1 .\" Copyright (c) 1991, 1993
2 .\" The Regents of the University of California. All rights reserved.
4 .\" This code is derived from software contributed to Berkeley by
5 .\" Matt Bishop of Dartmouth College.
7 .\" Redistribution and use in source and binary forms, with or without
8 .\" modification, are permitted provided that the following conditions
10 .\" 1. Redistributions of source code must retain the above copyright
11 .\" notice, this list of conditions and the following disclaimer.
12 .\" 2. Redistributions in binary form must reproduce the above copyright
13 .\" notice, this list of conditions and the following disclaimer in the
14 .\" documentation and/or other materials provided with the distribution.
15 .\" 3. All advertising materials mentioning features or use of this software
16 .\" must display the following acknowledgement:
17 .\" This product includes software developed by the University of
18 .\" California, Berkeley and its contributors.
19 .\" 4. Neither the name of the University nor the names of its contributors
20 .\" may be used to endorse or promote products derived from this software
21 .\" without specific prior written permission.
23 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 .\" @(#)bdes.1 8.1 (Berkeley) 6/29/93
38 .Dd September 20, 2013
43 .Nd "encrypt / decrypt using the Data Encryption Standard (DES)"
55 The DES cipher should no longer be considered secure.
56 Please consider using a more modern alternative.
61 utility implements all
63 modes of operation described in
65 including alternative cipher feedback mode and both authentication
69 utility reads from the standard input
70 and writes to the standard output.
72 the input is encrypted
73 using cipher block chaining (CBC) mode.
75 for encryption and decryption
78 All modes but the electronic code book (ECB) mode
79 require an initialization vector;
81 the zero vector is used.
84 is specified on the command line,
85 the user is prompted for one (see
89 The options are as follows:
90 .Bl -tag -width indent
92 The key and initialization vector strings
95 suppressing the special interpretation given to leading
104 the key and initialization vector.
112 alternative CFB mode.
115 must be a multiple of 7
116 between 7 and 56 inclusive
117 (this does not conform to the alternative CFB mode specification).
124 must be a multiple of 8 between 8 and 64 inclusive (this does not conform
125 to the standard CFB mode specification).
129 as the cryptographic key.
131 Compute a message authentication code (MAC) of
136 must be between 1 and 64 inclusive; if
138 is not a multiple of 8,
139 enough 0 bits will be added
140 to pad the MAC length
141 to the nearest multiple of 8.
142 Only the MAC is output.
143 MACs are only available
149 output feedback (OFB) mode.
152 must be a multiple of 8 between 8 and 64 inclusive (this does not conform
153 to the OFB mode specification).
155 Disable the resetting of the parity bit.
157 the parity bit of the key
160 each character be of odd parity.
161 It is used only if the key is given in
164 Set the initialization vector to
166 the vector is interpreted in the same way as the key.
167 The vector is ignored in ECB mode.
170 The key and initialization vector
171 are taken as sequences of
173 characters which are then mapped
174 into their bit representations.
175 If either begins with
180 as a sequence of hexadecimal digits
181 indicating the bit pattern;
182 if either begins with
187 as a sequence of binary digits
188 indicating the bit pattern.
190 only the leading 64 bits
191 of the key or initialization vector
193 and if fewer than 64 bits are provided,
194 enough 0 bits are appended
195 to pad the key to 64 bits.
200 the low-order bit of each character
201 in the key string is deleted.
205 set the high-order bit to 0,
206 simply deleting the low-order bit
207 effectively reduces the size of the key space
208 from 2^56 to 2^48 keys.
210 the high-order bit must be a function
211 depending in part upon the low-order bit;
213 the high-order bit is set
214 to whatever value gives odd parity.
215 This preserves the key space size.
216 Note this resetting of the parity bit is
219 is given in binary or hex,
220 and can be disabled for
223 .Sh IMPLEMENTATION NOTES
224 For implementors wishing to write
225 software compatible with this program,
226 the following notes are provided.
227 This software is believed
228 to be compatible with the implementation
229 of the data encryption standard
230 distributed by Sun Microsystems, Inc.
