unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-4.1.3)
Page:
Section:
Apropos / Subsearch:
optional field

DES(1)                      General Commands Manual                     DES(1)



NAME
       des - encrypt or decrypt data using Data Encryption Standard

SYNOPSIS
       des -e | -d [ -bfs ] [ -k key ] [ input-file [ output-file ] ]

DESCRIPTION
       des  encrypts  and decrypts data using the NBS Data Encryption Standard
       algorithm.  One of -e (for encrypt) or -d (for decrypt) must be  speci-
       fied.

       The  des  command  is  provided to promote secure exchange of data in a
       standard fashion.

       Two standard encryption modes are supported by the des program,  Cipher
       Block  Chaining  (CBC  -- the default) and Electronic Code Book (ECB --
       specified with -b).  CBC mode treats  an  entire  file  as  a  unit  of
       encryption,  that  is,  if  insertions  or  deletions  are  made to the
       encrypted file then decryption will not succeed.  CBC mode also ensures
       that  regularities  in  clear data do not appear in the encrypted data.
       ECB mode treats each 8 bytes as units of encryptions, so  if  parts  of
       the  encrypted  file  are  modified  then  other  parts  may  still  be
       decrypted.  Identical values of clear text encrypt to identical  values
       of cipher text.

       The  key  used  for the DES algorithm is obtained by prompting the user
       unless the `-k key' option is given.  If the key is an argument to  the
       des  command,  it  is potentially visible to users executing ps(1) or a
       derivative.  To minimize this possibility, des takes  care  to  destroy
       the key argument immediately upon entry.

       The  des command attempts to use DES hardware for its job, but will use
       a software implementation of the  DES  algorithm  if  the  hardware  is
       unavailable.   Normally,  a warning message is printed if the DES hard-
       ware is unavailable since the software is only about  1/50th  as  fast.
       However, the -f option will suppress the warning.  The -s option may be
       used to force use of software instead of hardware DES.

       The des command reads from standard input unless input-file  is  speci-
       fied and writes to standard output unless output-file is given.

       The  following sections give information required to implement compati-
       ble facilities in other environments.

       Since the CBC and ECB modes of DES require  units  of  8  bytes  to  be
       encrypted,  files  being encrypted by the des command have 1 to 8 bytes
       appended to them to cause them to be a multiple of 8 bytes.   The  last
       byte,  when  decrypted, gives the number of bytes (0 to 7) which are to
       be saved of the last 8 bytes.  The other bytes of those appended to the
       input  are randomized before encryption.  If, when decrypting, the last
       byte is not in the range of 0 to 7 then either the encrypted  file  has
       been  corrupted  or an incorrect key was provided for decryption and an
       error message is printed.

       The DES algorithm requires an 8 byte  key  whose  low  order  bits  are
       assumed  to  be odd-parity bits.  The ASCII key supplied by the user is
       zero padded to 8 bytes and the high order bits are set to be odd-parity
       bits.  The DES algorithm then ignores the low bit of each ASCII charac-
       ter, but that bit's information has been preserved in the high bit  due
       to the parity.

       The CBC mode of operation always uses an initial value of all zeros for
       the initialization vector, so the first 8 bytes of a file are encrypted
       the same whether in CBC or ECB mode.

OPTIONS
       -b     Select ECB (eight bytes at a time) encryption mode.

       -d     Decrypt data.

       -e     Encrypt data.

       -f     Suppress warning message when software implementation is used.

       -s     Select software implementation for the encryption algorithm.

       -k key Use the encryption key specified.

FILES
       /dev/des?

SEE ALSO
       ps(1)

BUGS
       It  would be better to use a real 56-bit key rather than an ASCII-based
       56-bit pattern.  Knowing that the key was derived from ASCII  radically
       reduces the time necessary for a brute-force cryptographic attack.

RESTRICTIONS
       Software  encryption  is  disabled  for programs shipped outside of the
       U.S.  The program will still be able to encrypt files if one can obtain
       an encryption chip, legally or otherwise.



                               9 September 1987                         DES(1)