| 1 | =pod
|
|---|
| 2 |
|
|---|
| 3 | =head1 NAME
|
|---|
| 4 |
|
|---|
| 5 | des_modes - the variants of DES and other crypto algorithms of OpenSSL
|
|---|
| 6 |
|
|---|
| 7 | =head1 DESCRIPTION
|
|---|
| 8 |
|
|---|
| 9 | Several crypto algorithms for OpenSSL can be used in a number of modes. Those
|
|---|
| 10 | are used for using block ciphers in a way similar to stream ciphers, among
|
|---|
| 11 | other things.
|
|---|
| 12 |
|
|---|
| 13 | =head1 OVERVIEW
|
|---|
| 14 |
|
|---|
| 15 | =head2 Electronic Codebook Mode (ECB)
|
|---|
| 16 |
|
|---|
| 17 | Normally, this is found as the function I<algorithm>_ecb_encrypt().
|
|---|
| 18 |
|
|---|
| 19 | =over 2
|
|---|
| 20 |
|
|---|
| 21 | =item *
|
|---|
| 22 |
|
|---|
| 23 | 64 bits are enciphered at a time.
|
|---|
| 24 |
|
|---|
| 25 | =item *
|
|---|
| 26 |
|
|---|
| 27 | The order of the blocks can be rearranged without detection.
|
|---|
| 28 |
|
|---|
| 29 | =item *
|
|---|
| 30 |
|
|---|
| 31 | The same plaintext block always produces the same ciphertext block
|
|---|
| 32 | (for the same key) making it vulnerable to a 'dictionary attack'.
|
|---|
| 33 |
|
|---|
| 34 | =item *
|
|---|
| 35 |
|
|---|
| 36 | An error will only affect one ciphertext block.
|
|---|
| 37 |
|
|---|
| 38 | =back
|
|---|
| 39 |
|
|---|
| 40 | =head2 Cipher Block Chaining Mode (CBC)
|
|---|
| 41 |
|
|---|
| 42 | Normally, this is found as the function I<algorithm>_cbc_encrypt().
|
|---|
| 43 | Be aware that des_cbc_encrypt() is not really DES CBC (it does
|
|---|
| 44 | not update the IV); use des_ncbc_encrypt() instead.
|
|---|
| 45 |
|
|---|
| 46 | =over 2
|
|---|
| 47 |
|
|---|
| 48 | =item *
|
|---|
| 49 |
|
|---|
| 50 | a multiple of 64 bits are enciphered at a time.
|
|---|
| 51 |
|
|---|
| 52 | =item *
|
|---|
| 53 |
|
|---|
| 54 | The CBC mode produces the same ciphertext whenever the same
|
|---|
| 55 | plaintext is encrypted using the same key and starting variable.
|
|---|
| 56 |
|
|---|
| 57 | =item *
|
|---|
| 58 |
|
|---|
| 59 | The chaining operation makes the ciphertext blocks dependent on the
|
|---|
| 60 | current and all preceding plaintext blocks and therefore blocks can not
|
|---|
| 61 | be rearranged.
|
|---|
| 62 |
|
|---|
| 63 | =item *
|
|---|
| 64 |
|
|---|
| 65 | The use of different starting variables prevents the same plaintext
|
|---|
| 66 | enciphering to the same ciphertext.
|
|---|
| 67 |
|
|---|
| 68 | =item *
|
|---|
| 69 |
|
|---|
| 70 | An error will affect the current and the following ciphertext blocks.
|
|---|
| 71 |
|
|---|
| 72 | =back
|
|---|
| 73 |
|
|---|
| 74 | =head2 Cipher Feedback Mode (CFB)
|
|---|
| 75 |
|
|---|
| 76 | Normally, this is found as the function I<algorithm>_cfb_encrypt().
|
|---|
| 77 |
|
|---|
| 78 | =over 2
|
|---|
| 79 |
|
|---|
| 80 | =item *
|
|---|
| 81 |
|
|---|
| 82 | a number of bits (j) <= 64 are enciphered at a time.
|
|---|
| 83 |
|
|---|
| 84 | =item *
|
|---|
| 85 |
|
|---|
| 86 | The CFB mode produces the same ciphertext whenever the same
|
|---|
| 87 | plaintext is encrypted using the same key and starting variable.
