Update files for OpenSSL-1.0.0f import.
[dragonfly.git] / secure / lib / libcrypto / man / des_modes.7
CommitLineData
e3261593 1.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.19)
984263bc
MD
2.\"
3.\" Standard preamble:
a561f9ff 4.\" ========================================================================
984263bc
MD
5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
984263bc
MD
9.de Vb \" Begin verbatim text
10.ft CW
11.nf
12.ne \\$1
13..
14.de Ve \" End verbatim text
15.ft R
984263bc
MD
16.fi
17..
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
e257b235
PA
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
984263bc
MD
25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
26.ie n \{\
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
41'br\}
42.\"
e257b235
PA
43.\" Escape single quotes in literal strings from groff's Unicode transform.
44.ie \n(.g .ds Aq \(aq
45.el .ds Aq '
46.\"
a561f9ff 47.\" If the F register is turned on, we'll generate index entries on stderr for
01185282 48.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
a561f9ff
SS
49.\" entries marked with X<> in POD. Of course, you'll have to process the
50.\" output yourself in some meaningful fashion.
e257b235 51.ie \nF \{\
984263bc
MD
52. de IX
53. tm Index:\\$1\t\\n%\t"\\$2"
54..
55. nr % 0
56. rr F
57.\}
e257b235
PA
58.el \{\
59. de IX
60..
61.\}
aac4ff6f 62.\"
984263bc
MD
63.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
64.\" Fear. Run. Save yourself. No user-serviceable parts.
984263bc
MD
65. \" fudge factors for nroff and troff
66.if n \{\
67. ds #H 0
68. ds #V .8m
69. ds #F .3m
70. ds #[ \f1
71. ds #] \fP
72.\}
73.if t \{\
74. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
75. ds #V .6m
76. ds #F 0
77. ds #[ \&
78. ds #] \&
79.\}
80. \" simple accents for nroff and troff
81.if n \{\
82. ds ' \&
83. ds ` \&
84. ds ^ \&
85. ds , \&
86. ds ~ ~
87. ds /
88.\}
89.if t \{\
90. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
91. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
92. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
93. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
94. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
95. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
96.\}
97. \" troff and (daisy-wheel) nroff accents
98.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
99.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
100.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
101.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
102.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
103.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
104.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
105.ds ae a\h'-(\w'a'u*4/10)'e
106.ds Ae A\h'-(\w'A'u*4/10)'E
107. \" corrections for vroff
108.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
109.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
110. \" for low resolution devices (crt and lpr)
111.if \n(.H>23 .if \n(.V>19 \
112\{\
113. ds : e
114. ds 8 ss
115. ds o a
116. ds d- d\h'-1'\(ga
117. ds D- D\h'-1'\(hy
118. ds th \o'bp'
119. ds Th \o'LP'
120. ds ae ae
121. ds Ae AE
122.\}
123.rm #[ #] #H #V #F C
a561f9ff 124.\" ========================================================================
984263bc 125.\"
a561f9ff 126.IX Title "DES_MODES 7"
e3261593 127.TH DES_MODES 7 "2012-01-04" "1.0.0f" "OpenSSL"
e257b235
PA
128.\" For nroff, turn off justification. Always turn off hyphenation; it makes
129.\" way too many mistakes in technical documents.
130.if n .ad l
131.nh
984263bc 132.SH "NAME"
2c0715f4 133des_modes \- the variants of DES and other crypto algorithms of OpenSSL
984263bc
MD
134.SH "DESCRIPTION"
135.IX Header "DESCRIPTION"
136Several crypto algorithms for OpenSSL can be used in a number of modes. Those
137are used for using block ciphers in a way similar to stream ciphers, among
138other things.