232 In the ECB and CBC modes,
233 plaintext is encrypted in units of 64 bits
234 (8 bytes, also called a block).
235 To ensure that the plaintext file
236 is encrypted correctly,
238 will (internally) append from 1 to 8 bytes,
239 the last byte containing an integer
240 stating how many bytes of that final block
241 are from the plaintext file,
242 and encrypt the resulting block.
245 the last block may contain from 0 to 7 characters
246 present in the plaintext file,
247 and the last byte tells how many.
248 Note that if during decryption
249 the last byte of the file
250 does not contain an integer between 0 and 7,
251 either the file has been corrupted
252 or an incorrect key has been given.
253 A similar mechanism is used
254 for the OFB and CFB modes,
256 simply require the length of the input
257 to be a multiple of the mode size,
258 and the final byte contains an integer
259 between 0 and one less than the number
260 of bytes being used as the mode.
261 (This was another reason
262 that the mode size must be
263 a multiple of 8 for those modes.)
265 Unlike Sun's implementation,
266 unused bytes of that last block
267 are not filled with random data,
269 what was in those byte positions
270 in the preceding block.
271 This is quicker and more portable,
272 and does not weaken the encryption significantly.
274 If the key is entered in
276 the parity bits of the key characters
277 are set so that each key character
279 Unlike Sun's implementation,
280 it is possible to enter binary or hexadecimal
281 keys on the command line,
287 using arbitrary bit patterns as keys.
289 The Sun implementation
290 always uses an initialization vector of 0
291 (that is, all zeroes).
295 but this may be changed
296 from the command line.
300 .%T "Data Encryption Standard"
301 .%R "Federal Information Processing Standard #46"
302 .%Q "National Bureau of Standards, U.S. Department of Commerce, Washington DC"
306 .%T "DES Modes of Operation"
307 .%R "Federal Information Processing Standard #81"
308 .%Q "National Bureau of Standards, U.S. Department of Commerce, Washington DC"
312 .%A "Dorothy Denning"
313 .%B "Cryptography and Data Security"
314 .%Q "Addison-Wesley Publishing Co., Reading, MA"
319 .%T "Implementation Notes on bdes(1)"
320 .%R "Technical Report PCS-TR-91-158"
321 .%Q "Department of Mathematics and Computer Science, Dartmouth College, Hanover, NH 03755"
326 THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
327 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
328 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
329 ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
330 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
331 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
332 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
333 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
334 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
335 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
339 As the key or key schedule
341 the encryption can be
342 compromised if memory is readable.
344 programs which display programs' arguments
345 may compromise the key and initialization vector,
346 if they are specified on the command line.
349 overwrites its arguments,
352 cannot currently be avoided.
354 Certain specific keys
356 because they introduce
357 potential weaknesses;
363 keys, are (in hex notation, where
365 is either 0 or 1, and
371 .Bl -column "0x0p0p0p0p0p0p0p0p" -offset indent
372 .It "0x0p0p0p0p0p0p0p0p 0x0p1P0p1P0p0P0p0P"
373 .It "0x0pep0pep0pfp0pfp 0x0pfP0pfP0pfP0pfP"
374 .It "0x1P0p1P0p0P0p0P0p 0x1P1P1P1P0P0P0P0P"
375 .It "0x1Pep1Pep0Pfp0Pfp 0x1PfP1PfP0PfP0PfP"
376 .It "0xep0pep0pfp0pfp0p 0xep1Pep1pfp0Pfp0P"
377 .It "0xepepepepepepepep 0xepfPepfPfpfPfpfP"
378 .It "0xfP0pfP0pfP0pfP0p 0xfP1PfP1PfP0PfP0P"
379 .It "0xfPepfPepfPepfPep 0xfPfPfPfPfPfPfPfP"
382 This is inherent in the
389 .%T "Cycle structure of the DES with weak and semi-weak keys"
390 .%B "Advances in Cryptology \- Crypto '86 Proceedings"
391 .%Q "Springer-Verlag New York"