xref: /netbsd-src/crypto/external/bsd/openssl.old/lib/libdes/des_modes.pod (revision c9496f6b604074a9451a67df576a5b423068e71e)
=pod

=head1 NAME

Modes of DES - the variants of DES and other crypto algorithms of OpenSSL

=head1 DESCRIPTION

Several crypto algorithms for OpenSSL can be used in a number of modes.  Among
other things, these modes allow block ciphers to be used in a way similar to
stream ciphers.

=head1 OVERVIEW

=head2 Electronic Codebook Mode (ECB)

Normally, this is found as the function I<algorithm>_ecb_encrypt().

=over 2

=item *

64 bits are enciphered at a time.

=item *

The order of the blocks can be rearranged without detection.

=item *

The same plaintext block always produces the same ciphertext block
(for the same key), making it vulnerable to a 'dictionary attack'.

=item *

An error will only affect one ciphertext block.

=back

=head2 Cipher Block Chaining Mode (CBC)

Normally, this is found as the function I<algorithm>_cbc_encrypt().
Be aware that des_cbc_encrypt() is not really DES CBC (it does
not update the IV); use des_ncbc_encrypt() instead.

=over 2

=item *

A multiple of 64 bits is enciphered at a time.

=item *

The CBC mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable.

=item *

The chaining operation makes the ciphertext blocks dependent on the
current and all preceding plaintext blocks and therefore blocks cannot
be rearranged.

=item *

The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.

=item *

An error will affect the current and the following ciphertext blocks.

=back
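
The ECB and CBC properties listed above, and the effect of a CBC routine that does not update the IV between calls, shown as an added example that is not part of the original documentation or of OpenSSL. It assumes a small Feistel network as a stand-in for DES; every function name in it is hypothetical and no libdes routine is called.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, as in DES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in cipher (constructed for this example, not DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):            # 4-round Feistel network
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):  # undo the rounds in reverse order
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, data, op=enc_block):
    return b"".join(op(key, b) for b in blocks(data))

def cbc_encrypt(key, iv, pt):
    # Returns (ciphertext, next_iv). next_iv is the last ciphertext block: the
    # value an IV-updating routine leaves behind for the next call.
    out, prev = [], iv
    for b in blocks(pt):
        prev = enc_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out), prev

def demo():
    key, iv = b"constructed-key", bytes(BLOCK)
    pt = b"PAY 100 " * 2 + b"TO ALICE"   # constructed sample: 3 blocks, 2 equal
    e = blocks(ecb(key, pt))
    reordered = ecb(key, e[2] + e[0] + e[1], dec_block)
    one_shot = cbc_encrypt(key, iv, pt)[0]
    first, next_iv = cbc_encrypt(key, iv, pt[:BLOCK])
    carried = first + cbc_encrypt(key, next_iv, pt[BLOCK:])[0]  # IV updated
    stale = first + cbc_encrypt(key, iv, pt[BLOCK:])[0]         # IV reused
    return e, reordered, one_shot, carried, stale
```

In the tuple returned by demo(), the first two ECB blocks are identical and the reordered ECB ciphertext decrypts cleanly to reordered plaintext. The two-call CBC encryption matches the one-shot result only when the IV is carried forward; with the stale IV the repeated plaintext block shows up again as a repeated ciphertext block.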

=head2 Cipher Feedback Mode (CFB)

Normally, this is found as the function I<algorithm>_cfb_encrypt().

=over 2

=item *

A number of bits (j) <= 64 are enciphered at a time.

=item *

The CFB mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable.

=item *

The chaining operation makes the ciphertext variables dependent on the
current and all preceding variables and therefore j-bit variables are
chained together and cannot be rearranged.

=item *

The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.

=item *

The strength of the CFB mode depends on the size of k (maximal if
j == k).  In my implementation this is always the case.

=item *

Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.

=item *

Only multiples of j bits can be enciphered.

=item *

An error will affect the current and the following ciphertext variables.

=back

=head2 Output Feedback Mode (OFB)

Normally, this is found as the function I<algorithm>_ofb_encrypt().

=over 2

=item *

A number of bits (j) <= 64 are enciphered at a time.

=item *

The OFB mode produces the same ciphertext whenever the same
plaintext is enciphered using the same key and starting variable.
Moreover, in the OFB mode the same key stream is produced when the same
key and start variable are used.  Consequently, for security reasons
a specific start variable should be used only once for a given key.

=item *

The absence of chaining makes the OFB more vulnerable to specific attacks.

=item *

The use of different start variable values prevents the same
plaintext enciphering to the same ciphertext, by producing different
key streams.

=item *

Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.

=item *

Only multiples of j bits can be enciphered.

=item *

OFB mode of operation does not extend ciphertext errors in the
resultant plaintext output.  Every bit error in the ciphertext causes
only one bit to be in error in the deciphered plaintext.

=item *

OFB mode is not self-synchronizing.  If the two operations of
encipherment and decipherment get out of synchronism, the system needs
to be re-initialized.

=item *

Each re-initialization should use a value of the start variable
different from the start variable values used before with the same
key.  The reason for this is that an identical bit stream would be
produced each time from the same parameters.  This would be
susceptible to a 'known plaintext' attack.

=back
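
Why a start variable must be used only once per key in OFB, and why a ciphertext bit error damages exactly one plaintext bit, shown as an added example that is not part of the original documentation or of OpenSSL. It assumes j = 64 and a keyed hash as a stand-in for DES encryption; all function names are hypothetical.

```python
import hashlib

def block_fn(key, block):
    # Keyed 64-bit function standing in for DES encryption (constructed for
    # this example). OFB only ever runs the cipher in the forward direction.
    return hashlib.sha256(key + block).digest()[:8]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ofb(key, iv, data):
    # Full-block OFB: the key stream is E(iv), E(E(iv)), ... and never depends
    # on the data, so the same call both enciphers and deciphers.
    out, state = bytearray(), iv
    for i in range(0, len(data), 8):
        state = block_fn(key, state)
        out += xor(data[i:i + 8], state)
    return bytes(out)

def reuse_leak(key, iv, known_pt, other_pt):
    # Two messages under the same key and start variable share a key stream.
    # One known plaintext is enough to read the other from the ciphertexts.
    c1, c2 = ofb(key, iv, known_pt), ofb(key, iv, other_pt)
    key_stream = xor(c1, known_pt)
    return xor(c2, key_stream)

def bit_error(key, iv, pt, bit):
    # Flip one ciphertext bit and count the plaintext bits that change.
    ct = bytearray(ofb(key, iv, pt))
    ct[bit // 8] ^= 1 << (bit % 8)
    damaged = ofb(key, iv, bytes(ct))
    return sum(bin(a ^ b).count("1") for a, b in zip(pt, damaged))

def fresh_iv_differs(key, pt):
    # A different start variable produces a different key stream.
    return ofb(key, bytes(8), pt) != ofb(key, bytes(7) + b"\x01", pt)
```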

=head2 Triple ECB Mode

Normally, this is found as the function I<algorithm>_ecb3_encrypt().

=over 2

=item *

Encrypt with key1, decrypt with key2 and encrypt with key3 again.

=item *

As for ECB encryption but increases the key length to 168 bits.
There are theoretic attacks that can be used that make the effective
key length 112 bits, but these attacks also require 2^56 blocks of
memory, not very likely, even for the NSA.

=item *

If both keys are the same it is equivalent to encrypting once with
just one key.

=item *

If the first and last key are the same, the key length is 112 bits.
There are attacks that could reduce the effective key strength
to only slightly more than 56 bits, but these require a lot of memory.

=item *

If all 3 keys are the same, this is effectively the same as normal
ECB mode.

=back

=head2 Triple CBC Mode

Normally, this is found as the function I<algorithm>_ede3_cbc_encrypt().

=over 2

=item *

Encrypt with key1, decrypt with key2 and then encrypt with key3.

=item *

As for CBC encryption but increases the key length to 168 bits with
the same restrictions as for triple ECB mode.

=back

=head1 NOTES

This text was written in large part by Eric Young in his original
documentation for SSLeay, the predecessor of OpenSSL.  In turn, he attributed
it to:

	AS 2805.5.2
	Australian Standard
	Electronic funds transfer - Requirements for interfaces,
	Part 5.2: Modes of operation for an n-bit block cipher algorithm
	Appendix A

=head1 SEE ALSO

L<blowfish(3)|blowfish(3)>, L<des(3)|des(3)>, L<idea(3)|idea(3)>,
L<rc2(3)|rc2(3)>

=cut
