=pod

=head1 NAME

des - encrypt or decrypt data using Data Encryption Standard

=head1 SYNOPSIS

B<des>
(
B<-e>
|
B<-E>
) | (
B<-d>
|
B<-D>
) | (
B<->[B<cC>][B<ckname>]
) |
[
B<-b3hfs>
] [
B<-k>
I<key>
]
] [
B<-u>[I<uuname>]
[
I<input-file>
[
I<output-file>
] ]

=head1 NOTE

This page describes the B<des> stand-alone program, not the B<openssl des>
command.

=head1 DESCRIPTION

B<des>
encrypts and decrypts data using the
Data Encryption Standard algorithm.
One of
B<-e>, B<-E>
(for encrypt) or
B<-d>, B<-D>
(for decrypt) must be specified.
It is also possible to use
B<-c>
or
B<-C>
in conjunction with or instead of an encrypt/decrypt option to generate
a 16 character hexadecimal checksum, generated via
I<des_cbc_cksum>.

Two standard encryption modes are supported by the
B<des>
program, Cipher Block Chaining (the default) and Electronic Code Book
(specified with
B<-b>).

The key used for the DES
algorithm is obtained by prompting the user unless the
B<-k>
I<key>
option is given.
If the key is an argument to the
B<des>
command, it is potentially visible to users executing
ps(1)
or a derivative. To minimise this possibility,
B<des>
takes care to destroy the key argument immediately upon entry.
If your shell keeps a history file, be careful to make sure it is not
world readable.

Since this program attempts to maintain compatibility with SunOS's
des(1) command, there are 2 different methods used to convert the
user-supplied key to a DES key.
Whenever one or more of the
B<-E>, B<-D>, B<-C>
or
B<-3>
options are used, the key conversion procedure will not be compatible
with the SunOS des(1) version but will use all the user-supplied
characters to generate the DES key.
The
B<des>
command reads from standard input unless
I<input-file>
is specified and writes to standard output unless
I<output-file>
is given.
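
The destruction of the key argument described above, shown as an added C example that is not the des program's own code. The helper names C<take_key_arg> and C<scrub> are hypothetical, and the key is assumed to follow B<-k> as a separate argument.

```c
/* Added example, not code from the des program: copy a key given as
 * "-k key" into private storage, then overwrite the argv string so
 * tools that read the process arguments no longer see it. */
#include <stdio.h>
#include <string.h>

#define KEY_MAX 1024 /* the 1024-byte limit the page quotes for -E */

/* Write through a volatile pointer so the stores are not optimised away. */
static void scrub(char *p, size_t len)
{
    volatile char *vp = p;
    while (len--)
        *vp++ = '\0';
}

/* take_key_arg (hypothetical helper): copy the argument after "-k" into
 * out (truncated to outsz-1, NUL-terminated) and wipe the original.
 * Returns the number of key bytes kept, or -1 if there is no "-k key". */
int take_key_arg(int argc, char **argv, char *out, size_t outsz)
{
    if (outsz == 0)
        return -1;
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-k") != 0)
            continue;
        size_t len = strlen(argv[i + 1]);
        size_t n = len < outsz - 1 ? len : outsz - 1;
        memcpy(out, argv[i + 1], n);
        out[n] = '\0';
        scrub(argv[i + 1], len); /* wipe all of it, even if truncated */
        return (int)n;
    }
    return -1;
}

int main(int argc, char **argv)
{
    char key[KEY_MAX + 1];
    int n = take_key_arg(argc, argv, key, sizeof key);
    if (n < 0) {
        fprintf(stderr, "usage: %s -k key\n", argv[0]);
        return 1;
    }
    printf("kept %d key bytes, argv copy wiped\n", n);
    scrub(key, sizeof key); /* wipe the private copy once finished */
    return 0;
}
```

Scrubbing only narrows the exposure: the key is readable from process start until the overwrite runs, and the shell history still holds the command line, which is why prompting for the key is the safer path.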

=head1 OPTIONS

=over 4

=item B<-b>

Select ECB
(eight bytes at a time) encryption mode.

=item B<-3>

Encrypt using triple encryption.
By default triple CBC encryption is used but if the
B<-b>
option is used then triple ECB encryption is performed.
If the key is less than 8 characters long, the flag has no effect.

=item B<-e>

Encrypt data using an 8 byte key in a manner compatible with SunOS
des(1).

=item B<-E>

Encrypt data using a key of nearly unlimited length (1024 bytes).
This will produce a more secure encryption.

=item B<-d>

Decrypt data that was encrypted with the B<-e> option.

=item B<-D>

Decrypt data that was encrypted with the B<-E> option.

=item B<-c>

Generate a 16 character hexadecimal CBC checksum and output this to
stderr.
If a filename was specified after the
B<-c>
option, the checksum is output to that file.
The checksum is generated using a key generated in a SunOS compatible
manner.

=item B<-C>

A CBC checksum is generated in the same manner as described for the
B<-c>
option but the DES key is generated in the same manner as used for the
B<-E>
and
B<-D>
options.

=item B<-f>

Does nothing - allowed for compatibility with SunOS des(1) command.

=item B<-s>

Does nothing - allowed for compatibility with SunOS des(1) command.

=item B<-k> I<key>

Use the encryption
I<key>
specified.

=item B<-h>

The
I<key>
is assumed to be a 16 character hexadecimal number.
If the
B<-3>
option is used the key is assumed to be a 32 character hexadecimal
number.

=item B<-u>

This flag is used to read and write uuencoded files. If decrypting,
the input file is assumed to contain uuencoded, DES encrypted data.
If encrypting, the characters following the B<-u> are used as the name of
the uuencoded file to embed in the begin line of the uuencoded
output. If there is no name specified after the B<-u>, the name text.des
will be embedded in the header.

=back

=head1 SEE ALSO

ps(1),
L<des_crypt(3)|des_crypt(3)>

=head1 BUGS

The problem with using the
B<-e>
option is the short key length.
It would be better to use a real 56-bit key rather than an
ASCII-based 56-bit pattern. Knowing that the key was derived from ASCII
radically reduces the time necessary for a brute-force cryptographic attack.
My attempt to remove this problem is to add an alternative text-key to
DES-key function. This alternative function (accessed via
B<-E>, B<-D>, B<-S>
and
B<-3>)
uses DES to help generate the key.

Be careful when using the B<-u> option. Doing B<des -ud> I<filename> will
not decrypt filename (the B<-u> option will gobble the B<-d> option).

The VMS operating system operates in a world where files are always a
multiple of 512 bytes. This causes problems when encrypted data is
sent from Unix to VMS since an 88 byte file will suddenly be padded
with 424 null bytes. To get around this problem, use the B<-u> option
to uuencode the data before it is sent to the VMS system.

=head1 AUTHOR

Eric Young (eay@cryptsoft.com)

=cut