DES Data Encryption
Usage: des [-edbhnrz-] [-k key] [ file1 file2 ... ]
des is a filter that encrypts or decrypts data read from the
files you specify, one after another, to stdout with the Data
Encryption Standard (DES). If no files are given, des reads
from stdin. If there are multiple files, they're simply
concatenated as they're read.
Either -e (encrypt) or -d (decrypt) must be specified. If the
key is not given on the command line with the -k option, des
will prompt for it, suppressing echo.
Options:
-e Encrypt.
-d Decrypt.
-b Electronic Code Book (ECB) mode is used. The default
is to use DES Cipher Block Chaining (CBC) mode with
an initial vector (IV) of all zeros. Under ECB mode,
each block of 8 bytes is enciphered independently,
depending only on the key. Under CBC mode, the
enciphering of each block also depends on the data
in the previous blocks. The default CBC mode is
considered somewhat more secure.
-k key Encryption key, typed as a simple ASCII string. DES
ignores the low-order bit of each key byte, so with an
ASCII key des sets the high-order bit of each byte for
odd parity; the information contained in the low-order
bit is thereby retained.
-x Hex key. The key string is a sequence of up to 16 hex
characters, right padded with zeros. With a hex key,
the low order bit of each byte is again ignored per
the DES algorithm. This allows the use of any arbitrary
56-bit key, including bytes representing control
characters that could not be typed.
-h Help. (This screen.)
Special Interchange Options:
Not all DES implementations are the same. There are a number of
early implementations in circulation that either poorly or
improperly implement DES. Cipher Block Chaining may not be
supported, forcing the use of the -b option. You may also
discover other flaws, necessitating that you experiment with
some of these special options:
-n Suppress parity calculation on an ASCII key. Just use
the low-order 7 bits of each character as-is.
-r Convert all \r\n sequences to \n on input and all
\n characters to \r\n sequences on output. (Some
implementers have used the C library stdio read and
write routines but have forgotten to use binary mode.)
-z Do not mark the last block with a length; just fill it
with binary zeros. If you encipher, then decipher a
file this way, the result will be padded with zeros
out to an 8-byte boundary.
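The key handling described under -k, -x and -n above, as an added Python example that is not the des utility's own code: it builds the 8-byte key each option would hand to DES and shows why the parity trick matters (with -n, two ASCII keys that differ only in a character's low-order bit become the same 56-bit DES key). It assumes ASCII keys shorter than 8 characters are right-padded with zero bytes, which the page does not state.

```python
# Added example (not the des utility's source). Builds the 8-byte key that the
# -k (ASCII, odd parity), -n (raw 7-bit) and -x (hex) options would hand to DES.
# Assumption not stated on the page: ASCII keys are truncated or right-padded
# with zero bytes to 8 bytes.

def odd_parity_byte(b: int) -> int:
    """Keep the low 7 bits and set bit 7 so the byte has an odd number of 1s.
    Because bit 7 then depends on bit 0, the low bit DES ignores is not lost."""
    low7 = b & 0x7F
    ones = bin(low7).count("1")
    return low7 | (0x80 if ones % 2 == 0 else 0x00)

def ascii_key(key: str, parity: bool = True) -> bytes:
    """-k behaviour when parity is True; -n behaviour (low 7 bits as-is) otherwise."""
    raw = key.encode("ascii")[:8].ljust(8, b"\x00")  # assumption: pad/truncate to 8
    if parity:
        return bytes(odd_parity_byte(b) for b in raw)
    return bytes(b & 0x7F for b in raw)

def hex_key(hexstr: str) -> bytes:
    """-x behaviour: up to 16 hex digits, right-padded with zeros to 16."""
    if len(hexstr) > 16:
        raise ValueError("hex key longer than 16 digits")
    return bytes.fromhex(hexstr.ljust(16, "0"))

def effective_key(key: bytes) -> bytes:
    """The 56 bits DES actually uses: the low bit of every byte is dropped."""
    return bytes(b & 0xFE for b in key)

def keys_collide(k1: str, k2: str, parity: bool) -> bool:
    """True if two ASCII key strings yield the same 56-bit DES key."""
    return effective_key(ascii_key(k1, parity)) == effective_key(ascii_key(k2, parity))

if __name__ == "__main__":
    # 'a' (0x61) and '`' (0x60) differ only in the low bit of one character.
    print("collide with -n:", keys_collide("a", "`", parity=False))  # True
    print("collide with -k:", keys_collide("a", "`", parity=True))   # False
    print("hex key:", hex_key("0123456789abcdef").hex())
```

The collision under -n is why that option shrinks the usable keyspace and should only be used when exchanging data with an implementation that requires it.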
If you encounter problems exchanging encrypted data with
another DES implementation, you should try all the various
combinations of the -b, -n, -r and -z options. (We've seen
one very poor implementation of DES that had all these flaws.)
Notes:
1. If you lose the key to a file encrypted with DES, there is
no known way to decrypt it. The data is lost.
2. When choosing keys, avoid anything obvious that someone else
might easily guess. E.g., don't use just your name or your
date of birth or a common word. Instead, choose a key with
a seemingly random mix of alphanumeric and punctuation
characters.
3. No encryption system should be considered perfectly secure.
Although there are no known practical methods for attacking
DES, such methods may exist.
4. Encryption can only protect data that's actually encrypted.
If you have copies of the clear text on your disk, anyone
with access to your machine may be able to read the data.
Also, even when a file is deleted, the contents may remain
on your disk, accessible to anyone with knowledge of the
file system.
5. If you would like to compress encrypted data, e.g., with
utilities such as WinZip, compress first, then encrypt.
The encryption process tends to destroy the redundancy in
the data that compression programs depend on.