|
|---|
| 88 |
|
|---|
| 89 | =item *
|
|---|
| 90 |
|
|---|
| 91 | The chaining operation makes the ciphertext variables dependent on the
|
|---|
| 92 | current and all preceding variables and therefore j-bit variables are
|
|---|
| 93 | chained together and can not be rearranged.
|
|---|
| 94 |
|
|---|
| 95 | =item *
|
|---|
| 96 |
|
|---|
| 97 | The use of different starting variables prevents the same plaintext
|
|---|
| 98 | enciphering to the same ciphertext.
|
|---|
| 99 |
|
|---|
| 100 | =item *
|
|---|
| 101 |
|
|---|
| 102 | The strength of the CFB mode depends on the size of k (maximal if
|
|---|
| 103 | j == k). In my implementation this is always the case.
|
|---|
| 104 |
|
|---|
| 105 | =item *
|
|---|
| 106 |
|
|---|
| 107 | Selection of a small value for j will require more cycles through
|
|---|
| 108 | the encipherment algorithm per unit of plaintext and thus cause
|
|---|
| 109 | greater processing overheads.
|
|---|
| 110 |
|
|---|
| 111 | =item *
|
|---|
| 112 |
|
|---|
| 113 | Only multiples of j bits can be enciphered.
|
|---|
| 114 |
|
|---|
| 115 | =item *
|
|---|
| 116 |
|
|---|
| 117 | An error will affect the current and the following ciphertext variables.
|
|---|
| 118 |
|
|---|
| 119 | =back
|
|---|
| 120 |
|
|---|
| 121 | =head2 Output Feedback Mode (OFB)
|
|---|
| 122 |
|
|---|
| 123 | Normally, this is found as the function I<algorithm>_ofb_encrypt().
|
|---|
| 124 |
|
|---|
| 125 | =over 2
|
|---|
| 126 |
|
|---|
| 127 | =item *
|
|---|
| 128 |
|
|---|
| 129 | a number of bits (j) <= 64 are enciphered at a time.
|
|---|
| 130 |
|
|---|
| 131 | =item *
|
|---|
| 132 |
|
|---|
| 133 | The OFB mode produces the same ciphertext whenever the same
|
|---|
| 134 | plaintext enciphered using the same key and starting variable. More
|
|---|
| 135 | over, in the OFB mode the same key stream is produced when the same
|
|---|
| 136 | key and start variable are used. Consequently, for security reasons
|
|---|
| 137 | a specific start variable should be used only once for a given key.
|
|---|
| 138 |
|
|---|
| 139 | =item *
|
|---|
| 140 |
|
|---|
| 141 | The absence of chaining makes the OFB more vulnerable to specific attacks.
|
|---|
| 142 |
|
|---|
| 143 | =item *
|
|---|
| 144 |
|
|---|
| 145 | The use of different start variables values prevents the same
|
|---|
| 146 | plaintext enciphering to the same ciphertext, by producing different
|
|---|
| 147 | key streams.
|
|---|
| 148 |
|
|---|
| 149 | =item *
|
|---|
| 150 |
|
|---|
| 151 | Selection of a small value for j will require more cycles through
|
|---|
| 152 | the encipherment algorithm per unit of plaintext and thus cause
|
|---|
| 153 | greater processing overheads.
|
|---|
| 154 |
|
|---|
| 155 | =item *
|
|---|
| 156 |
|
|---|
| 157 | Only multiples of j bits can be enciphered.
|
|---|
| 158 |
|
|---|
| 159 | =item *
|
|---|
| 160 |
|
|---|
| 161 | OFB mode of operation does not extend ciphertext errors in the
|
|---|
| 162 | resultant plaintext output. Every bit error in the ciphertext causes
|
|---|
| 163 | only one bit to be in error in the deciphered plaintext.
|
|---|
| 164 |
|
|---|
| 165 | =item *
|
|---|
| 166 |
|
|---|
| 167 | OFB mode is not self-synchronizing. If the two operation of
|
|---|
| 168 | encipherment and decipherment get out of synchronism, the system needs
|
|---|
| 169 | to be re-initialized.
