Local adjustments for OpenSSL-1.0.1p.
[dragonfly.git] / secure / lib / libcrypto / man / des_modes.7
CommitLineData
5a44c043 1.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
984263bc
MD
2.\"
3.\" Standard preamble:
a561f9ff 4.\" ========================================================================
984263bc
MD
5.de Sp \" Vertical space (when we can't use .PP)
6.if t .sp .5v
7.if n .sp
8..
984263bc
MD
9.de Vb \" Begin verbatim text
10.ft CW
11.nf
12.ne \\$1
13..
14.de Ve \" End verbatim text
15.ft R
984263bc
MD
16.fi
17..
18.\" Set up some character translations and predefined strings. \*(-- will
19.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
e257b235
PA
20.\" double quote, and \*(R" will give a right double quote. \*(C+ will
21.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
22.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
23.\" nothing in troff, for use with C<>.
24.tr \(*W-
984263bc
MD
25.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
26.ie n \{\
27. ds -- \(*W-
28. ds PI pi
29. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
30. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
31. ds L" ""
32. ds R" ""
33. ds C` ""
34. ds C' ""
35'br\}
36.el\{\
37. ds -- \|\(em\|
38. ds PI \(*p
39. ds L" ``
40. ds R" ''
5a44c043
SW
41. ds C`
42. ds C'
984263bc
MD
43'br\}
44.\"
e257b235
PA
45.\" Escape single quotes in literal strings from groff's Unicode transform.
46.ie \n(.g .ds Aq \(aq
47.el .ds Aq '
48.\"
a561f9ff 49.\" If the F register is turned on, we'll generate index entries on stderr for
01185282 50.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
a561f9ff
SS
51.\" entries marked with X<> in POD. Of course, you'll have to process the
52.\" output yourself in some meaningful fashion.
5a44c043
SW
53.\"
54.\" Avoid warning from groff about undefined register 'F'.
55.de IX
984263bc 56..
5a44c043
SW
57.nr rF 0
58.if \n(.g .if rF .nr rF 1
59.if (\n(rF:(\n(.g==0)) \{
60. if \nF \{
61. de IX
62. tm Index:\\$1\t\\n%\t"\\$2"
e257b235 63..
5a44c043
SW
64. if !\nF==2 \{
65. nr % 0
66. nr F 2
67. \}
68. \}
e257b235 69.\}
5a44c043 70.rr rF
aac4ff6f 71.\"
984263bc
MD
72.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
73.\" Fear. Run. Save yourself. No user-serviceable parts.
984263bc
MD
74. \" fudge factors for nroff and troff
75.if n \{\
76. ds #H 0
77. ds #V .8m
78. ds #F .3m
79. ds #[ \f1
80. ds #] \fP
81.\}
82.if t \{\
83. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
84. ds #V .6m
85. ds #F 0
86. ds #[ \&
87. ds #] \&
88.\}
89. \" simple accents for nroff and troff
90.if n \{\
91. ds ' \&
92. ds ` \&
93. ds ^ \&
94. ds , \&
95. ds ~ ~
96. ds /
97.\}
98.if t \{\
99. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
100. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
101. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
102. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
103. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
104. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
105.\}
106. \" troff and (daisy-wheel) nroff accents
107.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
108.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
109.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
110.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
111.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
112.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
113.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
114.ds ae a\h'-(\w'a'u*4/10)'e
115.ds Ae A\h'-(\w'A'u*4/10)'E
116. \" corrections for vroff
117.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
118.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
119. \" for low resolution devices (crt and lpr)
120.if \n(.H>23 .if \n(.V>19 \
121\{\
122. ds : e
123. ds 8 ss
124. ds o a
125. ds d- d\h'-1'\(ga
126. ds D- D\h'-1'\(hy
127. ds th \o'bp'
128. ds Th \o'LP'
129. ds ae ae
130. ds Ae AE
131.\}
132.rm #[ #] #H #V #F C
a561f9ff 133.\" ========================================================================
984263bc 134.\"
a561f9ff 135.IX Title "DES_MODES 7"
7dc78669 136.TH DES_MODES 7 "2015-07-09" "1.0.1p" "OpenSSL"
e257b235
PA
137.\" For nroff, turn off justification. Always turn off hyphenation; it makes
138.\" way too many mistakes in technical documents.
