des(1)								   User Commands							    des(1)

NAME

       des - encrypt or decrypt data using Data Encryption Standard

SYNOPSIS

       des -e |  -d [-bfs] [-k key] [input-file [output-file]]

DESCRIPTION

       des encrypts and decrypts data using the NBS Data Encryption Standard algorithm. One of	-e (for encrypt) or -d (for decrypt) must be spec-
       ified.

       The  des command is provided to promote secure exchange of data in a standard fashion.

       Two standard encryption modes are supported by the des program, Cipher Block Chaining (CBC -- the default) and Electronic Code Book (ECB --
       specified  with	-b). CBC mode treats an entire file as a unit of encryption, that is, if insertions or deletions are made to the encrypted
       file then decryption will not succeed. CBC mode also ensures that regularities in clear data do not appear in the encrypted data. ECB  mode
       treats  each 8 bytes as units of encryptions, so if parts of the encrypted file are modified then other parts may still be decrypted. Iden-
       tical values of clear text encrypt to identical values of cipher text.

       The key used for the DES algorithm is obtained by prompting the user unless the `-k key' option is given. If the key is an argument to  the
       des  command,  it is potentially visible to users executing ps(1) or a derivative.  To minimize this possibility, des takes care to destroy
       the key argument immediately upon entry.

       The des command attempts to use DES hardware for its job, but will use a software implementation of the DES algorithm if  the  hardware	is
       unavailable.   Normally,  a  warning message is printed if the DES hardware is unavailable since the software is only about 1/50th as fast.
       However, the  -f option will suppress the warning. The -s option may be used to force use of software instead of hardware DES.

       The des command reads from standard input unless input-file is specified and writes to standard output unless output-file is given.

       The following sections give information required to implement compatible facilities in other environments.

       Since the CBC and ECB modes of DES require units of 8 bytes to be encrypted, files being encrypted by the des command have  1  to  8  bytes
       appended  to them to cause them to be a multiple of 8 bytes. The last byte, when decrypted, gives the number of bytes (0 to 7) which are to
       be saved of the last 8 bytes. The other bytes of those appended to the input are randomized before encryption.  If,  when  decrypting,  the
       last  byte  is not in the range of 0 to 7 then either the encrypted file has been corrupted or an incorrect key was provided for decryption
       and an error message is printed.

       The DES algorithm requires an 8 byte key whose low order bits are assumed to be odd-parity bits.  The ASCII key supplied  by  the  user	is
       zero  padded  to  8  bytes and the high order bits are set to be odd-parity bits.  The DES algorithm then ignores the low bit of each ASCII
       character, but that bit's information has been preserved in the high bit due to the parity.

       The CBC mode of operation always uses an initial value of all zeros for the initialization vector, so the first	8  bytes  of  a  file  are
       encrypted the same whether in CBC or ECB mode.

OPTIONS

       -b	Select ECB (eight bytes at a time) encryption mode.

       -d	Decrypt data.

       -e	Encrypt data.

       -f	Suppress warning message when software implementation is used.

       -s	Select software implementation for the encryption algorithm.

       -kkey	Use the encryption  key specified.

FILES

       /dev/des?

SEE ALSO

       ps(1)

BUGS

       It  would  be better to use a real 56-bit key rather than an ASCII-based 56-bit pattern.  Knowing that the key was derived from ASCII radi-
       cally reduces the time necessary for a brute-force cryptographic attack.

SunOS 5.11							    3 Mar 2008								    des(1)