| =pod |
| |
| =head1 NAME |
| |
| des - encrypt or decrypt data using Data Encryption Standard |
| |
| =head1 SYNOPSIS |
| |
| B<des> |
| ( |
| B<-e> |
| | |
| B<-E> |
| ) | ( |
| B<-d> |
| | |
| B<-D> |
| ) | ( |
| B<->[B<cC>][B<ckname>] |
| ) | |
| [ |
| B<-b3hfs> |
| ] [ |
| B<-k> |
| I<key> |
| ] |
| ] [ |
| B<-u>[I<uuname>] |
| [ |
| I<input-file> |
| [ |
| I<output-file> |
| ] ] |
| |
| =head1 NOTE |
| |
| This page describes the B<des> stand-alone program, not the B<openssl des> |
| command. |
| |
| =head1 DESCRIPTION |
| |
| B<des> |
| encrypts and decrypts data using the |
| Data Encryption Standard algorithm. |
| One of |
| B<-e>, B<-E> |
| (for encrypt) or |
| B<-d>, B<-D> |
| (for decrypt) must be specified. |
| It is also possible to use |
| B<-c> |
| or |
| B<-C> |
| in conjunction or instead of the a encrypt/decrypt option to generate |
| a 16 character hexadecimal checksum, generated via the |
| I<des_cbc_cksum>. |
| |
| Two standard encryption modes are supported by the |
| B<des> |
| program, Cipher Block Chaining (the default) and Electronic Code Book |
| (specified with |
| B<-b>). |
| |
| The key used for the DES |
| algorithm is obtained by prompting the user unless the |
| B<-k> |
| I<key> |
| option is given. |
| If the key is an argument to the |
| B<des> |
| command, it is potentially visible to users executing |
| ps(1) |
| or a derivative. To minimise this possibility, |
| B<des> |
| takes care to destroy the key argument immediately upon entry. |
| If your shell keeps a history file be careful to make sure it is not |
| world readable. |
| |
| Since this program attempts to maintain compatibility with sunOS's |
| des(1) command, there are 2 different methods used to convert the user |
| supplied key to a des key. |
| Whenever and one or more of |
| B<-E>, B<-D>, B<-C> |
| or |
| B<-3> |
| options are used, the key conversion procedure will not be compatible |
| with the sunOS des(1) version but will use all the user supplied |
| character to generate the des key. |
| B<des> |
| command reads from standard input unless |
| I<input-file> |
| is specified and writes to standard output unless |
| I<output-file> |
| is given. |
| |
| =head1 OPTIONS |
| |
| =over 4 |
| |
| =item B<-b> |
| |
| Select ECB |
| (eight bytes at a time) encryption mode. |
| |
| =item B<-3> |
| |
| Encrypt using triple encryption. |
| By default triple cbc encryption is used but if the |
| B<-b> |
| option is used then triple ECB encryption is performed. |
| If the key is less than 8 characters long, the flag has no effect. |
| |
| =item B<-e> |
| |
| Encrypt data using an 8 byte key in a manner compatible with sunOS |
| des(1). |
| |
| =item B<-E> |
| |
| Encrypt data using a key of nearly unlimited length (1024 bytes). |
| This will product a more secure encryption. |
| |
| =item B<-d> |
| |
| Decrypt data that was encrypted with the B<-e> option. |
| |
| =item B<-D> |
| |
| Decrypt data that was encrypted with the B<-E> option. |
| |
| =item B<-c> |
| |
| Generate a 16 character hexadecimal cbc checksum and output this to |
| stderr. |
| If a filename was specified after the |
| B<-c> |
| option, the checksum is output to that file. |
| The checksum is generated using a key generated in a sunOS compatible |
| manner. |
| |
| =item B<-C> |
| |
| A cbc checksum is generated in the same manner as described for the |
| B<-c> |
| option but the DES key is generated in the same manner as used for the |
| B<-E> |
| and |
| B<-D> |
| options |
| |
| =item B<-f> |
| |
| Does nothing - allowed for compatibility with sunOS des(1) command. |
| |
| =item B<-s> |
| |
| Does nothing - allowed for compatibility with sunOS des(1) command. |
| |
| =item B<-k> I<key> |
| |
| Use the encryption |
| I<key> |
| specified. |
| |
| =item B<-h> |
| |
| The |
| I<key> |
| is assumed to be a 16 character hexadecimal number. |
| If the |
| B<-3> |
| option is used the key is assumed to be a 32 character hexadecimal |
| number. |
| |
| =item B<-u> |
| |
| This flag is used to read and write uuencoded files. If decrypting, |
| the input file is assumed to contain uuencoded, DES encrypted data. |
| If encrypting, the characters following the B<-u> are used as the name of |
| the uuencoded file to embed in the begin line of the uuencoded |
| output. If there is no name specified after the B<-u>, the name text.des |
| will be embedded in the header. |
| |
| =head1 SEE ALSO |
| |
| ps(1), |
| L<des_crypt(3)|des_crypt(3)> |
| |
| =head1 BUGS |
| |
| The problem with using the |
| B<-e> |
| option is the short key length. |
| It would be better to use a real 56-bit key rather than an |
| ASCII-based 56-bit pattern. Knowing that the key was derived from ASCII |
| radically reduces the time necessary for a brute-force cryptographic attack. |
| My attempt to remove this problem is to add an alternative text-key to |
| DES-key function. This alternative function (accessed via |
| B<-E>, B<-D>, B<-S> |
| and |
| B<-3>) |
| uses DES to help generate the key. |
| |
| Be carefully when using the B<-u> option. Doing B<des -ud> I<filename> will |
| not decrypt filename (the B<-u> option will gobble the B<-d> option). |
| |
| The VMS operating system operates in a world where files are always a |
| multiple of 512 bytes. This causes problems when encrypted data is |
| send from Unix to VMS since a 88 byte file will suddenly be padded |
| with 424 null bytes. To get around this problem, use the B<-u> option |
| to uuencode the data before it is send to the VMS system. |
| |
| =head1 AUTHOR |
| |
| Eric Young (eay@cryptsoft.com) |
| |
| =cut |