1*4724848cSchristos=pod 2*4724848cSchristos 3*4724848cSchristos=head1 NAME 4*4724848cSchristos 5*4724848cSchristosdes_modes - the variants of DES and other crypto algorithms of OpenSSL 6*4724848cSchristos 7*4724848cSchristos=head1 DESCRIPTION 8*4724848cSchristos 9*4724848cSchristosSeveral crypto algorithms for OpenSSL can be used in a number of modes. Those 10*4724848cSchristosare used for using block ciphers in a way similar to stream ciphers, among 11*4724848cSchristosother things. 12*4724848cSchristos 13*4724848cSchristos=head1 OVERVIEW 14*4724848cSchristos 15*4724848cSchristos=head2 Electronic Codebook Mode (ECB) 16*4724848cSchristos 17*4724848cSchristosNormally, this is found as the function I<algorithm>_ecb_encrypt(). 18*4724848cSchristos 19*4724848cSchristos=over 2 20*4724848cSchristos 21*4724848cSchristos=item * 22*4724848cSchristos 23*4724848cSchristos64 bits are enciphered at a time. 24*4724848cSchristos 25*4724848cSchristos=item * 26*4724848cSchristos 27*4724848cSchristosThe order of the blocks can be rearranged without detection. 28*4724848cSchristos 29*4724848cSchristos=item * 30*4724848cSchristos 31*4724848cSchristosThe same plaintext block always produces the same ciphertext block 32*4724848cSchristos(for the same key) making it vulnerable to a 'dictionary attack'. 33*4724848cSchristos 34*4724848cSchristos=item * 35*4724848cSchristos 36*4724848cSchristosAn error will only affect one ciphertext block. 37*4724848cSchristos 38*4724848cSchristos=back 39*4724848cSchristos 40*4724848cSchristos=head2 Cipher Block Chaining Mode (CBC) 41*4724848cSchristos 42*4724848cSchristosNormally, this is found as the function I<algorithm>_cbc_encrypt(). 43*4724848cSchristosBe aware that des_cbc_encrypt() is not really DES CBC (it does 44*4724848cSchristosnot update the IV); use des_ncbc_encrypt() instead. 45*4724848cSchristos 46*4724848cSchristos=over 2 47*4724848cSchristos 48*4724848cSchristos=item * 49*4724848cSchristos 50*4724848cSchristosa multiple of 64 bits are enciphered at a time. 51*4724848cSchristos 52*4724848cSchristos=item * 53*4724848cSchristos 54*4724848cSchristosThe CBC mode produces the same ciphertext whenever the same 55*4724848cSchristosplaintext is encrypted using the same key and starting variable. 56*4724848cSchristos 57*4724848cSchristos=item * 58*4724848cSchristos 59*4724848cSchristosThe chaining operation makes the ciphertext blocks dependent on the 60*4724848cSchristoscurrent and all preceding plaintext blocks and therefore blocks can not 61*4724848cSchristosbe rearranged. 62*4724848cSchristos 63*4724848cSchristos=item * 64*4724848cSchristos 65*4724848cSchristosThe use of different starting variables prevents the same plaintext 66*4724848cSchristosenciphering to the same ciphertext. 67*4724848cSchristos 68*4724848cSchristos=item * 69*4724848cSchristos 70*4724848cSchristosAn error will affect the current and the following ciphertext blocks. 71*4724848cSchristos 72*4724848cSchristos=back 73*4724848cSchristos 74*4724848cSchristos=head2 Cipher Feedback Mode (CFB) 75*4724848cSchristos 76*4724848cSchristosNormally, this is found as the function I<algorithm>_cfb_encrypt(). 77*4724848cSchristos 78*4724848cSchristos=over 2 79*4724848cSchristos 80*4724848cSchristos=item * 81*4724848cSchristos 82*4724848cSchristosa number of bits (j) <= 64 are enciphered at a time. 83*4724848cSchristos 84*4724848cSchristos=item * 85*4724848cSchristos 86*4724848cSchristosThe CFB mode produces the same ciphertext whenever the same 87*4724848cSchristosplaintext is encrypted using the same key and starting variable. 88*4724848cSchristos 89*4724848cSchristos=item * 90*4724848cSchristos 91*4724848cSchristosThe chaining operation makes the ciphertext variables dependent on the 92*4724848cSchristoscurrent and all preceding variables and therefore j-bit variables are 93*4724848cSchristoschained together and can not be rearranged. 