139.SH "OVERVIEW"
140.IX Header "OVERVIEW"
01185282 141.SS "Electronic Codebook Mode (\s-1ECB\s0)"
984263bc
MD
142.IX Subsection "Electronic Codebook Mode (ECB)"
143Normally, this is found as the function \fIalgorithm\fR\fI_ecb_encrypt()\fR.
a561f9ff 144.IP "\(bu" 2
984263bc 14564 bits are enciphered at a time.
a561f9ff 146.IP "\(bu" 2
984263bc 147The order of the blocks can be rearranged without detection.
a561f9ff 148.IP "\(bu" 2
984263bc
MD
149The same plaintext block always produces the same ciphertext block
150(for the same key) making it vulnerable to a 'dictionary attack'.
a561f9ff 151.IP "\(bu" 2
984263bc 152An error will only affect one ciphertext block.
01185282 153.SS "Cipher Block Chaining Mode (\s-1CBC\s0)"
984263bc
MD
154.IX Subsection "Cipher Block Chaining Mode (CBC)"
155Normally, this is found as the function \fIalgorithm\fR\fI_cbc_encrypt()\fR.
156Be aware that \fIdes_cbc_encrypt()\fR is not really \s-1DES\s0 \s-1CBC\s0 (it does
157not update the \s-1IV\s0); use \fIdes_ncbc_encrypt()\fR instead.
a561f9ff 158.IP "\(bu" 2
984263bc 159a multiple of 64 bits are enciphered at a time.
a561f9ff 160.IP "\(bu" 2
984263bc
MD
161The \s-1CBC\s0 mode produces the same ciphertext whenever the same
162plaintext is encrypted using the same key and starting variable.
a561f9ff 163.IP "\(bu" 2
984263bc
MD
164The chaining operation makes the ciphertext blocks dependent on the
165current and all preceding plaintext blocks and therefore blocks can not
166be rearranged.
a561f9ff 167.IP "\(bu" 2
984263bc
MD
168The use of different starting variables prevents the same plaintext
169enciphering to the same ciphertext.
a561f9ff 170.IP "\(bu" 2
984263bc 171An error will affect the current and the following ciphertext blocks.
01185282 172.SS "Cipher Feedback Mode (\s-1CFB\s0)"
984263bc
MD
173.IX Subsection "Cipher Feedback Mode (CFB)"
174Normally, this is found as the function \fIalgorithm\fR\fI_cfb_encrypt()\fR.
a561f9ff 175.IP "\(bu" 2
984263bc 176a number of bits (j) <= 64 are enciphered at a time.
a561f9ff 177.IP "\(bu" 2
984263bc
MD
178The \s-1CFB\s0 mode produces the same ciphertext whenever the same
179plaintext is encrypted using the same key and starting variable.
a561f9ff 180.IP "\(bu" 2
984263bc 181The chaining operation makes the ciphertext variables dependent on the
a561f9ff 182current and all preceding variables and therefore j\-bit variables are
984263bc 183chained together and can not be rearranged.
a561f9ff 184.IP "\(bu" 2
984263bc
MD
185The use of different starting variables prevents the same plaintext
186enciphering to the same ciphertext.
a561f9ff 187.IP "\(bu" 2
984263bc
MD
188The strength of the \s-1CFB\s0 mode depends on the size of k (maximal if
189j == k). In my implementation this is always the case.
a561f9ff 190.IP "\(bu" 2
984263bc
MD
191Selection of a small value for j will require more cycles through
192the encipherment algorithm per unit of plaintext and thus cause
193greater processing overheads.
a561f9ff 194.IP "\(bu" 2
984263bc 195Only multiples of j bits can be enciphered.
a561f9ff 196.IP "\(bu" 2
984263bc 197An error will affect the current and the following ciphertext variables.
01185282 198.SS "Output Feedback Mode (\s-1OFB\s0)"
984263bc
MD
199.IX Subsection "Output Feedback Mode (OFB)"
200Normally, this is found as the function \fIalgorithm\fR\fI_ofb_encrypt()\fR.
a561f9ff 201.IP "\(bu" 2
984263bc 202a number of bits (j) <= 64 are enciphered at a time.
a561f9ff 203.IP "\(bu" 2
984263bc
MD
204The \s-1OFB\s0 mode produces the same ciphertext whenever the same
205plaintext enciphered using the same key and starting variable. More
206over, in the \s-1OFB\s0 mode the same key stream is produced when the same
207key and start variable are used. Consequently, for security reasons
208a specific start variable should be used only once for a given key.
