

DES(1)                                                                 DES(1)


NAME
  des - encrypt or decrypt data using Data Encryption Standard

SYNOPSIS
  ddeess ( --ee | --EE ) | ( --dd | --DD ) | ( --[ccCC][cckknnaammee] ) | [ --bb33hhffss ] [ --kk _k_e_y ] ]
  [ --uu[_u_u_n_a_m_e] [ _i_n_p_u_t_-_f_i_l_e [ _o_u_t_p_u_t_-_f_i_l_e ] ]

DESCRIPTION
  ddeess encrypts and decrypts data using the Data Encryption Standard algo-
  rithm.  One of --ee,, --EE (for encrypt) or --dd,, --DD (for decrypt) must be speci-
  fied.  It is also possible to use --cc or --CC in conjunction or instead of the
  a encrypt/decrypt option to generate a 16 character hexadecimal checksum,
  generated via the _d_e_s___c_b_c___c_k_s_u_m_.

  Two standard encryption modes are supported by the ddeess program, Cipher
  Block Chaining (the default) and Electronic Code Book (specified with --bb ).

  The key used for the DES algorithm is obtained by prompting the user unless
  the ``--kk _k_e_y_' option is given.  If the key is an argument to the ddeess com-
  mand, it is potentially visible to users executing ppss(1) or a derivative.
  To minimise this possibility, ddeess takes care to destroy the key argument
  immediately upon entry.  If your shell keeps a history file be careful to
  make sure it is not world readable.

  Since this program attempts to maintain compatibility with SunOS's des(1)
  command, there are 2 different methods used to convert the user supplied
  key to a des key.  Whenever and one or more of --EE,, --DD,, --CC or --33 options are
  used, the key conversion procedure will not be compatible with the SunOS
  des(1) version but will use all the user supplied character to generate the
  des key.  ddeess command reads from standard input unless _i_n_p_u_t_-_f_i_l_e is speci-
  fied and writes to standard output unless _o_u_t_p_u_t_-_f_i_l_e is given.

OPTIONS

  --bb   Select ECB (eight bytes at a time) encryption mode.

  --33   Encrypt using triple encryption.  By default triple cbc encryption is
       used but if the --bb option is used then triple ecb encryption is per-
       formed.  If the key is less than 8 characters long, the flag has no
       effect.

  --ee   Encrypt data using an 8 byte key in a manner compatible with SunOS
       des(1).

  --EE   Encrypt data using a key of nearly unlimited length (1024 bytes).
       This will product a more secure encryption.

  --dd   Decrypt data that was encrypted with the -e option.

  --DD   Decrypt data that was encrypted with the -E option.

  --cc   Generate a 16 character hexadecimal cbc checksum and output this to
       stderr.  If a filename was specified after the --cc option, the checksum
       is output to that file.  The checksum is generated using a key gener-
       ated in a SunOS compatible manner.

  --CC   A cbc checksum is generated in the same manner as described for the --cc
       option but the DES key is generated in the same manner as used for the
       --EE and --DD options

  --ff   Does nothing - allowed for compatibility with SunOS des(1) command.

  --ss   Does nothing - allowed for compatibility with SunOS des(1) command.

  --kk _k_e_y
       Use the encryption _k_e_y specified.

  --hh   The _k_e_y is assumed to be a 16 character hexadecimal number.  If the --33
       option is used the key is assumed to be a 32 character hexadecimal
       number.

  --uu   This flag is used to read and write uuencoded files.  If decrypting,
       the input file is assumed to contain uuencoded, DES encrypted data.
       If encrypting, the characters following the -u are used as the name of
       the uuencoded file to embed in the begin line of the uuencoded output.
       If there is no name specified after the -u, the name text.des will be
       embedded in the header.

SEE ALSO
  ppss ((11)) ddeess__ccrryypptt((33))

BUGS

  The problem with using the --ee option is the short key length.  It would be
  better to use a real 56-bit key rather than an ASCII-based 56-bit pattern.
  Knowing that the key was derived from ASCII radically reduces the time nec-
  essary for a brute-force cryptographic attack.  My attempt to remove this
  problem is to add an alternative text-key to DES-key function.  This alter-
  native function (accessed via --EE,, --DD,, --SS and --33 ) uses DES to help generate
  the key.

  Be carefully when using the -u option.  Doing des -ud <filename> will not
  decrypt filename (the -u option will gobble the d option).

  The VMS operating system operates in a world where files are always a mul-
  tiple of 512 bytes.  This causes problems when encrypted data is send from
  unix to VMS since a 88 byte file will suddenly be padded with 424 null
  bytes.  To get around this problem, use the -u option to uuencode the data
  before it is send to the VMS system.

AUTHOR

  Eric Young (eay@mincom.oz.au or eay@psych.psy.uq.oz.au)