]>
Commit | Line | Data |
---|---|---|
7948febe RL |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
954b2747 | 5 | des_modes - the variants of DES and other crypto algorithms of OpenSSL |
7948febe RL |
6 | |
7 | =head1 DESCRIPTION | |
8 | ||
c8973693 | 9 | Several crypto algorithms for OpenSSL can be used in a number of modes. Those |
a5d9c6e4 RL |
10 | are used for using block ciphers in a way similar to stream ciphers, among |
11 | other things. | |
7948febe RL |
12 | |
13 | =head1 OVERVIEW | |
14 | ||
15 | =head2 Electronic Codebook Mode (ECB) | |
16 | ||
17 | Normally, this is found as the function I<algorithm>_ecb_encrypt(). | |
18 | ||
2f61bc2e | 19 | =over 2 |
7948febe RL |
20 | |
21 | =item * | |
22 | ||
23 | 64 bits are enciphered at a time. | |
24 | ||
25 | =item * | |
26 | ||
27 | The order of the blocks can be rearranged without detection. | |
28 | ||
29 | =item * | |
30 | ||
31 | The same plaintext block always produces the same ciphertext block | |
32 | (for the same key) making it vulnerable to a 'dictionary attack'. | |
33 | ||
34 | =item * | |
35 | ||
36 | An error will only affect one ciphertext block. | |
37 | ||
38 | =back | |
39 | ||
40 | =head2 Cipher Block Chaining Mode (CBC) | |
41 | ||
42 | Normally, this is found as the function I<algorithm>_cbc_encrypt(). | |
8ce288a8 BM |
43 | Be aware that des_cbc_encrypt() is not really DES CBC (it does |
44 | not update the IV); use des_ncbc_encrypt() instead. | |
7948febe | 45 | |
2f61bc2e | 46 | =over 2 |
7948febe RL |
47 | |
48 | =item * | |
49 | ||
50 | a multiple of 64 bits are enciphered at a time. | |
51 | ||
52 | =item * | |
53 | ||
54 | The CBC mode produces the same ciphertext whenever the same | |
55 | plaintext is encrypted using the same key and starting variable. | |
56 | ||
57 | =item * | |
58 | ||
59 | The chaining operation makes the ciphertext blocks dependent on the | |
60 | current and all preceding plaintext blocks and therefore blocks can not | |
61 | be rearranged. | |
62 | ||
63 | =item * | |
64 | ||
65 | The use of different starting variables prevents the same plaintext | |
66 | enciphering to the same ciphertext. | |
67 | ||
68 | =item * | |
69 | ||
70 | An error will affect the current and the following ciphertext blocks. | |
71 | ||
72 | =back | |
73 | ||
74 | =head2 Cipher Feedback Mode (CFB) | |
75 | ||
76 | Normally, this is found as the function I<algorithm>_cfb_encrypt(). | |
77 | ||
2f61bc2e | 78 | =over 2 |
7948febe RL |
79 | |
80 | =item * | |
81 | ||
82 | a number of bits (j) <= 64 are enciphered at a time. | |
83 | ||
84 | =item * | |
85 | ||
86 | The CFB mode produces the same ciphertext whenever the same | |
87 | plaintext is encrypted using the same key and starting variable. | |
88 | ||
89 | =item * | |
90 | ||
91 | The chaining operation makes the ciphertext variables dependent on the | |
92 | current and all preceding variables and therefore j-bit variables are | |
93 | chained together and can not be rearranged. | |
94 | ||
95 | =item * | |
96 | ||
97 | The use of different starting variables prevents the same plaintext | |
98 | enciphering to the same ciphertext. | |
99 | ||
100 | =item * | |
101 | ||
102 | The strength of the CFB mode depends on the size of k (maximal if | |
103 | j == k). In my implementation this is always the case. | |
104 | ||
105 | =item * | |
106 | ||
107 | Selection of a small value for j will require more cycles through | |
108 | the encipherment algorithm per unit of plaintext and thus cause | |
109 | greater processing overheads. | |
110 | ||
111 | =item * | |
112 | ||
113 | Only multiples of j bits can be enciphered. | |
114 | ||
115 | =item * | |
116 | ||
117 | An error will affect the current and the following ciphertext variables. | |
118 | ||
119 | =back | |
120 | ||
121 | =head2 Output Feedback Mode (OFB) | |
122 | ||
123 | Normally, this is found as the function I<algorithm>_ofb_encrypt(). | |
124 | ||
2f61bc2e | 125 | =over 2 |
7948febe RL |
126 | |
127 | =item * | |
128 | ||
129 | a number of bits (j) <= 64 are enciphered at a time. | |
130 | ||
131 | =item * | |
132 | ||
133 | The OFB mode produces the same ciphertext whenever the same | |
134 | plaintext enciphered using the same key and starting variable. More | |
135 | over, in the OFB mode the same key stream is produced when the same | |
136 | key and start variable are used. Consequently, for security reasons | |
