250 lines
8.8 KiB
HTML
250 lines
8.8 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of DES_MODES</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>DES_MODES</H1>
|
|
Section: OpenSSL (7SSL)<BR>Updated: 2021-03-22<BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
des_modes - the variants of DES and other crypto algorithms of OpenSSL
|
|
<A NAME="lbAC"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
|
|
|
|
Several crypto algorithms for OpenSSL can be used in a number of modes. Those
|
|
are used for using block ciphers in a way similar to stream ciphers, among
|
|
other things.
|
|
<A NAME="lbAD"> </A>
|
|
<H2>OVERVIEW</H2>
|
|
|
|
|
|
|
|
<A NAME="lbAE"> </A>
|
|
<H3>Electronic Codebook Mode (<FONT SIZE="-1">ECB</FONT>)</H3>
|
|
|
|
|
|
|
|
Normally, this is found as the function <I>algorithm</I><B>_ecb_encrypt()</B>.
|
|
<DL COMPACT>
|
|
<DT id="1">•<DD>
|
|
64 bits are enciphered at a time.
|
|
<DT id="2">•<DD>
|
|
The order of the blocks can be rearranged without detection.
|
|
<DT id="3">•<DD>
|
|
The same plaintext block always produces the same ciphertext block
|
|
(for the same key) making it vulnerable to a 'dictionary attack'.
|
|
<DT id="4">•<DD>
|
|
An error will only affect one ciphertext block.
|
|
</DL>
|
|
<A NAME="lbAF"> </A>
|
|
<H3>Cipher Block Chaining Mode (<FONT SIZE="-1">CBC</FONT>)</H3>
|
|
|
|
|
|
|
|
Normally, this is found as the function <I>algorithm</I><B>_cbc_encrypt()</B>.
|
|
Be aware that <B>des_cbc_encrypt()</B> is not really <FONT SIZE="-1">DES CBC</FONT> (it does
|
|
not update the <FONT SIZE="-1">IV</FONT>); use <B>des_ncbc_encrypt()</B> instead.
|
|
<DL COMPACT>
|
|
<DT id="5">•<DD>
|
|
a multiple of 64 bits are enciphered at a time.
|
|
<DT id="6">•<DD>
|
|
The <FONT SIZE="-1">CBC</FONT> mode produces the same ciphertext whenever the same
|
|
plaintext is encrypted using the same key and starting variable.
|
|
<DT id="7">•<DD>
|
|
The chaining operation makes the ciphertext blocks dependent on the
|
|
current and all preceding plaintext blocks and therefore blocks can not
|
|
be rearranged.
|
|
<DT id="8">•<DD>
|
|
The use of different starting variables prevents the same plaintext
|
|
enciphering to the same ciphertext.
|
|
<DT id="9">•<DD>
|
|
An error will affect the current and the following ciphertext blocks.
|
|
</DL>
|
|
<A NAME="lbAG"> </A>
|
|
<H3>Cipher Feedback Mode (<FONT SIZE="-1">CFB</FONT>)</H3>
|
|
|
|
|
|
|
|
Normally, this is found as the function <I>algorithm</I><B>_cfb_encrypt()</B>.
|
|
<DL COMPACT>
|
|
<DT id="10">•<DD>
|
|
a number of bits (j) <= 64 are enciphered at a time.
|
|
<DT id="11">•<DD>
|
|
The <FONT SIZE="-1">CFB</FONT> mode produces the same ciphertext whenever the same
|
|
plaintext is encrypted using the same key and starting variable.
|
|
<DT id="12">•<DD>
|
|
The chaining operation makes the ciphertext variables dependent on the
|
|
current and all preceding variables and therefore j-bit variables are
|
|
chained together and can not be rearranged.
|
|
<DT id="13">•<DD>
|
|
The use of different starting variables prevents the same plaintext
|
|
enciphering to the same ciphertext.