94*4724848cSchristos 95*4724848cSchristos=item * 96*4724848cSchristos 97*4724848cSchristosThe use of different starting variables prevents the same plaintext 98*4724848cSchristosenciphering to the same ciphertext. 99*4724848cSchristos 100*4724848cSchristos=item * 101*4724848cSchristos 102*4724848cSchristosThe strength of the CFB mode depends on the size of k (maximal if 103*4724848cSchristosj == k). In my implementation this is always the case. 104*4724848cSchristos 105*4724848cSchristos=item * 106*4724848cSchristos 107*4724848cSchristosSelection of a small value for j will require more cycles through 108*4724848cSchristosthe encipherment algorithm per unit of plaintext and thus cause 109*4724848cSchristosgreater processing overheads. 110*4724848cSchristos 111*4724848cSchristos=item * 112*4724848cSchristos 113*4724848cSchristosOnly multiples of j bits can be enciphered. 114*4724848cSchristos 115*4724848cSchristos=item * 116*4724848cSchristos 117*4724848cSchristosAn error will affect the current and the following ciphertext variables. 118*4724848cSchristos 119*4724848cSchristos=back 120*4724848cSchristos 121*4724848cSchristos=head2 Output Feedback Mode (OFB) 122*4724848cSchristos 123*4724848cSchristosNormally, this is found as the function I<algorithm>_ofb_encrypt(). 124*4724848cSchristos 125*4724848cSchristos=over 2 126*4724848cSchristos 127*4724848cSchristos=item * 128*4724848cSchristos 129*4724848cSchristosa number of bits (j) <= 64 are enciphered at a time. 130*4724848cSchristos 131*4724848cSchristos=item * 132*4724848cSchristos 133*4724848cSchristosThe OFB mode produces the same ciphertext whenever the same 134*4724848cSchristosplaintext enciphered using the same key and starting variable. More 135*4724848cSchristosover, in the OFB mode the same key stream is produced when the same 136*4724848cSchristoskey and start variable are used. Consequently, for security reasons 137*4724848cSchristosa specific start variable should be used only once for a given key. 138*4724848cSchristos 139*4724848cSchristos=item * 140*4724848cSchristos 141*4724848cSchristosThe absence of chaining makes the OFB more vulnerable to specific attacks. 142*4724848cSchristos 143*4724848cSchristos=item * 144*4724848cSchristos 145*4724848cSchristosThe use of different start variables values prevents the same 146*4724848cSchristosplaintext enciphering to the same ciphertext, by producing different 147*4724848cSchristoskey streams. 148*4724848cSchristos 149*4724848cSchristos=item * 150*4724848cSchristos 151*4724848cSchristosSelection of a small value for j will require more cycles through 152*4724848cSchristosthe encipherment algorithm per unit of plaintext and thus cause 153*4724848cSchristosgreater processing overheads. 154*4724848cSchristos 155*4724848cSchristos=item * 156*4724848cSchristos 157*4724848cSchristosOnly multiples of j bits can be enciphered. 158*4724848cSchristos 159*4724848cSchristos=item * 160*4724848cSchristos 161*4724848cSchristosOFB mode of operation does not extend ciphertext errors in the 162*4724848cSchristosresultant plaintext output. Every bit error in the ciphertext causes 163*4724848cSchristosonly one bit to be in error in the deciphered plaintext. 164*4724848cSchristos 165*4724848cSchristos=item * 166*4724848cSchristos 167*4724848cSchristosOFB mode is not self-synchronizing. If the two operation of 168*4724848cSchristosencipherment and decipherment get out of synchronism, the system needs 169*4724848cSchristosto be re-initialized. 