des(1)                          User Commands                          des(1)

NAME
des - encrypt or decrypt data using Data Encryption Standard

SYNOPSIS
des -e | -d [-bfs] [-k key] [input-file [output-file]]

DESCRIPTION
des encrypts and decrypts data using the NBS Data Encryption Standard
algorithm. One of -e (for encrypt) or -d (for decrypt) must be
specified.

The des command is provided to promote secure exchange of data in a
standard fashion.

Two standard encryption modes are supported by the des program, Cipher
Block Chaining (CBC — the default) and Electronic Code Book (ECB —
specified with -b). CBC mode treats an entire file as a unit of
encryption, that is, if insertions or deletions are made to the
encrypted file then decryption will not succeed. CBC mode also ensures
that regularities in clear data do not appear in the encrypted data.
ECB mode treats each 8 bytes as a unit of encryption, so if parts of
the encrypted file are modified then other parts may still be
decrypted. In ECB mode, identical values of clear text encrypt to
identical values of cipher text.

The key used for the DES algorithm is obtained by prompting the user
unless the `-k key' option is given. If the key is an argument to the
des command, it is potentially visible to users executing ps(1) or a
derivative. To minimize this possibility, des takes care to destroy
the key argument immediately upon entry.

The des command attempts to use DES hardware for its job, but will use
a software implementation of the DES algorithm if the hardware is
unavailable. Normally, a warning message is printed if the DES
hardware is unavailable since the software is only about 1/50th as
fast. However, the -f option will suppress the warning. The -s option
may be used to force use of software instead of hardware DES.

The des command reads from standard input unless input-file is
specified and writes to standard output unless output-file is given.

The following sections give information required to implement
compatible facilities in other environments.

Since the CBC and ECB modes of DES require units of 8 bytes to be
encrypted, files being encrypted by the des command have 1 to 8 bytes
appended to them to cause them to be a multiple of 8 bytes. The last
byte, when decrypted, gives the number of bytes (0 to 7) which are to
be saved of the last 8 bytes. The other bytes of those appended to the
input are randomized before encryption. If, when decrypting, the last
byte is not in the range of 0 to 7 then either the encrypted file has
been corrupted or an incorrect key was provided for decryption and an
error message is printed.

The DES algorithm requires an 8 byte key whose low order bits are
assumed to be odd-parity bits. The ASCII key supplied by the user is
zero padded to 8 bytes and the high order bits are set to be odd-parity
bits. The DES algorithm then ignores the low bit of each ASCII
character, but that bit's information has been preserved in the high
bit due to the parity.

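The padding and key-derivation rules from the two paragraphs above, as a Python example added here (it is not part of the original man page or of the des source). The function names are this example's own, rejecting keys longer than 8 bytes is an assumption because the page does not say how they are handled, and the DES cipher itself is left out.

```python
import os

BLOCK = 8  # DES block size and key size, in bytes


def derive_key(ascii_key: str) -> bytes:
    """Zero-pad the ASCII key to 8 bytes and set each high bit for odd parity."""
    raw = ascii_key.encode("ascii")
    if len(raw) > BLOCK:
        # Assumption of this example: the page does not cover longer keys.
        raise ValueError("key longer than 8 bytes")
    key = bytearray()
    for b in raw.ljust(BLOCK, b"\0"):
        ones = bin(b & 0x7F).count("1")
        # Set bit 7 when the low 7 bits hold an even number of ones.
        key.append((b & 0x7F) | (0x80 if ones % 2 == 0 else 0x00))
    return bytes(key)


def des_key_bits(key: bytes) -> int:
    """The 56 bits DES uses: bits 7..1 of each byte (bit 0 is ignored)."""
    bits = 0
    for b in key:
        bits = (bits << 7) | (b >> 1)
    return bits


def pad(plain: bytes) -> bytes:
    """Append 1 to 8 bytes: random filler, then the data-byte count of the last block."""
    keep = len(plain) % BLOCK
    return plain + os.urandom(BLOCK - keep - 1) + bytes([keep])


def unpad(padded: bytes) -> bytes:
    """Strip the padding after decryption, rejecting a last byte outside 0..7."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a positive multiple of 8")
    keep = padded[-1]
    if keep > 7:
        raise ValueError("corrupted input or incorrect key")
    return padded[:-BLOCK] + padded[-BLOCK:][:keep]


if __name__ == "__main__":
    k = derive_key("secret")  # constructed sample key
    print(k.hex(), f"{des_key_bits(k):014x}")
    print(unpad(pad(b"hello, world")))  # constructed sample plaintext
```

The 0-to-7 range check is not an integrity check: decrypting with a wrong key leaves an effectively random last byte, which still passes about 8 times in 256.
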
The CBC mode of operation always uses an initial value of all zeros for
the initialization vector, so the first 8 bytes of a file are encrypted
the same whether in CBC or ECB mode.

OPTIONS
-b        Select ECB (eight bytes at a time) encryption mode.

-d        Decrypt data.

-e        Encrypt data.

-f        Suppress warning message when software implementation is used.

-s        Select software implementation for the encryption algorithm.

-k key    Use the encryption key specified.

FILES
/dev/des?

SEE ALSO
ps(1)

BUGS
It would be better to use a real 56-bit key rather than an ASCII-based
56-bit pattern. Knowing that the key was derived from ASCII radically
reduces the time necessary for a brute-force cryptographic attack.

SunOS 5.11                       3 Mar 2008                            des(1)