1958c9297e
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@11962 ec53bebd-3082-4978-b11e-865c3cabbd6b
187 lines
4.6 KiB
Groff
187 lines
4.6 KiB
Groff
.TH DES 1
|
|
.SH NAME
|
|
des - encrypt or decrypt data using Data Encryption Standard
|
|
.SH SYNOPSIS
|
|
.B des
|
|
(
|
|
.B \-e
|
|
|
|
|
.B \-E
|
|
) | (
|
|
.B \-d
|
|
|
|
|
.B \-D
|
|
) | (
|
|
.B \-\fR[\fPcC\fR][\fPckname\fR]\fP
|
|
) |
|
|
[
|
|
.B \-b3hfs
|
|
] [
|
|
.B \-k
|
|
.I key
|
|
]
|
|
] [
|
|
.B \-u\fR[\fIuuname\fR]
|
|
[
|
|
.I input-file
|
|
[
|
|
.I output-file
|
|
] ]
|
|
.SH DESCRIPTION
|
|
.B des
|
|
encrypts and decrypts data using the
|
|
Data Encryption Standard algorithm.
|
|
One of
|
|
.B \-e, \-E
|
|
(for encrypt) or
|
|
.B \-d, \-D
|
|
(for decrypt) must be specified.
|
|
It is also possible to use
|
|
.B \-c
|
|
or
|
|
.B \-C
|
|
in conjunction or instead of the a encrypt/decrypt option to generate
|
|
a 16 character hexadecimal checksum, generated via the
|
|
.I des_cbc_cksum.
|
|
.LP
|
|
Two standard encryption modes are supported by the
|
|
.B des
|
|
program, Cipher Block Chaining (the default) and Electronic Code Book
|
|
(specified with
|
|
.B \-b
|
|
).
|
|
.LP
|
|
The key used for the DES
|
|
algorithm is obtained by prompting the user unless the
|
|
.B `\-k
|
|
.I key'
|
|
option is given.
|
|
If the key is an argument to the
|
|
.B des
|
|
command, it is potentially visible to users executing
|
|
.BR ps (1)
|
|
or a derivative. To minimise this possibility,
|
|
.B des
|
|
takes care to destroy the key argument immediately upon entry.
|
|
If your shell keeps a history file be careful to make sure it is not
|
|
world readable.
|
|
.LP
|
|
Since this program attempts to maintain compatibility with SunOS's
|
|
des(1) command, there are 2 different methods used to convert the user
|
|
supplied key to a des key.
|
|
Whenever and one or more of
|
|
.B \-E, \-D, \-C
|
|
or
|
|
.B \-3
|
|
options are used, the key conversion procedure will not be compatible
|
|
with the SunOS des(1) version but will use all the user supplied
|
|
character to generate the des key.
|
|
.B des
|
|
command reads from standard input unless
|
|
.I input-file
|
|
is specified and writes to standard output unless
|
|
.I output-file
|
|
is given.
|
|
.SH OPTIONS
|
|
.TP
|
|
.B \-b
|
|
Select ECB
|
|
(eight bytes at a time) encryption mode.
|
|
.TP
|
|
.B \-3
|
|
Encrypt using triple encryption.
|
|
By default triple cbc encryption is used but if the
|
|
.B \-b
|
|
option is used then triple ecb encryption is performed.
|
|
If the key is less than 8 characters long, the flag has no effect.
|
|
.TP
|
|
.B \-e
|
|
Encrypt data using an 8 byte key in a manner compatible with SunOS
|
|
des(1).
|
|
.TP
|
|
.B \-E
|
|
Encrypt data using a key of nearly unlimited length (1024 bytes).
|
|
This will product a more secure encryption.
|
|
.TP
|
|
.B \-d
|
|
Decrypt data that was encrypted with the \-e option.
|
|
.TP
|
|
.B \-D
|
|
Decrypt data that was encrypted with the \-E option.
|
|
.TP
|
|
.B \-c
|
|
Generate a 16 character hexadecimal cbc checksum and output this to
|
|
stderr.
|
|
If a filename was specified after the
|
|
.B \-c
|
|
option, the checksum is output to that file.
|
|
The checksum is generated using a key generated in a SunOS compatible
|
|
manner.
|
|
.TP
|
|
.B \-C
|
|
A cbc checksum is generated in the same manner as described for the
|
|
.B \-c
|
|
option but the DES key is generated in the same manner as used for the
|
|
.B \-E
|
|
and
|
|
.B \-D
|
|
options
|
|
.TP
|
|
.B \-f
|
|
Does nothing - allowed for compatibility with SunOS des(1) command.
|
|
.TP
|
|
.B \-s
|
|
Does nothing - allowed for compatibility with SunOS des(1) command.
|
|
.TP
|
|
.B "\-k \fIkey\fP"
|
|
Use the encryption
|
|
.I key
|
|
specified.
|
|
.TP
|
|
.B "\-h"
|
|
The
|
|
.I key
|
|
is assumed to be a 16 character hexadecimal number.
|
|
If the
|
|
.B "\-3"
|
|
option is used the key is assumed to be a 32 character hexadecimal
|
|
number.
|
|
.TP
|
|
.B \-u
|
|
This flag is used to read and write uuencoded files. If decrypting,
|
|
the input file is assumed to contain uuencoded, DES encrypted data.
|
|
If encrypting, the characters following the -u are used as the name of
|
|
the uuencoded file to embed in the begin line of the uuencoded
|
|
output. If there is no name specified after the -u, the name text.des
|
|
will be embedded in the header.
|
|
.SH SEE ALSO
|
|
.B ps (1)
|
|
.B des_crypt(3)
|
|
.SH BUGS
|
|
.LP
|
|
The problem with using the
|
|
.B -e
|
|
option is the short key length.
|
|
It would be better to use a real 56-bit key rather than an
|
|
ASCII-based 56-bit pattern. Knowing that the key was derived from ASCII
|
|
radically reduces the time necessary for a brute-force cryptographic attack.
|
|
My attempt to remove this problem is to add an alternative text-key to
|
|
DES-key function. This alternative function (accessed via
|
|
.B -E, -D, -S
|
|
and
|
|
.B -3
|
|
)
|
|
uses DES to help generate the key.
|
|
.LP
|
|
Be carefully when using the -u option. Doing des -ud <filename> will
|
|
not decrypt filename (the -u option will gobble the d option).
|
|
.LP
|
|
The VMS operating system operates in a world where files are always a
|
|
multiple of 512 bytes. This causes problems when encrypted data is
|
|
send from unix to VMS since a 88 byte file will suddenly be padded
|
|
with 424 null bytes. To get around this problem, use the -u option
|
|
to uuencode the data before it is send to the VMS system.
|
|
.SH AUTHOR
|
|
.LP
|
|
Eric Young (eay@mincom.oz.au or eay@psych.psy.uq.oz.au)
|