1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
|
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <mit-copyright.h>.
.\"
.\" $Id: des_crypt.3,v 1.2 1995/12/17 19:12:03 tholo Exp $
.TH DES_CRYPT 3 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
des_read_password, des_string_to_key, des_random_key, des_set_key_schedule,
des_ecb_encrypt, des_cbc_encrypt, des_pcbc_encrypt, des_cbc_cksum,
des_quad_cksum, \- (new) DES encryption
.SH SYNOPSIS
.nf
.nj
.ft B
#include <des.h>
.PP
.ft B
.B int des_read_password(key,prompt,verify)
des_cblock *key;
char *prompt;
int verify;
.PP
.ft B
int des_string_to_key(str,key)
char *str;
des_cblock key;
.PP
.ft B
int des_random_key(key)
des_cblock *key;
.PP
.ft B
int des_set_key_schedule(key,schedule)
des_cblock *key;
des_key_schedule schedule;
.PP
.ft B
int des_ecb_encrypt(input,output,schedule,encrypt)
des_cblock *input;
des_cblock *output;
des_key_schedule schedule;
int encrypt;
.PP
.ft B
int des_cbc_encrypt(input,output,length,schedule,ivec,encrypt)
des_cblock *input;
des_cblock *output;
long length;
des_key_schedule schedule;
des_cblock *ivec;
int encrypt;
.PP
.ft B
int des_pcbc_encrypt(input,output,length,schedule,ivec,encrypt)
des_cblock *input;
des_cblock *output;
long length;
des_key_schedule schedule;
des_cblock *ivec;
int encrypt;
.PP
.ft B
unsigned long des_cbc_cksum(input,output,length,schedule,ivec)
des_cblock *input;
des_cblock *output;
long length;
des_key_schedule schedule;
des_cblock *ivec;
.PP
.ft B
unsigned long quad_cksum(input,output,length,out_count,seed)
des_cblock *input;
des_cblock *output;
long length;
int out_count;
des_cblock *seed;
.PP
.fi
.SH DESCRIPTION
This library supports various DES encryption related operations. It differs
from the
.I crypt, setkey, and encrypt
library routines in that it provides
a true DES encryption, without modifying the algorithm,
and executes much faster.
.PP
For each key that may be simultaneously active, create a
.B des_key_schedule
struct,
defined in "des.h". Next, create key schedules (from the 8-byte keys) as
needed, via
.I des_set_key_schedule ,
prior to using the encryption or checksum routines. Then
setup the input and output areas. Make sure to note the restrictions
on lengths being multiples of eight bytes. Finally, invoke the
encryption/decryption routines,
.I des_ecb_encrypt
or
.I des_cbc_encrypt
or
.I des_pcbc_encrypt,
or, to generate a cryptographic checksum, use
.I quad_cksum
(fast) or
.I des_cbc_cksum
(slow).
.PP
A
.I des_cblock
struct is an 8 byte block used as the fundamental unit for DES data and
keys, and is defined as:
.PP
.B typedef unsigned char des_cblock[8];
.PP
and a
.I des_key_schedule,
is defined as:
.PP
.B typedef struct des_ks_struct {des_cblock _;} des_key_schedule[16];
.PP
.I des_read_password
writes the string specified by
.I prompt
to the standard
output, turns off echo (if possible)
and reads an input string from standard input until terminated with a newline.
If
.I verify
is non-zero, it prompts and reads input again, for use
in applications such as changing a password; both
versions are compared, and the input is requested repeatedly until they
match. Then
.I des_read_password
converts the input string into a valid DES key, internally
using the
.I des_string_to_key
routine. The newly created key is copied to the
area pointed to by the
.I key
argument.
.I des_read_password
returns a zero if no errors occurred, or a -1
indicating that an error
occurred trying to manipulate the terminal echo.
.PP
.PP
.I des_string_to_key
converts an arbitrary length null-terminated string
to an 8 byte DES key, with odd byte parity, per FIPS specification.
A one-way function is used to convert the string to a key, making it
very difficult to reconstruct the string from the key.
The
.I str
argument is a pointer to the string, and
.I key
should
point to a
.I des_cblock
supplied by the caller to receive the generated key.
No meaningful value is returned. Void is not used for compatibility with
other compilers.
.PP
.PP
.I des_random_key
generates a random DES encryption key (eight bytes), set to odd parity per
FIPS
specifications.
This routine uses the current time, process id, and a counter
as a seed for the random number generator.
The caller must supply space for the output key, pointed to
by argument
.I key,
then after calling
.I des_random_key
should
call the
.I des_set_key_schedule
routine when needed.
No meaningful value is returned. Void is not used for compatibility
with other compilers.
.PP
.PP
.I des_set_key_schedule
calculates a key schedule from all eight bytes of the input key, pointed
to by the
.I key
argument, and outputs the schedule into the
.I des_key_schedule
indicated by the
.I schedule
argument. Make sure to pass a valid eight byte
key; no padding is done. The key schedule may then be used in subsequent
encryption/decryption/checksum operations. Many key schedules may be
cached for later use. The user is responsible to clear keys and schedules
as soon as no longer needed, to prevent their disclosure.
The routine also checks the key
parity, and returns a zero if the key parity is correct (odd), a -1
indicating a key parity error, or a -2 indicating use of an illegal
weak key. If an error is returned, the key schedule was not created.