|
|---|
| 170 |
|
|---|
| 171 | =item *
|
|---|
| 172 |
|
|---|
| 173 | Each re-initialization should use a value of the start variable
|
|---|
| 174 | different from the start variable values used before with the same
|
|---|
| 175 | key. The reason for this is that an identical bit stream would be
|
|---|
| 176 | produced each time from the same parameters. This would be
|
|---|
| 177 | susceptible to a 'known plaintext' attack.
|
|---|
| 178 |
|
|---|
| 179 | =back
|
|---|
| 180 |
|
|---|
| 181 | =head2 Triple ECB Mode
|
|---|
| 182 |
|
|---|
| 183 | Normally, this is found as the function I<algorithm>_ecb3_encrypt().
|
|---|
| 184 |
|
|---|
| 185 | =over 2
|
|---|
| 186 |
|
|---|
| 187 | =item *
|
|---|
| 188 |
|
|---|
| 189 | Encrypt with key1, decrypt with key2 and encrypt with key3 again.
|
|---|
| 190 |
|
|---|
| 191 | =item *
|
|---|
| 192 |
|
|---|
| 193 | As for ECB encryption but increases the key length to 168 bits.
|
|---|
| 194 | There are theoretic attacks that can be used that make the effective
|
|---|
| 195 | key length 112 bits, but this attack also requires 2^56 blocks of
|
|---|
| 196 | memory, not very likely, even for the NSA.
|
|---|
| 197 |
|
|---|
| 198 | =item *
|
|---|
| 199 |
|
|---|
| 200 | If both keys are the same it is equivalent to encrypting once with
|
|---|
| 201 | just one key.
|
|---|
| 202 |
|
|---|
| 203 | =item *
|
|---|
| 204 |
|
|---|
| 205 | If the first and last key are the same, the key length is 112 bits.
|
|---|
| 206 | There are attacks that could reduce the effective key strength
|
|---|
| 207 | to only slightly more than 56 bits, but these require a lot of memory.
|
|---|
| 208 |
|
|---|
| 209 | =item *
|
|---|
| 210 |
|
|---|
| 211 | If all 3 keys are the same, this is effectively the same as normal
|
|---|
| 212 | ecb mode.
|
|---|
| 213 |
|
|---|
| 214 | =back
|
|---|
| 215 |
|
|---|
| 216 | =head2 Triple CBC Mode
|
|---|
| 217 |
|
|---|
| 218 | Normally, this is found as the function I<algorithm>_ede3_cbc_encrypt().
|
|---|
| 219 |
|
|---|
| 220 | =over 2
|
|---|
| 221 |
|
|---|
| 222 | =item *
|
|---|
| 223 |
|
|---|
| 224 | Encrypt with key1, decrypt with key2 and then encrypt with key3.
|
|---|
| 225 |
|
|---|
| 226 | =item *
|
|---|
| 227 |
|
|---|
| 228 | As for CBC encryption but increases the key length to 168 bits with
|
|---|
| 229 | the same restrictions as for triple ecb mode.
|
|---|
| 230 |
|
|---|
| 231 | =back
|
|---|
| 232 |
|
|---|
| 233 | =head1 NOTES
|
|---|
| 234 |
|
|---|
| 235 | This text was been written in large parts by Eric Young in his original
|
|---|
| 236 | documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed
|
|---|
| 237 | it to:
|
|---|
| 238 |
|
|---|
| 239 | AS 2805.5.2
|
|---|
| 240 | Australian Standard
|
|---|
| 241 | Electronic funds transfer - Requirements for interfaces,
|
|---|
| 242 | Part 5.2: Modes of operation for an n-bit block cipher algorithm
|
|---|
| 243 | Appendix A
|
|---|
| 244 |
|
|---|
| 245 | =head1 SEE ALSO
|
|---|
| 246 |
|
|---|
| 247 | L<BF_encrypt(3)>, L<DES_crypt(3)>
|
|---|
| 248 |
|
|---|
| 249 | =head1 COPYRIGHT
|
|---|
| 250 |
|
|---|
| 251 | Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
|
|---|
| 252 |
|
|---|
| 253 | Licensed under the OpenSSL license (the "License"). You may not use
|
|---|
| 254 | this file except in compliance with the License. You can obtain a copy
|
|---|
| 255 | in the file LICENSE in the source distribution or at
|
|---|
| 256 | L<https://www.openssl.org/source/license.html>.
|
|---|
| 257 |
|
|---|
| 258 | =cut
|
|---|
