k>
I<key>
option is given.
If the key is an argument to the
B<des>
command, it is potentially visible to users executing
ps(1)
or a derivative.  To minimise this possibility,
B<des>
takes care to destroy the key argument immediately upon entry.
If your shell keeps a history file be careful to make sure it is not
world readable.

Since this program attempts to maintain compatibility with sunOS's
des(1) command, there are 2 different methods used to convert the user
supplied key to a des key.
Whenever and one or more of
B<-E>, B<-D>, B<-C>
or
B<-3>
options are used, the key conversion procedure will not be compatible
with the sunOS des(1) version but will use all the user supplied
character to generate the des key.
B<des>
command reads from standard input unless
I<input-file>
is specified and writes to standard output unless
I<output-file>
is given.

=head1 OPTIONS

=over 4

=item B<-b>

Select ECB
(eight bytes at a time) encryption mode.

=item B<-3>

Encrypt using triple encryption.
By default triple cbc encryption is used but if the
B<-b>
option is used then triple ECB encryption is performed.
If the key is less than 8 characters long, the flag has no effect.

=item B<-e>

Encrypt data using an 8 byte key in a manner compatible with sunOS
des(1).

=item B<-E>

Encrypt data using a key of nearly unlimited length (1024 bytes).
This will product a more secure encryption.

=item B<-d>

Decrypt data that was encrypted with the B<-e> option.

=item B<-D>

Decrypt data that was encrypted with the B<-E> option.

=item B<-c>

Generate a 16 character hexadecimal cbc checksum and output this to
stderr.
If a filename was specified after the
B<-c>
option, the checksum is output to that file.
The checksum is generated using a key generated in a sunOS compatible
manner.

=item B<-C>

A cbc checksum is generated in the same manner as described for the
B<-c>
option but the DES key is generated in the same manner as used for the
B<-E>
and
B<-D>
options

=item B<-f>

Does nothing - allowed for compatibility with sunOS des(1) command.

=item B<-s>

Does nothing - allowed for compatibility with sunOS des(1) command.

=item B<-k> I<key>

Use the encryption 
I<key>
specified.

=item B<-h>

The
I<key>
is assumed to be a 16 character hexadecimal number.
If the
B<-3>
option is used the key is assumed to be a 32 character hexadecimal
number.

=item B<-u>

This flag is used to read and write uuencoded files.  If decrypting,
the input file is assumed to contain uuencoded, DES encrypted data.
If encrypting, the characters following the B<-u> are used as the name of
the uuencoded file to embed in the begin line of the uuencoded
output.  If there is no name specified after the B<-u>, the name text.des
will be embedded in the header.

=back

=head1 SEE ALSO

ps(1),
L<des_crypt(3)|des_crypt(3)>

=head1 BUGS

The problem with using the
B<-e>
option is the short key length.
It would be better to use a real 56-bit key rather than an
ASCII-based 56-bit pattern.  Knowing that the key was derived from ASCII
radically reduces the time necessary for a brute-force cryptographic attack.
My attempt to remove this problem is to add an alternative text-key to
DES-key function.  This alternative function (accessed via
B<-E>, B<-D>, B<-S>
and
B<-3>)
uses DES to help generate the key.

Be carefully when using the B<-u> option.  Doing B<des -ud> I<filename> will
not decrypt filename (the B<-u> option will gobble the B<-d> option).

The VMS operating system operates in a world where files are always a
multiple of 512 bytes.  This causes problems when encrypted data is
send from Unix to VMS since a 88 byte file will suddenly be padded
with 424 null bytes.  To get around this problem, use the B<-u> option
to uuencode the data before it is send to the VMS system.

=head1 AUTHOR

Eric Young (eay@cryptsoft.com)