|
|
<DT id="14">•<DD>
|
|
The strength of the <FONT SIZE="-1">CFB</FONT> mode depends on the size of k (maximal if
|
|
j == k). In my implementation this is always the case.
|
|
<DT id="15">•<DD>
|
|
Selection of a small value for j will require more cycles through
|
|
the encipherment algorithm per unit of plaintext and thus cause
|
|
greater processing overheads.
|
|
<DT id="16">•<DD>
|
|
Only multiples of j bits can be enciphered.
|
|
<DT id="17">•<DD>
|
|
An error will affect the current and the following ciphertext variables.
|
|
</DL>
|
|
<A NAME="lbAH"> </A>
|
|
<H3>Output Feedback Mode (<FONT SIZE="-1">OFB</FONT>)</H3>
|
|
|
|
|
|
|
|
Normally, this is found as the function <I>algorithm</I><B>_ofb_encrypt()</B>.
|
|
<DL COMPACT>
|
|
<DT id="18">•<DD>
|
|
a number of bits (j) <= 64 are enciphered at a time.
|
|
<DT id="19">•<DD>
|
|
The <FONT SIZE="-1">OFB</FONT> mode produces the same ciphertext whenever the same
|
|
plaintext enciphered using the same key and starting variable. More
|
|
over, in the <FONT SIZE="-1">OFB</FONT> mode the same key stream is produced when the same
|
|
key and start variable are used. Consequently, for security reasons
|
|
a specific start variable should be used only once for a given key.
|
|
<DT id="20">•<DD>
|
|
The absence of chaining makes the <FONT SIZE="-1">OFB</FONT> more vulnerable to specific attacks.
|
|
<DT id="21">•<DD>
|
|
The use of different start variables values prevents the same
|
|
plaintext enciphering to the same ciphertext, by producing different
|
|
key streams.
|
|
<DT id="22">•<DD>
|
|
Selection of a small value for j will require more cycles through
|
|
the encipherment algorithm per unit of plaintext and thus cause
|
|
greater processing overheads.
|
|
<DT id="23">•<DD>
|
|
Only multiples of j bits can be enciphered.
|
|
<DT id="24">•<DD>
|
|
<FONT SIZE="-1">OFB</FONT> mode of operation does not extend ciphertext errors in the
|
|
resultant plaintext output. Every bit error in the ciphertext causes
|
|
only one bit to be in error in the deciphered plaintext.
|
|
<DT id="25">•<DD>
|
|
<FONT SIZE="-1">OFB</FONT> mode is not self-synchronizing. If the two operation of
|
|
encipherment and decipherment get out of synchronism, the system needs
|
|
to be re-initialized.
|
|
<DT id="26">•<DD>
|
|
Each re-initialization should use a value of the start variable
|
|
different from the start variable values used before with the same
|
|
key. The reason for this is that an identical bit stream would be
|
|
produced each time from the same parameters. This would be
|
|
susceptible to a 'known plaintext' attack.
|
|
</DL>
|
|
<A NAME="lbAI"> </A>
|
|
<H3>Triple <FONT SIZE="-1">ECB</FONT> Mode</H3>
|
|
|
|
|
|
|
|
Normally, this is found as the function <I>algorithm</I><B>_ecb3_encrypt()</B>.
|
|
<DL COMPACT>
|
|
<DT id="27">•<DD>
|
|
Encrypt with key1, decrypt with key2 and encrypt with key3 again.
|
|
<DT id="28">•<DD>
|
|
As for <FONT SIZE="-1">ECB</FONT> encryption but increases the key length to 168 bits.
|
|
There are theoretic attacks that can be used that make the effective
|
|
key length 112 bits, but this attack also requires 2^56 blocks of
|
|
memory, not very likely, even for the <FONT SIZE="-1">NSA.</FONT>
|
|
<DT id="29">•<DD>
|
|
If both keys are the same it is equivalent to encrypting once with
|
|
just one key.