139.if n .ad l
140.nh
984263bc 141.SH "NAME"
2c0715f4 142des_modes \- the variants of DES and other crypto algorithms of OpenSSL
984263bc
MD
143.SH "DESCRIPTION"
144.IX Header "DESCRIPTION"
145Several crypto algorithms for OpenSSL can be used in a number of modes. Those
146are used for using block ciphers in a way similar to stream ciphers, among
147other things.
148.SH "OVERVIEW"
149.IX Header "OVERVIEW"
01185282 150.SS "Electronic Codebook Mode (\s-1ECB\s0)"
984263bc
MD
151.IX Subsection "Electronic Codebook Mode (ECB)"
152Normally, this is found as the function \fIalgorithm\fR\fI_ecb_encrypt()\fR.
a561f9ff 153.IP "\(bu" 2
984263bc 15464 bits are enciphered at a time.
a561f9ff 155.IP "\(bu" 2
984263bc 156The order of the blocks can be rearranged without detection.
a561f9ff 157.IP "\(bu" 2
984263bc
MD
158The same plaintext block always produces the same ciphertext block
159(for the same key) making it vulnerable to a 'dictionary attack'.
a561f9ff 160.IP "\(bu" 2
984263bc 161An error will only affect one ciphertext block.
01185282 162.SS "Cipher Block Chaining Mode (\s-1CBC\s0)"
984263bc
MD
163.IX Subsection "Cipher Block Chaining Mode (CBC)"
164Normally, this is found as the function \fIalgorithm\fR\fI_cbc_encrypt()\fR.
5a44c043 165Be aware that \fIdes_cbc_encrypt()\fR is not really \s-1DES CBC \s0(it does
984263bc 166not update the \s-1IV\s0); use \fIdes_ncbc_encrypt()\fR instead.
a561f9ff 167.IP "\(bu" 2
984263bc 168a multiple of 64 bits are enciphered at a time.
a561f9ff 169.IP "\(bu" 2
984263bc
MD
170The \s-1CBC\s0 mode produces the same ciphertext whenever the same
171plaintext is encrypted using the same key and starting variable.
a561f9ff 172.IP "\(bu" 2
984263bc
MD
173The chaining operation makes the ciphertext blocks dependent on the
174current and all preceding plaintext blocks and therefore blocks can not
175be rearranged.
a561f9ff 176.IP "\(bu" 2
984263bc
MD
177The use of different starting variables prevents the same plaintext
178enciphering to the same ciphertext.
a561f9ff 179.IP "\(bu" 2
984263bc 180An error will affect the current and the following ciphertext blocks.
01185282 181.SS "Cipher Feedback Mode (\s-1CFB\s0)"
984263bc
MD
182.IX Subsection "Cipher Feedback Mode (CFB)"
183Normally, this is found as the function \fIalgorithm\fR\fI_cfb_encrypt()\fR.
a561f9ff 184.IP "\(bu" 2
984263bc 185a number of bits (j) <= 64 are enciphered at a time.
a561f9ff 186.IP "\(bu" 2
984263bc
MD
187The \s-1CFB\s0 mode produces the same ciphertext whenever the same
188plaintext is encrypted using the same key and starting variable.
a561f9ff 189.IP "\(bu" 2
984263bc 190The chaining operation makes the ciphertext variables dependent on the
a561f9ff 191current and all preceding variables and therefore j\-bit variables are
984263bc 192chained together and can not be rearranged.
a561f9ff 193.IP "\(bu" 2
984263bc
MD
194The use of different starting variables prevents the same plaintext
195enciphering to the same ciphertext.
a561f9ff 196.IP "\(bu" 2
984263bc
MD
197The strength of the \s-1CFB\s0 mode depends on the size of k (maximal if
198j == k). In my implementation this is always the case.
a561f9ff 199.IP "\(bu" 2
984263bc
MD
200Selection of a small value for j will require more cycles through
201the encipherment algorithm per unit of plaintext and thus cause
202greater processing overheads.
a561f9ff 203.IP "\(bu" 2
984263bc 204Only multiples of j bits can be enciphered.
a561f9ff 205.IP "\(bu" 2
984263bc 206An error will affect the current and the following ciphertext variables.