a561f9ff 209.IP "\(bu" 2
984263bc 210The absence of chaining makes the \s-1OFB\s0 more vulnerable to specific attacks.
a561f9ff 211.IP "\(bu" 2
984263bc
MD
212The use of different start variables values prevents the same
213plaintext enciphering to the same ciphertext, by producing different
214key streams.
a561f9ff 215.IP "\(bu" 2
984263bc
MD
216Selection of a small value for j will require more cycles through
217the encipherment algorithm per unit of plaintext and thus cause
218greater processing overheads.
a561f9ff 219.IP "\(bu" 2
984263bc 220Only multiples of j bits can be enciphered.
a561f9ff 221.IP "\(bu" 2
984263bc
MD
222\&\s-1OFB\s0 mode of operation does not extend ciphertext errors in the
223resultant plaintext output. Every bit error in the ciphertext causes
224only one bit to be in error in the deciphered plaintext.
a561f9ff 225.IP "\(bu" 2
e257b235 226\&\s-1OFB\s0 mode is not self-synchronizing. If the two operation of
984263bc 227encipherment and decipherment get out of synchronism, the system needs
e257b235 228to be re-initialized.
a561f9ff 229.IP "\(bu" 2
984263bc
MD
230Each re-initialization should use a value of the start variable
231different from the start variable values used before with the same
232key. The reason for this is that an identical bit stream would be
233produced each time from the same parameters. This would be
234susceptible to a 'known plaintext' attack.
01185282 235.SS "Triple \s-1ECB\s0 Mode"
984263bc
MD
236.IX Subsection "Triple ECB Mode"
237Normally, this is found as the function \fIalgorithm\fR\fI_ecb3_encrypt()\fR.
a561f9ff 238.IP "\(bu" 2
984263bc 239Encrypt with key1, decrypt with key2 and encrypt with key3 again.
a561f9ff 240.IP "\(bu" 2
984263bc
MD
241As for \s-1ECB\s0 encryption but increases the key length to 168 bits.
242There are theoretic attacks that can be used that make the effective
243key length 112 bits, but this attack also requires 2^56 blocks of
244memory, not very likely, even for the \s-1NSA\s0.
a561f9ff 245.IP "\(bu" 2
984263bc
MD
246If both keys are the same it is equivalent to encrypting once with
247just one key.
a561f9ff 248.IP "\(bu" 2
984263bc
MD
249If the first and last key are the same, the key length is 112 bits.
250There are attacks that could reduce the effective key strength
251to only slightly more than 56 bits, but these require a lot of memory.
a561f9ff 252.IP "\(bu" 2
984263bc
MD
253If all 3 keys are the same, this is effectively the same as normal
254ecb mode.
01185282 255.SS "Triple \s-1CBC\s0 Mode"
984263bc
MD
256.IX Subsection "Triple CBC Mode"
257Normally, this is found as the function \fIalgorithm\fR\fI_ede3_cbc_encrypt()\fR.
a561f9ff 258.IP "\(bu" 2
984263bc 259Encrypt with key1, decrypt with key2 and then encrypt with key3.
a561f9ff 260.IP "\(bu" 2
984263bc
MD
261As for \s-1CBC\s0 encryption but increases the key length to 168 bits with
262the same restrictions as for triple ecb mode.
263.SH "NOTES"
264.IX Header "NOTES"
265This text was been written in large parts by Eric Young in his original
266documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed
267it to:
268.PP
269.Vb 5
270\& AS 2805.5.2
271\& Australian Standard
e257b235
PA
272\& Electronic funds transfer \- Requirements for interfaces,
273\& Part 5.2: Modes of operation for an n\-bit block cipher algorithm
984263bc
MD
274\& Appendix A
275.Ve
276.SH "SEE ALSO"
277.IX Header "SEE ALSO"
a561f9ff
SS
278\&\fIblowfish\fR\|(3), \fIdes\fR\|(3), \fIidea\fR\|(3),
279\&\fIrc2\fR\|(3)