| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217 |
- =pod
- =head1 NAME
- des - encrypt or decrypt data using Data Encryption Standard
- =head1 SYNOPSIS
- B<des>
- (
- B<-e>
- |
- B<-E>
- ) | (
- B<-d>
- |
- B<-D>
- ) | (
- B<->[B<cC>][B<ckname>]
- ) |
- [
- B<-b3hfs>
- ] [
- B<-k>
- I<key>
- ]
- ] [
- B<-u>[I<uuname>]
- [
- I<input-file>
- [
- I<output-file>
- ] ]
- =head1 NOTE
- This page describes the B<des> stand-alone program, not the B<openssl des>
- command.
- =head1 DESCRIPTION
- B<des>
- encrypts and decrypts data using the
- Data Encryption Standard algorithm.
- One of
- B<-e>, B<-E>
- (for encrypt) or
- B<-d>, B<-D>
- (for decrypt) must be specified.
- It is also possible to use
- B<-c>
- or
- B<-C>
- in conjunction or instead of the a encrypt/decrypt option to generate
- a 16 character hexadecimal checksum, generated via the
- I<des_cbc_cksum>.
- Two standard encryption modes are supported by the
- B<des>
- program, Cipher Block Chaining (the default) and Electronic Code Book
- (specified with
- B<-b>).
- The key used for the DES
- algorithm is obtained by prompting the user unless the
- B<-k>
- I<key>
- option is given.
- If the key is an argument to the
- B<des>
- command, it is potentially visible to users executing
- ps(1)
- or a derivative. To minimise this possibility,
- B<des>
- takes care to destroy the key argument immediately upon entry.
- If your shell keeps a history file be careful to make sure it is not
- world readable.
- Since this program attempts to maintain compatibility with sunOS's
- des(1) command, there are 2 different methods used to convert the user
- supplied key to a des key.
- Whenever and one or more of
- B<-E>, B<-D>, B<-C>
- or
- B<-3>
- options are used, the key conversion procedure will not be compatible
- with the sunOS des(1) version but will use all the user supplied
- character to generate the des key.
- B<des>
- command reads from standard input unless
- I<input-file>
- is specified and writes to standard output unless
- I<output-file>
- is given.
- =head1 OPTIONS
- =over 4
- =item B<-b>
- Select ECB
- (eight bytes at a time) encryption mode.
- =item B<-3>
- Encrypt using triple encryption.
- By default triple cbc encryption is used but if the
- B<-b>
- option is used then triple ECB encryption is performed.
- If the key is less than 8 characters long, the flag has no effect.
- =item B<-e>
- Encrypt data using an 8 byte key in a manner compatible with sunOS
- des(1).
- =item B<-E>
- Encrypt data using a key of nearly unlimited length (1024 bytes).
- This will product a more secure encryption.
- =item B<-d>
- Decrypt data that was encrypted with the B<-e> option.
- =item B<-D>
- Decrypt data that was encrypted with the B<-E> option.
- =item B<-c>
- Generate a 16 character hexadecimal cbc checksum and output this to
- stderr.
- If a filename was specified after the
- B<-c>
- option, the checksum is output to that file.
- The checksum is generated using a key generated in a sunOS compatible
- manner.
- =item B<-C>
- A cbc checksum is generated in the same manner as described for the
- B<-c>
- option but the DES key is generated in the same manner as used for the
- B<-E>
- and
- B<-D>
- options
- =item B<-f>
- Does nothing - allowed for compatibility with sunOS des(1) command.
- =item B<-s>
- Does nothing - allowed for compatibility with sunOS des(1) command.
- =item B<-k> I<key>
- Use the encryption
- I<key>
- specified.
- =item B<-h>
- The
- I<key>
- is assumed to be a 16 character hexadecimal number.
- If the
- B<-3>
- option is used the key is assumed to be a 32 character hexadecimal
- number.
- =item B<-u>
- This flag is used to read and write uuencoded files. If decrypting,
- the input file is assumed to contain uuencoded, DES encrypted data.
- If encrypting, the characters following the B<-u> are used as the name of
- the uuencoded file to embed in the begin line of the uuencoded
- output. If there is no name specified after the B<-u>, the name text.des
- will be embedded in the header.
- =head1 SEE ALSO
- ps(1),
- L<des_crypt(3)|des_crypt(3)>
- =head1 BUGS
- The problem with using the
- B<-e>
- option is the short key length.
- It would be better to use a real 56-bit key rather than an
- ASCII-based 56-bit pattern. Knowing that the key was derived from ASCII
- radically reduces the time necessary for a brute-force cryptographic attack.
- My attempt to remove this problem is to add an alternative text-key to
- DES-key function. This alternative function (accessed via
- B<-E>, B<-D>, B<-S>
- and
- B<-3>)
- uses DES to help generate the key.
- Be carefully when using the B<-u> option. Doing B<des -ud> I<filename> will
- not decrypt filename (the B<-u> option will gobble the B<-d> option).
- The VMS operating system operates in a world where files are always a
- multiple of 512 bytes. This causes problems when encrypted data is
- send from Unix to VMS since a 88 byte file will suddenly be padded
- with 424 null bytes. To get around this problem, use the B<-u> option
- to uuencode the data before it is send to the VMS system.
- =head1 AUTHOR
- Eric Young (eay@cryptsoft.com)
- =cut
|