01185282 207.SS "Output Feedback Mode (\s-1OFB\s0)"
984263bc
MD
208.IX Subsection "Output Feedback Mode (OFB)"
209Normally, this is found as the function \fIalgorithm\fR\fI_ofb_encrypt()\fR.
a561f9ff 210.IP "\(bu" 2
984263bc 211a number of bits (j) <= 64 are enciphered at a time.
a561f9ff 212.IP "\(bu" 2
984263bc
MD
213The \s-1OFB\s0 mode produces the same ciphertext whenever the same
214plaintext enciphered using the same key and starting variable. More
215over, in the \s-1OFB\s0 mode the same key stream is produced when the same
216key and start variable are used. Consequently, for security reasons
217a specific start variable should be used only once for a given key.
a561f9ff 218.IP "\(bu" 2
984263bc 219The absence of chaining makes the \s-1OFB\s0 more vulnerable to specific attacks.
a561f9ff 220.IP "\(bu" 2
984263bc
MD
221The use of different start variables values prevents the same
222plaintext enciphering to the same ciphertext, by producing different
223key streams.
a561f9ff 224.IP "\(bu" 2
984263bc
MD
225Selection of a small value for j will require more cycles through
226the encipherment algorithm per unit of plaintext and thus cause
227greater processing overheads.
a561f9ff 228.IP "\(bu" 2
984263bc 229Only multiples of j bits can be enciphered.
a561f9ff 230.IP "\(bu" 2
984263bc
MD
231\&\s-1OFB\s0 mode of operation does not extend ciphertext errors in the
232resultant plaintext output. Every bit error in the ciphertext causes
233only one bit to be in error in the deciphered plaintext.
a561f9ff 234.IP "\(bu" 2
e257b235 235\&\s-1OFB\s0 mode is not self-synchronizing. If the two operation of
984263bc 236encipherment and decipherment get out of synchronism, the system needs
e257b235 237to be re-initialized.
a561f9ff 238.IP "\(bu" 2
984263bc
MD
239Each re-initialization should use a value of the start variable
240different from the start variable values used before with the same
241key. The reason for this is that an identical bit stream would be
242produced each time from the same parameters. This would be
243susceptible to a 'known plaintext' attack.
01185282 244.SS "Triple \s-1ECB\s0 Mode"
984263bc
MD
245.IX Subsection "Triple ECB Mode"
246Normally, this is found as the function \fIalgorithm\fR\fI_ecb3_encrypt()\fR.
a561f9ff 247.IP "\(bu" 2
984263bc 248Encrypt with key1, decrypt with key2 and encrypt with key3 again.
a561f9ff 249.IP "\(bu" 2
984263bc
MD
250As for \s-1ECB\s0 encryption but increases the key length to 168 bits.
251There are theoretic attacks that can be used that make the effective
252key length 112 bits, but this attack also requires 2^56 blocks of
5a44c043 253memory, not very likely, even for the \s-1NSA.\s0
a561f9ff 254.IP "\(bu" 2
984263bc
MD
255If both keys are the same it is equivalent to encrypting once with
256just one key.
a561f9ff 257.IP "\(bu" 2
984263bc
MD
258If the first and last key are the same, the key length is 112 bits.
259There are attacks that could reduce the effective key strength
260to only slightly more than 56 bits, but these require a lot of memory.
a561f9ff 261.IP "\(bu" 2
984263bc
MD
262If all 3 keys are the same, this is effectively the same as normal
263ecb mode.
01185282 264.SS "Triple \s-1CBC\s0 Mode"
984263bc
MD
265.IX Subsection "Triple CBC Mode"
266Normally, this is found as the function \fIalgorithm\fR\fI_ede3_cbc_encrypt()\fR.
a561f9ff 267.IP "\(bu" 2
984263bc 268Encrypt with key1, decrypt with key2 and then encrypt with key3.
a561f9ff 269.IP "\(bu" 2
984263bc
MD
270As for \s-1CBC\s0 encryption but increases the key length to 168 bits with
271the same restrictions as for triple ecb mode.
272.SH "NOTES"
273.IX Header "NOTES"
274This text was been written in large parts by Eric Young in his original
275documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed
276it to:
277.PP
278.Vb 5
279\& AS 2805.5.2
280\& Australian Standard
e257b235
PA
281\& Electronic funds transfer \- Requirements for interfaces,
282\& Part 5.2: Modes of operation for an n\-bit block cipher algorithm
984263bc
MD
283\& Appendix A
284.Ve
285.SH "SEE ALSO"
286.IX Header "SEE ALSO"
a561f9ff
SS
287\&\fIblowfish\fR\|(3), \fIdes\fR\|(3), \fIidea\fR\|(3),
288\&\fIrc2\fR\|(3)