|
|
<DT id="30">•<DD>
|
|
If the first and last key are the same, the key length is 112 bits.
|
|
There are attacks that could reduce the effective key strength
|
|
to only slightly more than 56 bits, but these require a lot of memory.
|
|
<DT id="31">•<DD>
|
|
If all 3 keys are the same, this is effectively the same as normal
|
|
ecb mode.
|
|
</DL>
|
|
<A NAME="lbAJ"> </A>
|
|
<H3>Triple <FONT SIZE="-1">CBC</FONT> Mode</H3>
|
|
|
|
|
|
|
|
Normally, this is found as the function <I>algorithm</I><B>_ede3_cbc_encrypt()</B>.
|
|
<DL COMPACT>
|
|
<DT id="32">•<DD>
|
|
Encrypt with key1, decrypt with key2 and then encrypt with key3.
|
|
<DT id="33">•<DD>
|
|
As for <FONT SIZE="-1">CBC</FONT> encryption but increases the key length to 168 bits with
|
|
the same restrictions as for triple ecb mode.
|
|
</DL>
|
|
<A NAME="lbAK"> </A>
|
|
<H2>NOTES</H2>
|
|
|
|
|
|
|
|
This text was been written in large parts by Eric Young in his original
|
|
documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed
|
|
it to:
|
|
<P>
|
|
|
|
|
|
|
|
<PRE>
|
|
AS 2805.5.2
|
|
Australian Standard
|
|
Electronic funds transfer - Requirements for interfaces,
|
|
Part 5.2: Modes of operation for an n-bit block cipher algorithm
|
|
Appendix A
|
|
|
|
</PRE>
|
|
|
|
|
|
<A NAME="lbAL"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?3+BF_encrypt">BF_encrypt</A></B>(3), <B><A HREF="/cgi-bin/man/man2html?3+DES_crypt">DES_crypt</A></B>(3)
|
|
<A NAME="lbAM"> </A>
|
|
<H2>COPYRIGHT</H2>
|
|
|
|
|
|
|
|
Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
|
|
<P>
|
|
|
|
Licensed under the OpenSSL license (the ``License''). You may not use
|
|
this file except in compliance with the License. You can obtain a copy
|
|
in the file <FONT SIZE="-1">LICENSE</FONT> in the source distribution or at
|
|
<<A HREF="https://www.openssl.org/source/license.html">https://www.openssl.org/source/license.html</A>>.
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="34"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="35"><A HREF="#lbAC">DESCRIPTION</A><DD>
|
|
<DT id="36"><A HREF="#lbAD">OVERVIEW</A><DD>
|
|
<DL>
|
|
<DT id="37"><A HREF="#lbAE">Electronic Codebook Mode (<FONT SIZE="-1">ECB</FONT>)</A><DD>
|
|
<DT id="38"><A HREF="#lbAF">Cipher Block Chaining Mode (<FONT SIZE="-1">CBC</FONT>)</A><DD>
|
|
<DT id="39"><A HREF="#lbAG">Cipher Feedback Mode (<FONT SIZE="-1">CFB</FONT>)</A><DD>
|
|
<DT id="40"><A HREF="#lbAH">Output Feedback Mode (<FONT SIZE="-1">OFB</FONT>)</A><DD>
|
|
<DT id="41"><A HREF="#lbAI">Triple <FONT SIZE="-1">ECB</FONT> Mode</A><DD>
|
|
<DT id="42"><A HREF="#lbAJ">Triple <FONT SIZE="-1">CBC</FONT> Mode</A><DD>
|
|
</DL>
|
|
<DT id="43"><A HREF="#lbAK">NOTES</A><DD>
|
|
<DT id="44"><A HREF="#lbAL">SEE ALSO</A><DD>
|
|
<DT id="45"><A HREF="#lbAM">COPYRIGHT</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:08 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|