.PP
.PP
.I des_ecb_encrypt
is the basic DES encryption routine that encrypts or decrypts a single 8-byte
block in
.B electronic code book
mode. It always transforms the input data, pointed to by
.I input,
into the output data, pointed to by the
.I output
argument.
.PP
If the
.I encrypt
argument is non-zero, the
.I input
(cleartext) is encrypted into the
.I output
(ciphertext) using the key_schedule specified by the
.I schedule
argument, previously set via
.I des_set_key_schedule
.PP
If encrypt is zero, the
.I input
(now ciphertext) is decrypted into the
.I output
(now cleartext).
.PP
Input and output may overlap.
.PP
No meaningful value is returned. Void is not used for compatibility
with other compilers.
.PP
.PP
.I des_cbc_encrypt
encrypts/decrypts using the
.B cipher-block-chaining mode of DES.
If the
.I encrypt
argument is non-zero, the routine cipher-block-chain encrypts
the cleartext data pointed to by the
.I input
argument into the ciphertext pointed to by the
.I output
argument, using the key schedule provided by the
.I schedule
argument, and initialization vector provided by the
.I ivec
argument.
If the
.I length
argument is not an integral
multiple of eight bytes, the last block is copied to a temp and zero
filled (highest addresses). The output is ALWAYS an integral multiple
of eight bytes.
.PP
If
.I encrypt
is zero, the routine cipher-block chain decrypts the (now) ciphertext
data pointed to by the
.I input
argument into (now) cleartext pointed to by the
.I output
argument using the key schedule provided by the
.I schedule
argument, and initialization vector provided by the
.I ivec
argument. Decryption ALWAYS operates on integral
multiples of 8 bytes, so it will round the
.I length
provided up to the
appropriate multiple. Consequently, it will always produce the rounded-up
number of bytes of output cleartext. The application must determine if
the output cleartext was zero-padded due to original cleartext lengths that
were not integral multiples of 8.
.PP
No errors or meaningful values are returned. Void is not used for
compatibility with other compilers.
.PP
A characteristic of cbc mode is that changing a single bit of the
cleartext, then encrypting using cbc mode,
affects ALL the subsequent ciphertext. This makes cryptanalysis
much more difficult. However, modifying a single bit of the ciphertext,
then decrypting, only affects the resulting cleartext from
the modified block and the succeeding block. Therefore,
.I des_pcbc_encrypt
is STRONGLY recommended for applications where
indefinite propagation of errors is required in order to detect modifications.
.PP
.PP
.I des_pcbc_encrypt
encrypts/decrypts using a modified block chaining mode. Its calling
sequence is identical to
.I des_cbc_encrypt.
It differs in its error propagation characteristics.
.PP
.I des_pcbc_encrypt
is highly recommended for most encryption purposes, in that
modification of a single bit of the ciphertext will affect ALL the
subsequent (decrypted) cleartext. Similarly, modifying a single bit of
the cleartext will affect ALL the subsequent (encrypted) ciphertext.
"PCBC" mode, on encryption, "xors" both the
cleartext of block N and the ciphertext resulting from block N with the
cleartext for block N+1 prior to encrypting block N+1.
.PP
.I des_cbc_cksum
produces an 8 byte cryptographic checksum by cipher-block-chain
encrypting the cleartext data pointed to by the
.I input
argument. All of the ciphertext output is discarded, except the
last 8-byte ciphertext block, which is written into the area pointed to by
the
.I output
argument.
It uses the key schedule,
provided by the
.I schedule
argument and initialization vector provided by the
.I ivec
argument.
If the
.I length
argument is not an integral
multiple of eight bytes, the last cleartext block is copied to a temp and zero
filled (highest addresses). The output is ALWAYS eight bytes.
.PP
The routine also returns an unsigned long, which is the last (highest address)
half of the 8 byte checksum computed.
.PP
.PP
.I quad_cksum
produces a checksum by chaining quadratic operations on the cleartext data
pointed to by the
.I input
argument. The
.I length
argument specifies the length of the
input -- only exactly that many bytes are included for the checksum,
without any padding.
.PP
The algorithm may be iterated over the same input data, if the
.I out_count
argument is 2, 3 or 4, and the optional
.I output
argument is a non-null pointer .
The default is one iteration, and it will not run
more than 4 times. Multiple iterations run slower, but provide
a longer checksum if desired. The
.I seed
argument provides an 8-byte seed for the first iteration. If multiple iterations are
requested, the results of one iteration are automatically used as
the seed for the next iteration.
.PP
It returns both an unsigned long checksum value, and
if the
.I output
argument is not a null pointer, up to 16 bytes of
the computed checksum are written into the output.
.PP
.PP
.SH FILES
/usr/include/des.h
.br
/usr/lib/libdes.a
.SH "SEE ALSO"
.SH DIAGNOSTICS
.SH BUGS
This software has not yet been compiled or tested on machines other than the
VAX and the IBM PC.
.SH AUTHORS
Steve Miller, MIT Project Athena/Digital Equipment Corporation
.SH RESTRICTIONS
COPYRIGHT 1985,1986 Massachusetts Institute of Technology
.PP
This software may not be exported outside of the US without a special
license from the US Dept of Commerce. It may be replaced by any secret
key block cipher with block length and key length of 8 bytes, as long
as the interface is the same as described here.
|