1`DES_MODES(7ossl) OpenSSL DES_MODES(7ossl)`

2`3`

`4`

## NAME

6`des_modes - the variants of DES and other crypto algorithms of OpenSSL`

7

## DESCRIPTION

9`Several crypto algorithms for OpenSSL can be used in a number of modes.`

10`Those are used for using block ciphers in a way similar to stream`

11`ciphers, among other things.`

12

## OVERVIEW

14`Electronic Codebook Mode (ECB)`

15`Normally, this is found as the function algorithm_ecb_encrypt().`

16`17`

`• 64 bits are enciphered at a time.`

18`19`

`• The order of the blocks can be rearranged without detection.`

20`21`

`• The same plaintext block always produces the same ciphertext block`

22`(for the same key) making it vulnerable to a 'dictionary attack'.`

23`24`

`• An error will only affect one ciphertext block.`

25`26`

`Cipher Block Chaining Mode (CBC)`

27`Normally, this is found as the function algorithm_cbc_encrypt(). Be`

28`aware that des_cbc_encrypt() is not really DES CBC (it does not update`

29`the IV); use des_ncbc_encrypt() instead.`

30`31`

`• a multiple of 64 bits are enciphered at a time.`

32`33`

`• The CBC mode produces the same ciphertext whenever the same plaintext`

34`is encrypted using the same key and starting variable.`

35`36`

`• The chaining operation makes the ciphertext blocks dependent on the`

37`current and all preceding plaintext blocks and therefore blocks can`

38`not be rearranged.`

39`40`

`• The use of different starting variables prevents the same plaintext`

41`enciphering to the same ciphertext.`

42`43`

`• An error will affect the current and the following ciphertext blocks.`

44`45`

`Cipher Feedback Mode (CFB)`

46`Normally, this is found as the function algorithm_cfb_encrypt().`

47`48`

`• a number of bits (j) <= 64 are enciphered at a time.`

49`50`

`• The CFB mode produces the same ciphertext whenever the same plaintext`

51`is encrypted using the same key and starting variable.`

52`53`

`• The chaining operation makes the ciphertext variables dependent on`

54`the current and all preceding variables and therefore j-bit variables`

55`are chained together and can not be rearranged.`

56`57`

`• The use of different starting variables prevents the same plaintext`

58`enciphering to the same ciphertext.`

59`60`

`• The strength of the CFB mode depends on the size of k (maximal if j`

61`== k). In my implementation this is always the case.`

62`63`

`• Selection of a small value for j will require more cycles through the`

64`encipherment algorithm per unit of plaintext and thus cause greater`

65`processing overheads.`

66`67`

`• Only multiples of j bits can be enciphered.`

68`69`

`• An error will affect the current and the following ciphertext`

70`variables.`

71`72`

`Output Feedback Mode (OFB)`

73`Normally, this is found as the function algorithm_ofb_encrypt().`

74`75`

`• a number of bits (j) <= 64 are enciphered at a time.`

76`77`

`• The OFB mode produces the same ciphertext whenever the same plaintext`

78`enciphered using the same key and starting variable. More over, in`

79`the OFB mode the same key stream is produced when the same key and`

80`start variable are used. Consequently, for security reasons a`

81`specific start variable should be used only once for a given key.`

82`83`

`• The absence of chaining makes the OFB more vulnerable to specific`

84`attacks.`

85`86`

`• The use of different start variables values prevents the same`

87`plaintext enciphering to the same ciphertext, by producing different`

88`key streams.`

89`90`

`• Selection of a small value for j will require more cycles through the`

91`encipherment algorithm per unit of plaintext and thus cause greater`

92`processing overheads.`

93`94`

`• Only multiples of j bits can be enciphered.`

95`96`

`• OFB mode of operation does not extend ciphertext errors in the`

97`resultant plaintext output. Every bit error in the ciphertext causes`

98`only one bit to be in error in the deciphered plaintext.`

99`100`

`• OFB mode is not self-synchronizing. If the two operation of`

101`encipherment and decipherment get out of synchronism, the system`

102`needs to be re-initialized.`

103`104`

`• Each re-initialization should use a value of the start variable`

105`different from the start variable values used before with the same`

106`key. The reason for this is that an identical bit stream would be`

107`produced each time from the same parameters. This would be`

108`susceptible to a 'known plaintext' attack.`

109`110`

`Triple ECB Mode`

111`Normally, this is found as the function algorithm_ecb3_encrypt().`

112`113`

`• Encrypt with key1, decrypt with key2 and encrypt with key3 again.`

114`115`

`• As for ECB encryption but increases the key length to 168 bits.`

116`There are theoretic attacks that can be used that make the effective`

117`key length 112 bits, but this attack also requires 2^56 blocks of`

118`memory, not very likely, even for the NSA.`

119`120`

`• If both keys are the same it is equivalent to encrypting once with`

121`just one key.`

122`123`

`• If the first and last key are the same, the key length is 112 bits.`

124`There are attacks that could reduce the effective key strength to`

125`only slightly more than 56 bits, but these require a lot of memory.`

126`127`

`• If all 3 keys are the same, this is effectively the same as normal`

128`ecb mode.`

129`130`

`Triple CBC Mode`

131`Normally, this is found as the function algorithm_ede3_cbc_encrypt().`

132`133`

`• Encrypt with key1, decrypt with key2 and then encrypt with key3.`

134`135`

`• As for CBC encryption but increases the key length to 168 bits with`

136`the same restrictions as for triple ecb mode.`

137

## NOTES

139`This text was been written in large parts by Eric Young in his original`

140`documentation for SSLeay, the predecessor of OpenSSL. In turn, he`

141`attributed it to:`

142`143`

`AS 2805.5.2`

144`Australian Standard`

145`Electronic funds transfer - Requirements for interfaces,`

146`Part 5.2: Modes of operation for an n-bit block cipher algorithm`

147`Appendix A`

148

## SEE ALSO

150`BF_encrypt(3), DES_crypt(3)`

151

## COPYRIGHT

153`Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.`

154`155`

`Licensed under the Apache License 2.0 (the "License"). You may not use`

156`this file except in compliance with the License. You can obtain a copy`

157`in the file LICENSE in the source distribution or at`

158`<https://www.openssl.org/source/license.html>.`

159`160`

`161`

`162`

`3.1.1 2023-08-31 DES_MODES(7ossl)`