=pod

=head1 NAME

Modes of DES - the variants of DES and other crypto algorithms of OpenSSL

=head1 DESCRIPTION

Several crypto algorithms for OpenSSL can be used in a number of modes. These
modes let block ciphers be used in a way similar to stream ciphers, among
other things.

=head1 OVERVIEW

=head2 Electronic Codebook Mode (ECB)

Normally, this is found as the function I<algorithm>_ecb_encrypt().

=over 2

=item *

64 bits are enciphered at a time.

=item *

The order of the blocks can be rearranged without detection.

=item *

The same plaintext block always produces the same ciphertext block
(for the same key), making it vulnerable to a 'dictionary attack'.

=item *

An error will only affect one ciphertext block.

=back

=head2 Cipher Block Chaining Mode (CBC)

Normally, this is found as the function I<algorithm>_cbc_encrypt().
Be aware that des_cbc_encrypt() is not really DES CBC (it does
not update the IV); use des_ncbc_encrypt() instead.

=over 2

=item *

A multiple of 64 bits is enciphered at a time.

=item *

The CBC mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable.

=item *

The chaining operation makes the ciphertext blocks dependent on the
current and all preceding plaintext blocks and therefore blocks cannot
be rearranged.

=item *

The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.

=item *

An error will affect the current and the following ciphertext blocks.

=back

=head2 Cipher Feedback Mode (CFB)

Normally, this is found as the function I<algorithm>_cfb_encrypt().

=over 2

=item *

A number of bits (j) <= 64 are enciphered at a time.

=item *

The CFB mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable.

=item *

The chaining operation makes the ciphertext variables dependent on the
current and all preceding variables and therefore j-bit variables are
chained together and cannot be rearranged.

=item *

The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.

=item *

The strength of the CFB mode depends on the size of k (maximal if
j == k). In my implementation this is always the case.

=item *

Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.

=item *

Only multiples of j bits can be enciphered.

=item *

An error will affect the current and the following ciphertext variables.

=back

=head2 Output Feedback Mode (OFB)

Normally, this is found as the function I<algorithm>_ofb_encrypt().

=over 2

=item *

A number of bits (j) <= 64 are enciphered at a time.

=item *

The OFB mode produces the same ciphertext whenever the same
plaintext is enciphered using the same key and starting variable.
Moreover, in the OFB mode the same key stream is produced when the same
key and start variable are used. Consequently, for security reasons
a specific start variable should be used only once for a given key.

=item *

The absence of chaining makes the OFB more vulnerable to specific attacks.

=item *

The use of different start variable values prevents the same
plaintext enciphering to the same ciphertext, by producing different
key streams.

=item *

Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.

=item *

Only multiples of j bits can be enciphered.

=item *

OFB mode of operation does not extend ciphertext errors in the
resultant plaintext output. Every bit error in the ciphertext causes
only one bit to be in error in the deciphered plaintext.

=item *

OFB mode is not self-synchronizing. If the two operations of
encipherment and decipherment get out of synchronism, the system needs
to be re-initialized.

=item *

Each re-initialization should use a value of the start variable
different from the start variable values used before with the same
key. The reason for this is that an identical bit stream would be
produced each time from the same parameters. This would be
susceptible to a 'known plaintext' attack.

=back

=head2 Triple ECB Mode

Normally, this is found as the function I<algorithm>_ecb3_encrypt().

=over 2

=item *

Encrypt with key1, decrypt with key2 and encrypt with key3 again.

=item *

As for ECB encryption but increases the key length to 168 bits.
There are theoretical attacks that reduce the effective
key length to 112 bits, but these attacks also require 2^56 blocks of
memory, which is not very likely, even for the NSA.

=item *

If both keys are the same it is equivalent to encrypting once with
just one key.

=item *

If the first and last key are the same, the key length is 112 bits.
There are attacks that could reduce the effective key strength
to only slightly more than 56 bits, but these require a lot of memory.

=item *

If all 3 keys are the same, this is effectively the same as normal
ECB mode.

=back

=head2 Triple CBC Mode

Normally, this is found as the function I<algorithm>_ede3_cbc_encrypt().

=over 2

=item *

Encrypt with key1, decrypt with key2 and then encrypt with key3.

=item *

As for CBC encryption but increases the key length to 168 bits with
the same restrictions as for triple ECB mode.

=back

=head1 NOTES

This text was written in large part by Eric Young in his original
documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed
it to:

 AS 2805.5.2
 Australian Standard
 Electronic funds transfer - Requirements for interfaces,
 Part 5.2: Modes of operation for an n-bit block cipher algorithm
 Appendix A

=head1 SEE ALSO

L<blowfish(3)|blowfish(3)>, L<des(3)|des(3)>, L<idea(3)|idea(3)>,
L<rc2(3)|rc2(3)>

=cut
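
The ECB, CBC and OFB properties listed in the OVERVIEW, checked in code as an added example (not part of the OpenSSL documentation or library). Assumptions: a toy 4-round Feistel cipher built on SHA-256 stands in for DES, j is fixed at 64 bits, and the key, start variables and plaintexts are constructed values.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the block size used throughout the page

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, block):
    # Constructed 4-round Feistel permutation: a stand-in for DES, not a real cipher.
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return left + right

def blocks(data):
    assert len(data) % BLOCK == 0, "whole 64-bit blocks only"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    return b"".join(encrypt_block(key, b) for b in blocks(pt))

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = encrypt_block(key, xor(b, prev))  # chain on the previous ciphertext block
        out.append(prev)
    return b"".join(out)

def ofb_crypt(key, iv, data):
    # The key stream depends only on key and start variable, so the same
    # function enciphers and deciphers.
    out, feedback = [], iv
    for b in blocks(data):
        feedback = encrypt_block(key, feedback)
        out.append(xor(b, feedback))
    return b"".join(out)

def demo():
    key, iv1, iv2 = b"k" * 8, b"\x00" * 8, b"\x01" * 8  # constructed values
    p1 = b"PAY 0100" * 2 + b"TO ALICE"                  # constructed plaintexts
    p2 = b"PAY 9999" * 2 + b"TO BOB  "
    ecb, cbc = blocks(ecb_encrypt(key, p1)), blocks(cbc_encrypt(key, iv1, p1))
    o1, o2 = ofb_crypt(key, iv1, p1), ofb_crypt(key, iv1, p2)
    damaged = bytes([o1[0] ^ 0x01]) + o1[1:]            # one-bit ciphertext error
    return {
        "ecb_repeats": ecb[0] == ecb[1],
        "ecb_reorder_undetected": ecb_encrypt(key, p1[8:] + p1[:8]) == b"".join(ecb[1:] + ecb[:1]),
        "cbc_repeats": cbc[0] == cbc[1],
        "cbc_new_iv_differs": cbc_encrypt(key, iv2, p1) != b"".join(cbc),
        "ofb_reuse_leaks_xor": xor(o1, o2) == xor(p1, p2),
        "ofb_error_bits": sum(bin(x).count("1") for x in xor(ofb_crypt(key, iv1, damaged), p1)),
    }
```

The `ofb_reuse_leaks_xor` result is why a start variable must be used only once per key: with a repeated start variable the key stream cancels out and the two ciphertexts together reveal the XOR of the two plaintexts.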