User Commands des(1)
NAME
des - encrypt or decrypt data using Data Encryption Standard
SYNOPSIS
des -e -d [-bfs] [-k key] [input-file [output-file]
DESCRIPTION
des encrypts and decrypts data using the NBS Data Encryption
Standard algorithm. One of -e (for encrypt) or -d (for
decrypt) must be specified.
The des command is provided to promote secure exchange of
data in a standard fashion.
Two standard encryption modes are supported by the des pro-
gram, Cipher Block Chaining (CBC - the default) and Elec-
tronic Code Book (ECB - specified with -b). CBC mode treats
an entire file as a unit of encryption, that is, if inser-
tions or deletions are made to the encrypted file then
decryption will not succeed. CBC mode also ensures that
regularities in clear data do not appear in the encrypted
data. ECB mode treats each 8 bytes as units of encryptions,
so if parts of the encrypted file are modified then other
parts may still be decrypted. Identical values of clear text
encrypt to identical values of cipher text.
The key used for the DES algorithm is obtained by prompting
the user unless the `-k key' option is given. If the key is
an argument to the des command, it is potentially visible to
users executing ps(1) or a derivative. To minimize this
possibility, des takes care to destroy the key argument
immediately upon entry.
The des command attempts to use DES hardware for its job,
but will use a software implementation of the DES algorithm
if the hardware is unavailable. Normally, a warning message
is printed if the DES hardware is unavailable since the
software is only about 1/50th as fast. However, the -f
option will suppress the warning. The -s option may be used
to force use of software instead of hardware DES.
The des command reads from standard input unless input-file
is specified and writes to standard output unless output-
file is given.
SunOS 5.11 Last change: 3 Mar 2008 1
User Commands des(1)
The following sections give information required to imple-
ment compatible facilities in other environments.
Since the CBC and ECB modes of DES require units of 8 bytes
to be encrypted, files being encrypted by the des command
have 1 to 8 bytes appended to them to cause them to be a
multiple of 8 bytes. The last byte, when decrypted, gives
the number of bytes (0 to 7) which are to be saved of the
last 8 bytes. The other bytes of those appended to the input
are randomized before encryption. If, when decrypting, the
last byte is not in the range of 0 to 7 then either the
encrypted file has been corrupted or an incorrect key was
provided for decryption and an error message is printed.
The DES algorithm requires an 8 byte key whose low order
bits are assumed to be odd-parity bits. The ASCI key sup-
plied by the user is zero padded to 8 bytes and the high
order bits are set to be odd-parity bits. The DES algorithm
then ignores the low bit of each ASCI character, but that
bit's information has been preserved in the high bit due to
the parity.
The CBC mode of operation always uses an initial value of
all zeros for the initialization vector, so the first 8
bytes of a file are encrypted the same whether in CBC or ECB
mode.
OPTIONS
-b Select ECB (eight bytes at a time) encryption mode.
-d Decrypt data.
-e Encrypt data.
-f Suppress warning message when software implementa-
tion is used.
-s Select software implementation for the encryption
algorithm.
-kkey Use the encryption key specified.
SunOS 5.11 Last change: 3 Mar 2008 2
User Commands des(1)
FILES
/dev/des?
SEE ALSO
ps(1)
BUGS
It would be better to use a real 56-bit key rather than an
ASCI-based 56-bit pattern. Knowing that the key was
derived from ASCI radically reduces the time necessary for
a brute-force cryptographic attack.
SunOS 5.11 Last change: 3 Mar 2008 3
|
