mirror of
https://github.com/openssl/openssl.git
synced 2024-11-27 05:21:51 +08:00
218 lines
4.7 KiB
Plaintext
218 lines
4.7 KiB
Plaintext
=pod
|
|
|
|
=head1 NAME
|
|
|
|
des - encrypt or decrypt data using Data Encryption Standard
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
B<des>
|
|
(
|
|
B<-e>
|
|
|
|
|
B<-E>
|
|
) | (
|
|
B<-d>
|
|
|
|
|
B<-D>
|
|
) | (
|
|
B<->[B<cC>][B<ckname>]
|
|
) |
|
|
[
|
|
B<-b3hfs>
|
|
] [
|
|
B<-k>
|
|
I<key>
|
|
]
|
|
] [
|
|
B<-u>[I<uuname>]
|
|
[
|
|
I<input-file>
|
|
[
|
|
I<output-file>
|
|
] ]
|
|
|
|
=head1 NOTE
|
|
|
|
This page describes the B<des> stand-alone program, not the B<openssl des>
|
|
command.
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
B<des>
|
|
encrypts and decrypts data using the
|
|
Data Encryption Standard algorithm.
|
|
One of
|
|
B<-e>, B<-E>
|
|
(for encrypt) or
|
|
B<-d>, B<-D>
|
|
(for decrypt) must be specified.
|
|
It is also possible to use
|
|
B<-c>
|
|
or
|
|
B<-C>
|
|
in conjunction or instead of the a encrypt/decrypt option to generate
|
|
a 16 character hexadecimal checksum, generated via the
|
|
I<des_cbc_cksum>.
|
|
|
|
Two standard encryption modes are supported by the
|
|
B<des>
|
|
program, Cipher Block Chaining (the default) and Electronic Code Book
|
|
(specified with
|
|
B<-b>).
|
|
|
|
The key used for the DES
|
|
algorithm is obtained by prompting the user unless the
|
|
B<-k>
|
|
I<key>
|
|
option is given.
|
|
If the key is an argument to the
|
|
B<des>
|
|
command, it is potentially visible to users executing
|
|
ps(1)
|
|
or a derivative. To minimise this possibility,
|
|
B<des>
|
|
takes care to destroy the key argument immediately upon entry.
|
|
If your shell keeps a history file be careful to make sure it is not
|
|
world readable.
|
|
|
|
Since this program attempts to maintain compatibility with sunOS's
|
|
des(1) command, there are 2 different methods used to convert the user
|
|
supplied key to a des key.
|
|
Whenever and one or more of
|
|
B<-E>, B<-D>, B<-C>
|
|
or
|
|
B<-3>
|
|
options are used, the key conversion procedure will not be compatible
|
|
with the sunOS des(1) version but will use all the user supplied
|
|
character to generate the des key.
|
|
B<des>
|
|
command reads from standard input unless
|
|
I<input-file>
|
|
is specified and writes to standard output unless
|
|
I<output-file>
|
|
is given.
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over 4
|
|
|
|
=item B<-b>
|
|
|
|
Select ECB
|
|
(eight bytes at a time) encryption mode.
|
|
|
|
=item B<-3>
|
|
|
|
Encrypt using triple encryption.
|
|
By default triple cbc encryption is used but if the
|
|
B<-b>
|
|
option is used then triple ECB encryption is performed.
|
|
If the key is less than 8 characters long, the flag has no effect.
|
|
|
|
=item B<-e>
|
|
|
|
Encrypt data using an 8 byte key in a manner compatible with sunOS
|
|
des(1).
|
|
|
|
=item B<-E>
|
|
|
|
Encrypt data using a key of nearly unlimited length (1024 bytes).
|
|
This will product a more secure encryption.
|
|
|
|
=item B<-d>
|
|
|
|
Decrypt data that was encrypted with the B<-e> option.
|
|
|
|
=item B<-D>
|
|
|
|
Decrypt data that was encrypted with the B<-E> option.
|
|
|
|
=item B<-c>
|
|
|
|
Generate a 16 character hexadecimal cbc checksum and output this to
|
|
stderr.
|
|
If a filename was specified after the
|
|
B<-c>
|
|
option, the checksum is output to that file.
|
|
The checksum is generated using a key generated in a sunOS compatible
|
|
manner.
|
|
|
|
=item B<-C>
|
|
|
|
A cbc checksum is generated in the same manner as described for the
|
|
B<-c>
|
|
option but the DES key is generated in the same manner as used for the
|
|
B<-E>
|
|
and
|
|
B<-D>
|
|
options
|
|
|
|
=item B<-f>
|
|
|
|
Does nothing - allowed for compatibility with sunOS des(1) command.
|
|
|
|
=item B<-s>
|
|
|
|
Does nothing - allowed for compatibility with sunOS des(1) command.
|
|
|
|
=item B<-k> I<key>
|
|
|
|
Use the encryption
|
|
I<key>
|
|
specified.
|
|
|
|
=item B<-h>
|
|
|
|
The
|
|
I<key>
|
|
is assumed to be a 16 character hexadecimal number.
|
|
If the
|
|
B<-3>
|
|
option is used the key is assumed to be a 32 character hexadecimal
|
|
number.
|
|
|
|
=item B<-u>
|
|
|
|
This flag is used to read and write uuencoded files. If decrypting,
|
|
the input file is assumed to contain uuencoded, DES encrypted data.
|
|
If encrypting, the characters following the B<-u> are used as the name of
|
|
the uuencoded file to embed in the begin line of the uuencoded
|
|
output. If there is no name specified after the B<-u>, the name text.des
|
|
will be embedded in the header.
|
|
|
|
=head1 SEE ALSO
|
|
|
|
ps(1),
|
|
L<des_crypt(3)|des_crypt(3)>
|
|
|
|
=head1 BUGS
|
|
|
|
The problem with using the
|
|
B<-e>
|
|
option is the short key length.
|
|
It would be better to use a real 56-bit key rather than an
|
|
ASCII-based 56-bit pattern. Knowing that the key was derived from ASCII
|
|
radically reduces the time necessary for a brute-force cryptographic attack.
|
|
My attempt to remove this problem is to add an alternative text-key to
|
|
DES-key function. This alternative function (accessed via
|
|
B<-E>, B<-D>, B<-S>
|
|
and
|
|
B<-3>)
|
|
uses DES to help generate the key.
|
|
|
|
Be carefully when using the B<-u> option. Doing B<des -ud> I<filename> will
|
|
not decrypt filename (the B<-u> option will gobble the B<-d> option).
|
|
|
|
The VMS operating system operates in a world where files are always a
|
|
multiple of 512 bytes. This causes problems when encrypted data is
|
|
send from Unix to VMS since a 88 byte file will suddenly be padded
|
|
with 424 null bytes. To get around this problem, use the B<-u> option
|
|
to uuencode the data before it is send to the VMS system.
|
|
|
|
=head1 AUTHOR
|
|
|
|
Eric Young (eay@cryptsoft.com)
|
|
|
|
=cut
|