Commit | Line | Data |
---|---|---|
50c16ed3 UM |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
d02b48c6 | 5 | des - encrypt or decrypt data using Data Encryption Standard |
50c16ed3 UM |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
9 | B<des> | |
d02b48c6 | 10 | ( |
50c16ed3 | 11 | B<-e> |
d02b48c6 | 12 | | |
50c16ed3 | 13 | B<-E> |
d02b48c6 | 14 | ) | ( |
50c16ed3 | 15 | B<-d> |
d02b48c6 | 16 | | |
50c16ed3 | 17 | B<-D> |
d02b48c6 | 18 | ) | ( |
50c16ed3 | 19 | B<->[B<cC>][B<ckname>] |
d02b48c6 RE |
20 | ) | |
21 | [ | |
50c16ed3 | 22 | B<-b3hfs> |
d02b48c6 | 23 | ] [ |
50c16ed3 UM |
24 | B<-k> |
25 | I<key> | |
d02b48c6 RE |
26 | ] |
27 | ] [ | |
50c16ed3 | 28 | B<-u>[I<uuname>] |
d02b48c6 | 29 | [ |
50c16ed3 | 30 | I<input-file> |
d02b48c6 | 31 | [ |
50c16ed3 | 32 | I<output-file> |
d02b48c6 | 33 | ] ] |
50c16ed3 UM |
34 | |
35 | =head1 NOTE | |
36 | ||
37 | This page describes the B<des> stand-alone program, not the B<openssl des> | |
38 | command. | |
39 | ||
40 | =head1 DESCRIPTION | |
41 | ||
42 | B<des> | |
d02b48c6 RE |
43 | encrypts and decrypts data using the |
44 | Data Encryption Standard algorithm. | |
45 | One of | |
50c16ed3 | 46 | B<-e>, B<-E> |
d02b48c6 | 47 | (for encrypt) or |
50c16ed3 | 48 | B<-d>, B<-D> |
d02b48c6 RE |
49 | (for decrypt) must be specified. |
50 | It is also possible to use | |
50c16ed3 | 51 | B<-c> |
d02b48c6 | 52 | or |
50c16ed3 | 53 | B<-C> |
d02b48c6 RE |
54 | in conjunction with or instead of an encrypt/decrypt option to generate |
55 | a 16 character hexadecimal checksum, generated via the | |
50c16ed3 UM |
56 | I<des_cbc_cksum>. |
57 | ||
d02b48c6 | 58 | Two standard encryption modes are supported by the |
50c16ed3 | 59 | B<des> |
d02b48c6 RE |
60 | program, Cipher Block Chaining (the default) and Electronic Code Book |
61 | (specified with | |
50c16ed3 UM |
62 | B<-b>). |
63 | ||
d02b48c6 RE |
64 | The key used for the DES |
65 | algorithm is obtained by prompting the user unless the | |
50c16ed3 UM |
66 | B<-k> |
67 | I<key> | |
d02b48c6 RE |
68 | option is given. |
69 | If the key is an argument to the | |
50c16ed3 | 70 | B<des> |
d02b48c6 | 71 | command, it is potentially visible to users executing |
50c16ed3 | 72 | ps(1) |
d02b48c6 | 73 | or a derivative. To minimise this possibility, |
50c16ed3 | 74 | B<des> |
d02b48c6 RE |
75 | takes care to destroy the key argument immediately upon entry. |
76 | If your shell keeps a history file be careful to make sure it is not | |
77 | world readable. | |
50c16ed3 UM |
78 | |
79 | Since this program attempts to maintain compatibility with sunOS's | |
d02b48c6 RE |
80 | des(1) command, there are 2 different methods used to convert the user |
81 | supplied key to a des key. | |
82 | Whenever one or more of | |
50c16ed3 | 83 | B<-E>, B<-D>, B<-C> |
d02b48c6 | 84 | or |
50c16ed3 | 85 | B<-3> |
d02b48c6 RE |
86 | options are used, the key conversion procedure will not be compatible |
87 | with the sunOS des(1) version but will use all the user supplied | |
88 | characters to generate the des key. | |
50c16ed3 | 89 | B<des> |
d02b48c6 | 90 | command reads from standard input unless |
50c16ed3 | 91 | I<input-file> |
d02b48c6 | 92 | is specified and writes to standard output unless |
50c16ed3 | 93 | I<output-file> |
d02b48c6 | 94 | is given. |
50c16ed3 UM |
95 | |
96 | =head1 OPTIONS | |
97 | ||
98 | =over 4 | |
99 | ||
100 | =item B<-b> | |
101 | ||
d02b48c6 RE |
102 | Select ECB |
103 | (eight bytes at a time) encryption mode. | |
50c16ed3 UM |
104 | |
105 | =item B<-3> | |
106 | ||
d02b48c6 RE |
107 | Encrypt using triple encryption. |
108 | By default triple cbc encryption is used but if the | |
50c16ed3 UM |
109 | B<-b> |
110 | option is used then triple ECB encryption is performed. | |
d02b48c6 | 111 | If the key is less than 8 characters long, the flag has no effect. |
50c16ed3 UM |
112 | |
113 | =item B<-e> | |
114 | ||
d02b48c6 RE |
115 | Encrypt data using an 8 byte key in a manner compatible with sunOS |
116 | des(1). | |
50c16ed3 UM |
117 | |
118 | =item B<-E> | |
119 | ||
d02b48c6 RE |
120 | Encrypt data using a key of nearly unlimited length (1024 bytes). |
121 | This will produce a more secure encryption. | |
50c16ed3 UM |
122 | |
123 | =item B<-d> | |
124 | ||
125 | Decrypt data that was encrypted with the B<-e> option. | |
126 | ||
127 | =item B<-D> | |
128 | ||
129 | Decrypt data that was encrypted with the B<-E> option. | |
130 | ||
131 | =item B<-c> | |
132 | ||
d02b48c6 RE |
133 | Generate a 16 character hexadecimal cbc checksum and output this to |
134 | stderr. | |
135 | If a filename was specified after the | |
50c16ed3 | 136 | B<-c> |
d02b48c6 RE |
137 | option, the checksum is output to that file. |
138 | The checksum is generated using a key generated in a sunOS compatible | |
139 | manner. | |
50c16ed3 UM |
140 | |
141 | =item B<-C> | |
142 | ||
d02b48c6 | 143 | A cbc checksum is generated in the same manner as described for the |
50c16ed3 | 144 | B<-c> |
d02b48c6 | 145 | option but the DES key is generated in the same manner as used for the |
50c16ed3 | 146 | B<-E> |
d02b48c6 | 147 | and |
50c16ed3 | 148 | B<-D> |
d02b48c6 | 149 | options. |
50c16ed3 UM |
150 | |
151 | =item B<-f> | |
152 | ||
d02b48c6 | 153 | Does nothing - allowed for compatibility with sunOS des(1) command. |
50c16ed3 UM |
154 | |
155 | =item B<-s> | |
156 | ||
d02b48c6 | 157 | Does nothing - allowed for compatibility with sunOS des(1) command. |
50c16ed3 UM |
158 | |
159 | =item B<-k> I<key> | |
160 | ||
d02b48c6 | 161 | Use the encryption |
50c16ed3 | 162 | I<key> |
d02b48c6 | 163 | specified. |
50c16ed3 UM |
164 | |
165 | =item B<-h> | |
166 | ||
d02b48c6 | 167 | The |
50c16ed3 | 168 | I<key> |
d02b48c6 RE |
169 | is assumed to be a 16 character hexadecimal number. |
170 | If the | |
50c16ed3 | 171 | B<-3> |
d02b48c6 RE |
172 | option is used the key is assumed to be a 32 character hexadecimal |
173 | number. | |
50c16ed3 UM |
174 | |
175 | =item B<-u> | |
176 | ||
d02b48c6 RE |
177 | This flag is used to read and write uuencoded files. If decrypting, |
178 | the input file is assumed to contain uuencoded, DES encrypted data. | |
50c16ed3 | 179 | If encrypting, the characters following the B<-u> are used as the name of |
d02b48c6 | 180 | the uuencoded file to embed in the begin line of the uuencoded |
50c16ed3 | 181 | output. If there is no name specified after the B<-u>, the name text.des |
d02b48c6 | 182 | will be embedded in the header. |
50c16ed3 UM |
183 | |
184 | =head1 SEE ALSO | |
185 | ||
186 | ps(1), | |
187 | L<des_crypt(3)|des_crypt(3)> | |
188 | ||
189 | =head1 BUGS | |
190 | ||
d02b48c6 | 191 | The problem with using the |
50c16ed3 | 192 | B<-e> |
d02b48c6 RE |
193 | option is the short key length. |
194 | It would be better to use a real 56-bit key rather than an | |
195 | ASCII-based 56-bit pattern. Knowing that the key was derived from ASCII | |
196 | radically reduces the time necessary for a brute-force cryptographic attack. | |
197 | My attempt to remove this problem is to add an alternative text-key to | |
198 | DES-key function. This alternative function (accessed via | |
50c16ed3 | 199 | B<-E>, B<-D>, B<-S> |
d02b48c6 | 200 | and |
50c16ed3 | 201 | B<-3>) |
d02b48c6 | 202 | uses DES to help generate the key. |
50c16ed3 UM |
203 | |
204 | Be careful when using the B<-u> option. Doing B<des -ud> I<filename> will | |
205 | not decrypt filename (the B<-u> option will gobble the B<-d> option). | |
206 | ||
d02b48c6 RE |
207 | The VMS operating system operates in a world where files are always a |
208 | multiple of 512 bytes. This causes problems when encrypted data is | |
50c16ed3 UM |
209 | sent from Unix to VMS since an 88 byte file will suddenly be padded |
210 | with 424 null bytes. To get around this problem, use the B<-u> option | |
d02b48c6 | 211 | to uuencode the data before it is sent to the VMS system. |
50c16ed3 UM |
212 | |
213 | =head1 AUTHOR | |
214 | ||
d02b48c6 | 215 | Eric Young (eay@cryptsoft.com) |
50c16ed3 UM |
216 | |
217 | =cut |
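
The DESCRIPTION above says that a key passed with B<-k> can be seen through ps(1) and that the program destroys the key argument on entry. The following is an added sketch of that pattern, not the des program's own code; `take_key` and `wipe` are hypothetical helpers, and the only detail taken from the page is the 1024-byte key limit.

```c
#include <stddef.h>
#include <string.h>

#define KEY_MAX 1024  /* the page gives 1024 bytes as the -E key limit */

/* Overwrite through a volatile pointer so the compiler cannot drop the
 * stores as dead writes. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Hypothetical helper: copy the key that follows -k out of argv into a
 * private buffer, then blank the argv copy in place.
 * Returns the key length, or -1 if -k is absent, has no value, or the
 * value does not fit in out. */
static int take_key(int argc, char **argv, char *out, size_t outlen)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-k") != 0)
            continue;
        if (i + 1 >= argc)
            return -1;
        size_t n = strlen(argv[i + 1]);
        int rc = -1;
        if (n < outlen) {
            memcpy(out, argv[i + 1], n + 1);
            rc = (int)n;
        }
        wipe(argv[i + 1], n);  /* wiped even when the copy is refused */
        return rc;
    }
    return -1;
}

int main(int argc, char **argv)
{
    char key[KEY_MAX + 1];
    int n = take_key(argc, argv, key, sizeof key);
    /* the key would be converted to a DES key at this point */
    wipe(key, sizeof key);  /* clear the private copy once it is used */
    return n < 0;
}
```

The overwrite only narrows the exposure: the key is readable from process start until the wipe runs, and whether ps(1) reflects the change depends on the operating system, so prompting for the key remains the safer path.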