=cut
Commit	Line	Data
50c16ed3 UM	1	=pod
	2
	3	=head1 NAME
	4
d02b48c6	5	des - encrypt or decrypt data using Data Encryption Standard
50c16ed3 UM	6
	7	=head1 SYNOPSIS
	8
	9	B<des>
d02b48c6	10	(
50c16ed3	11	B<-e>
d02b48c6	12	\|
50c16ed3	13	B<-E>
d02b48c6	14	) \| (
50c16ed3	15	B<-d>
d02b48c6	16	\|
50c16ed3	17	B<-D>
d02b48c6	18	) \| (
50c16ed3	19	B<->[B<cC>][B<ckname>]
d02b48c6 RE	20	) \|
d02b48c6 RE	21	[
50c16ed3	22	B<-b3hfs>
d02b48c6	23	] [
50c16ed3 UM	24	B<-k>
50c16ed3 UM	25	I<key>
d02b48c6 RE	26	]
d02b48c6 RE	27	] [
50c16ed3	28	B<-u>[I<uuname>]
d02b48c6	29	[
50c16ed3	30	I<input-file>
d02b48c6	31	[
50c16ed3	32	I<output-file>
d02b48c6	33	] ]
50c16ed3 UM	34
	35	=head1 NOTE
	36
	37	This page describes the B<des> stand-alone program, not the B<openssl des>
	38	command.
	39
	40	=head1 DESCRIPTION
	41
	42	B<des>
d02b48c6 RE	43	encrypts and decrypts data using the
	44	Data Encryption Standard algorithm.
	45	One of
50c16ed3	46	B<-e>, B<-E>
d02b48c6	47	(for encrypt) or
50c16ed3	48	B<-d>, B<-D>
d02b48c6 RE	49	(for decrypt) must be specified.
d02b48c6 RE	50	It is also possible to use
50c16ed3	51	B<-c>
d02b48c6	52	or
50c16ed3	53	B<-C>
d02b48c6 RE	54	in conjunction or instead of the a encrypt/decrypt option to generate
d02b48c6 RE	55	a 16 character hexadecimal checksum, generated via the
50c16ed3 UM	56	I<des_cbc_cksum>.
50c16ed3 UM	57
d02b48c6	58	Two standard encryption modes are supported by the
50c16ed3	59	B<des>
d02b48c6 RE	60	program, Cipher Block Chaining (the default) and Electronic Code Book
d02b48c6 RE	61	(specified with
50c16ed3 UM	62	B<-b>).
50c16ed3 UM	63
d02b48c6 RE	64	The key used for the DES
d02b48c6 RE	65	algorithm is obtained by prompting the user unless the
50c16ed3 UM	66	B<-k>
50c16ed3 UM	67	I<key>
d02b48c6 RE	68	option is given.
d02b48c6 RE	69	If the key is an argument to the
50c16ed3	70	B<des>
d02b48c6	71	command, it is potentially visible to users executing
50c16ed3	72	ps(1)
d02b48c6	73	or a derivative. To minimise this possibility,
50c16ed3	74	B<des>
d02b48c6 RE	75	takes care to destroy the key argument immediately upon entry.
	76	If your shell keeps a history file be careful to make sure it is not
	77	world readable.
50c16ed3 UM	78
50c16ed3 UM	79	Since this program attempts to maintain compatibility with sunOS's
d02b48c6 RE	80	des(1) command, there are 2 different methods used to convert the user
	81	supplied key to a des key.
	82	Whenever and one or more of
50c16ed3	83	B<-E>, B<-D>, B<-C>
d02b48c6	84	or
50c16ed3	85	B<-3>
d02b48c6 RE	86	options are used, the key conversion procedure will not be compatible
	87	with the sunOS des(1) version but will use all the user supplied
	88	character to generate the des key.
50c16ed3	89	B<des>
d02b48c6	90	command reads from standard input unless
50c16ed3	91	I<input-file>
d02b48c6	92	is specified and writes to standard output unless
50c16ed3	93	I<output-file>
d02b48c6	94	is given.
50c16ed3 UM	95
	96	=head1 OPTIONS
	97
	98	=over 4
	99
	100	=item B<-b>
	101
d02b48c6 RE	102	Select ECB
d02b48c6 RE	103	(eight bytes at a time) encryption mode.
50c16ed3 UM	104
	105	=item B<-3>
	106
d02b48c6 RE	107	Encrypt using triple encryption.
d02b48c6 RE	108	By default triple cbc encryption is used but if the
50c16ed3 UM	109	B<-b>
50c16ed3 UM	110	option is used then triple ECB encryption is performed.
d02b48c6	111	If the key is less than 8 characters long, the flag has no effect.
50c16ed3 UM	112
	113	=item B<-e>
	114
d02b48c6 RE	115	Encrypt data using an 8 byte key in a manner compatible with sunOS
d02b48c6 RE	116	des(1).
50c16ed3 UM	117
	118	=item B<-E>
	119