137 | a specific start variable should be used only once for a given key. | |
138 | ||
139 | =item * | |
140 | ||
141 | The absence of chaining makes the OFB more vulnerable to specific attacks. | |
142 | ||
143 | =item * | |
144 | ||
145 | The use of different start variables values prevents the same | |
146 | plaintext enciphering to the same ciphertext, by producing different | |
147 | key streams. | |
148 | ||
149 | =item * | |
150 | ||
151 | Selection of a small value for j will require more cycles through | |
152 | the encipherment algorithm per unit of plaintext and thus cause | |
153 | greater processing overheads. | |
154 | ||
155 | =item * | |
156 | ||
157 | Only multiples of j bits can be enciphered. | |
158 | ||
159 | =item * | |
160 | ||
161 | OFB mode of operation does not extend ciphertext errors in the | |
162 | resultant plaintext output. Every bit error in the ciphertext causes | |
163 | only one bit to be in error in the deciphered plaintext. | |
164 | ||
165 | =item * | |
166 | ||
c8973693 | 167 | OFB mode is not self-synchronizing. If the two operation of |
7948febe | 168 | encipherment and decipherment get out of synchronism, the system needs |
c8973693 | 169 | to be re-initialized. |
7948febe RL |
170 | |
171 | =item * | |
172 | ||
c8973693 | 173 | Each re-initialization should use a value of the start variable |
7948febe RL |
174 | different from the start variable values used before with the same |
175 | key. The reason for this is that an identical bit stream would be | |
176 | produced each time from the same parameters. This would be | |
177 | susceptible to a 'known plaintext' attack. | |
178 | ||
179 | =back | |
180 | ||
181 | =head2 Triple ECB Mode | |
182 | ||
183 | Normally, this is found as the function I<algorithm>_ecb3_encrypt(). | |
184 | ||
2f61bc2e | 185 | =over 2 |
7948febe RL |
186 | |
187 | =item * | |
188 | ||
189 | Encrypt with key1, decrypt with key2 and encrypt with key3 again. | |
190 | ||
191 | =item * | |
192 | ||
193 | As for ECB encryption but increases the key length to 168 bits. | |
194 | There are theoretic attacks that can be used that make the effective | |
195 | key length 112 bits, but this attack also requires 2^56 blocks of | |
196 | memory, not very likely, even for the NSA. | |
197 | ||
198 | =item * | |
199 | ||
200 | If both keys are the same it is equivalent to encrypting once with | |
201 | just one key. | |
202 | ||
203 | =item * | |
204 | ||
205 | If the first and last key are the same, the key length is 112 bits. | |
2c17323e BM |
206 | There are attacks that could reduce the effective key strength |
207 | to only slightly more than 56 bits, but these require a lot of memory. | |
7948febe RL |
208 | |
209 | =item * | |
210 | ||
211 | If all 3 keys are the same, this is effectively the same as normal | |
212 | ecb mode. | |
213 | ||
214 | =back | |
215 | ||
216 | =head2 Triple CBC Mode | |
217 | ||
218 | Normally, this is found as the function I<algorithm>_ede3_cbc_encrypt(). | |
219 | ||
2f61bc2e | 220 | =over 2 |
7948febe RL |
221 | |
222 | =item * | |
223 | ||
224 | Encrypt with key1, decrypt with key2 and then encrypt with key3. | |
225 | ||
226 | =item * | |
227 | ||
228 | As for CBC encryption but increases the key length to 168 bits with | |
229 | the same restrictions as for triple ecb mode. | |
230 | ||
231 | =back | |
232 | ||
a5d9c6e4 RL |
233 | =head1 NOTES |
234 | ||
235 | This text was been written in large parts by Eric Young in his original | |
236 | documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed | |
237 | it to: | |
238 | ||
1bc74519 RS |
239 | AS 2805.5.2 |
240 | Australian Standard | |
241 | Electronic funds transfer - Requirements for interfaces, | |
242 | Part 5.2: Modes of operation for an n-bit block cipher algorithm | |
243 | Appendix A | |
a5d9c6e4 | 244 | |
7948febe RL |
245 | =head1 SEE ALSO |
246 | ||
9e183d22 | 247 | L<BF_encrypt(3)>, L<DES_crypt(3)> |
369782ac | 248 | |
e2f92610 RS |
249 | =head1 COPYRIGHT |
250 | ||
9e183d22 | 251 | Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. |
e2f92610 RS |
252 | |
253 | Licensed under the OpenSSL license (the "License"). You may not use | |
254 | this file except in compliance with the License. You can obtain a copy | |
255 | in the file LICENSE in the source distribution or at | |
256 | L<https://www.openssl.org/source/license.html>. | |
257 | ||
258 | =cut |