170*4724848cSchristos 171*4724848cSchristos=item * 172*4724848cSchristos 173*4724848cSchristosEach re-initialization should use a value of the start variable 174*4724848cSchristosdifferent from the start variable values used before with the same 175*4724848cSchristoskey. The reason for this is that an identical bit stream would be 176*4724848cSchristosproduced each time from the same parameters. This would be 177*4724848cSchristossusceptible to a 'known plaintext' attack. 178*4724848cSchristos 179*4724848cSchristos=back 180*4724848cSchristos 181*4724848cSchristos=head2 Triple ECB Mode 182*4724848cSchristos 183*4724848cSchristosNormally, this is found as the function I<algorithm>_ecb3_encrypt(). 184*4724848cSchristos 185*4724848cSchristos=over 2 186*4724848cSchristos 187*4724848cSchristos=item * 188*4724848cSchristos 189*4724848cSchristosEncrypt with key1, decrypt with key2 and encrypt with key3 again. 190*4724848cSchristos 191*4724848cSchristos=item * 192*4724848cSchristos 193*4724848cSchristosAs for ECB encryption but increases the key length to 168 bits. 194*4724848cSchristosThere are theoretic attacks that can be used that make the effective 195*4724848cSchristoskey length 112 bits, but this attack also requires 2^56 blocks of 196*4724848cSchristosmemory, not very likely, even for the NSA. 197*4724848cSchristos 198*4724848cSchristos=item * 199*4724848cSchristos 200*4724848cSchristosIf both keys are the same it is equivalent to encrypting once with 201*4724848cSchristosjust one key. 202*4724848cSchristos 203*4724848cSchristos=item * 204*4724848cSchristos 205*4724848cSchristosIf the first and last key are the same, the key length is 112 bits. 206*4724848cSchristosThere are attacks that could reduce the effective key strength 207*4724848cSchristosto only slightly more than 56 bits, but these require a lot of memory. 208*4724848cSchristos 209*4724848cSchristos=item * 210*4724848cSchristos 211*4724848cSchristosIf all 3 keys are the same, this is effectively the same as normal 212*4724848cSchristosecb mode. 213*4724848cSchristos 214*4724848cSchristos=back 215*4724848cSchristos 216*4724848cSchristos=head2 Triple CBC Mode 217*4724848cSchristos 218*4724848cSchristosNormally, this is found as the function I<algorithm>_ede3_cbc_encrypt(). 219*4724848cSchristos 220*4724848cSchristos=over 2 221*4724848cSchristos 222*4724848cSchristos=item * 223*4724848cSchristos 224*4724848cSchristosEncrypt with key1, decrypt with key2 and then encrypt with key3. 225*4724848cSchristos 226*4724848cSchristos=item * 227*4724848cSchristos 228*4724848cSchristosAs for CBC encryption but increases the key length to 168 bits with 229*4724848cSchristosthe same restrictions as for triple ecb mode. 230*4724848cSchristos 231*4724848cSchristos=back 232*4724848cSchristos 233*4724848cSchristos=head1 NOTES 234*4724848cSchristos 235*4724848cSchristosThis text was been written in large parts by Eric Young in his original 236*4724848cSchristosdocumentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed 237*4724848cSchristosit to: 238*4724848cSchristos 239*4724848cSchristos AS 2805.5.2 240*4724848cSchristos Australian Standard 241*4724848cSchristos Electronic funds transfer - Requirements for interfaces, 242*4724848cSchristos Part 5.2: Modes of operation for an n-bit block cipher algorithm 243*4724848cSchristos Appendix A 244*4724848cSchristos 245*4724848cSchristos=head1 SEE ALSO 246*4724848cSchristos 247*4724848cSchristosL<BF_encrypt(3)>, L<DES_crypt(3)> 248*4724848cSchristos 249*4724848cSchristos=head1 COPYRIGHT 250*4724848cSchristos 251*4724848cSchristosCopyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved. 252*4724848cSchristos 253*4724848cSchristosLicensed under the OpenSSL license (the "License"). You may not use 254*4724848cSchristosthis file except in compliance with the License. You can obtain a copy 255*4724848cSchristosin the file LICENSE in the source distribution or at 256*4724848cSchristosL<https://www.openssl.org/source/license.html>. 257*4724848cSchristos 258*4724848cSchristos=cut 259