d02b48c6 RE	120	Encrypt data using a key of nearly unlimited length (1024 bytes).
d02b48c6 RE	121	This will product a more secure encryption.
50c16ed3 UM	122
	123	=item B<-d>
	124
	125	Decrypt data that was encrypted with the B<-e> option.
	126
	127	=item B<-D>
	128
	129	Decrypt data that was encrypted with the B<-E> option.
	130
	131	=item B<-c>
	132
d02b48c6 RE	133	Generate a 16 character hexadecimal cbc checksum and output this to
	134	stderr.
	135	If a filename was specified after the
50c16ed3	136	B<-c>
d02b48c6 RE	137	option, the checksum is output to that file.
	138	The checksum is generated using a key generated in a sunOS compatible
	139	manner.
50c16ed3 UM	140
	141	=item B<-C>
	142
d02b48c6	143	A cbc checksum is generated in the same manner as described for the
50c16ed3	144	B<-c>
d02b48c6	145	option but the DES key is generated in the same manner as used for the
50c16ed3	146	B<-E>
d02b48c6	147	and
50c16ed3	148	B<-D>
d02b48c6	149	options
50c16ed3 UM	150
	151	=item B<-f>
	152
d02b48c6	153	Does nothing - allowed for compatibility with sunOS des(1) command.
50c16ed3 UM	154
	155	=item B<-s>
	156
d02b48c6	157	Does nothing - allowed for compatibility with sunOS des(1) command.
50c16ed3 UM	158
	159	=item B<-k> I<key>
	160
d02b48c6	161	Use the encryption
50c16ed3	162	I<key>
d02b48c6	163	specified.
50c16ed3 UM	164
	165	=item B<-h>
	166
d02b48c6	167	The
50c16ed3	168	I<key>
d02b48c6 RE	169	is assumed to be a 16 character hexadecimal number.
d02b48c6 RE	170	If the
50c16ed3	171	B<-3>
d02b48c6 RE	172	option is used the key is assumed to be a 32 character hexadecimal
d02b48c6 RE	173	number.
50c16ed3 UM	174
	175	=item B<-u>
	176
d02b48c6 RE	177	This flag is used to read and write uuencoded files. If decrypting,
d02b48c6 RE	178	the input file is assumed to contain uuencoded, DES encrypted data.
50c16ed3	179	If encrypting, the characters following the B<-u> are used as the name of
d02b48c6	180	the uuencoded file to embed in the begin line of the uuencoded
50c16ed3	181	output. If there is no name specified after the B<-u>, the name text.des
d02b48c6	182	will be embedded in the header.
50c16ed3	183
ed77017b LR	184	=back
ed77017b LR	185
50c16ed3 UM	186	=head1 SEE ALSO
	187
	188	ps(1),
	189	L<des_crypt(3)\|des_crypt(3)>
	190
	191	=head1 BUGS
	192
d02b48c6	193	The problem with using the
50c16ed3	194	B<-e>
d02b48c6 RE	195	option is the short key length.
	196	It would be better to use a real 56-bit key rather than an
	197	ASCII-based 56-bit pattern. Knowing that the key was derived from ASCII
	198	radically reduces the time necessary for a brute-force cryptographic attack.
	199	My attempt to remove this problem is to add an alternative text-key to
	200	DES-key function. This alternative function (accessed via
50c16ed3	201	B<-E>, B<-D>, B<-S>
d02b48c6	202	and
50c16ed3	203	B<-3>)
d02b48c6	204	uses DES to help generate the key.
50c16ed3 UM	205
	206	Be carefully when using the B<-u> option. Doing B<des -ud> I<filename> will
	207	not decrypt filename (the B<-u> option will gobble the B<-d> option).
	208
d02b48c6 RE	209	The VMS operating system operates in a world where files are always a
d02b48c6 RE	210	multiple of 512 bytes. This causes problems when encrypted data is
50c16ed3 UM	211	send from Unix to VMS since a 88 byte file will suddenly be padded
50c16ed3 UM	212	with 424 null bytes. To get around this problem, use the B<-u> option
d02b48c6	213	to uuencode the data before it is send to the VMS system.
50c16ed3 UM	214
	215	=head1 AUTHOR
	216
d02b48c6	217	Eric Young (eay@cryptsoft.com)
50c16ed3 UM	218
50c16ed3 UM	219	=cut