=pod

=head1 NAME

Modes of DES - the variants of DES and other crypto algorithms of OpenSSL

=head1 DESCRIPTION

Several of the block ciphers in OpenSSL can be used in a number of modes of
operation. Some of these modes (CFB, OFB) use the block cipher in a way
similar to a stream cipher; others (CBC) chain the blocks together so that
repeated plaintext does not show up as repeated ciphertext. All of them are
described here for a 64-bit block cipher such as DES. None of them provides
integrity: a ciphertext can be modified without the receiver noticing unless a
separate MAC is applied.

=head1 OVERVIEW

=head2 Electronic Codebook Mode (ECB)

Normally, this is found as the function I<algorithm>_ecb_encrypt().

=over 2

=item *

64 bits are enciphered at a time.

=item *

The order of the blocks can be rearranged without detection.

=item *

The same plaintext block always produces the same ciphertext block
(for the same key), so repeated plaintext is visible in the ciphertext,
and an attacker who learns plaintext/ciphertext pairs can build a code
book of them (a 'dictionary attack').

=item *

A bit error in a ciphertext block affects only that block's plaintext.

=back

=head2 Cipher Block Chaining Mode (CBC)

Normally, this is found as the function I<algorithm>_cbc_encrypt().
Be aware that des_cbc_encrypt() is not really DES CBC (it does
not update the IV, so consecutive calls all restart the chain from the
original IV); use des_ncbc_encrypt() instead.

=over 2

=item *

A multiple of 64 bits is enciphered at a time.

=item *

The CBC mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable (IV).

=item *

The chaining operation makes each ciphertext block dependent on the
current and all preceding plaintext blocks, and therefore blocks can not
be rearranged without garbling the decrypted plaintext. Note that this is
not an integrity check: the application has to notice the garbage.

=item *

The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.

=item *

A bit error in a ciphertext block garbles the plaintext of that block
completely and flips the corresponding bit in the following plaintext
block; all later blocks decrypt correctly.

=back
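
The ECB and CBC behaviour described above, as an added example that is not
part of the original documentation and not OpenSSL code: it uses Go's
standard-library DES (crypto/des, crypto/cipher) in place of the OpenSSL DES
API, with a key, IV and message strings constructed for the demonstration.
ecb() is written out by hand (Go ships no ECB mode) to show identical blocks
leaking and a block swap going undetected; CBCAcrossCalls() reproduces the
des_cbc_encrypt()/des_ncbc_encrypt() difference by either carrying the
chaining state across two calls or restarting each call from the original IV;
CBCBitFlip() shows how far a single ciphertext bit error spreads.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"math/bits"
)

// Constructed sample key and IV for the demonstration; not real secrets.
var (
	demoKey = []byte("8bytekey")
	demoIV  = []byte("initvect")
)

// desBlock returns a single-DES block cipher (64-bit block, 56 effective key bits).
func desBlock(key []byte) cipher.Block {
	b, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// ecb applies the raw block function to each 8-byte block on its own.
func ecb(key, in []byte, encrypt bool) []byte {
	b := desBlock(key)
	out := make([]byte, len(in))
	for i := 0; i+8 <= len(in); i += 8 {
		if encrypt {
			b.Encrypt(out[i:i+8], in[i:i+8])
		} else {
			b.Decrypt(out[i:i+8], in[i:i+8])
		}
	}
	return out
}

// cbc processes a whole multiple-of-8 buffer in one call, starting from iv.
func cbc(key, iv, in []byte, encrypt bool) []byte {
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(desBlock(key), iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(desBlock(key), iv).CryptBlocks(out, in)
	}
	return out
}

// ECBLeaksAndReorders: equal plaintext blocks give equal ciphertext blocks,
// and swapping two ciphertext blocks decrypts cleanly to swapped plaintext.
func ECBLeaksAndReorders() (sameBlocks, swapUndetected bool) {
	pt := []byte("BLOCK_A1BLOCK_B2BLOCK_A1") // blocks 0 and 2 are identical
	ct := ecb(demoKey, pt, true)
	sameBlocks = bytes.Equal(ct[0:8], ct[16:24])
	swapped := bytes.Join([][]byte{ct[8:16], ct[0:8], ct[16:24]}, nil)
	swapUndetected = bytes.Equal(ecb(demoKey, swapped, false), []byte("BLOCK_B2BLOCK_A1BLOCK_A1"))
	return
}

// CBCAcrossCalls encrypts a 4-block message in two 2-block calls. Carrying the
// chaining state (what des_ncbc_encrypt does by writing the last ciphertext
// block back into ivec) matches the one-shot result; restarting every call
// from the original IV (the des_cbc_encrypt behaviour) does not, and because
// blocks 0 and 2 are equal the restarted ciphertext repeats block 0 as block 2.
func CBCAcrossCalls() (carriedOK, restartedOK, restartedLeaks bool) {
	msg := []byte("first 8 second 8first 8 third  8")
	oneShot := cbc(demoKey, demoIV, msg, true)

	carried := make([]byte, len(msg))
	m := cipher.NewCBCEncrypter(desBlock(demoKey), demoIV)
	m.CryptBlocks(carried[:16], msg[:16]) // the running IV lives on inside m
	m.CryptBlocks(carried[16:], msg[16:])

	restarted := append(cbc(demoKey, demoIV, msg[:16], true), cbc(demoKey, demoIV, msg[16:], true)...)

	carriedOK = bytes.Equal(carried, oneShot)
	restartedOK = bytes.Equal(restarted, oneShot)
	restartedLeaks = bytes.Equal(restarted[0:8], restarted[16:24])
	return
}

// CBCBitFlip flips one bit in ciphertext block 1 of a 4-block message: the
// decrypted block 1 is garbled, block 2 has exactly that one bit flipped, and
// blocks 0 and 3 are untouched.
func CBCBitFlip() (block1Garbled bool, block2DiffBits int, othersIntact bool) {
	pt := []byte("0123456789abcdefghijklmnopqrstuv")
	ct := cbc(demoKey, demoIV, pt, true)
	ct[8] ^= 0x01
	dec := cbc(demoKey, demoIV, ct, false)
	block1Garbled = !bytes.Equal(dec[8:16], pt[8:16])
	for i := 16; i < 24; i++ {
		block2DiffBits += bits.OnesCount8(dec[i] ^ pt[i])
	}
	othersIntact = bytes.Equal(dec[0:8], pt[0:8]) && bytes.Equal(dec[24:], pt[24:])
	return
}

func main() {
	fmt.Println(ECBLeaksAndReorders())
	fmt.Println(CBCAcrossCalls())
	fmt.Println(CBCBitFlip())
}
```

Run it with go run. The restarted variant is not merely different from
one-shot CBC: whenever two calls begin with the same plaintext block, their
first ciphertext blocks coincide, which is the ECB-style leak that updating the
IV between calls is there to prevent.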

=head2 Cipher Feedback Mode (CFB)

Normally, this is found as the function I<algorithm>_cfb_encrypt().

=over 2

=item *

A number of bits (j) <= 64 are enciphered at a time. Only the encryption
direction of the block cipher is used, for both enciphering and deciphering.

=item *

The CFB mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable.

=item *

The chaining operation makes the ciphertext variables dependent on the
current and all preceding variables and therefore j-bit variables are
chained together and can not be rearranged.

=item *

The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.

=item *

The strength of the CFB mode depends on k, the number of ciphertext bits
fed back into the shift register at each step (maximal if j == k).
In OpenSSL's implementation this is always the case.

=item *

Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.

=item *

Only multiples of j bits can be enciphered.

=item *

A bit error in a ciphertext variable flips the corresponding plaintext bit
and garbles the next 64/j variables (rounded up), while the bad bits are
still in the shift register; after that decipherment resynchronises by
itself.

=back

=head2 Output Feedback Mode (OFB)

Normally, this is found as the function I<algorithm>_ofb_encrypt().

=over 2

=item *

A number of bits (j) <= 64 are enciphered at a time.

=item *

The OFB mode produces the same ciphertext whenever the same
plaintext is enciphered using the same key and starting variable.
Moreover, in the OFB mode the same key stream is produced whenever the same
key and start variable are used. Consequently, for security reasons
a specific start variable should be used only once for a given key.

=item *

The absence of chaining makes OFB more vulnerable to specific attacks:
the key stream does not depend on the plaintext, so flipping a ciphertext
bit flips exactly the corresponding plaintext bit, and an attacker who
knows part of the plaintext can change it to any value.

=item *

The use of different start variable values prevents the same
plaintext enciphering to the same ciphertext, by producing different
key streams.

=item *

Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.

=item *

Only multiples of j bits can be enciphered.

=item *

OFB mode of operation does not extend ciphertext errors in the
resultant plaintext output. Every bit error in the ciphertext causes
only one bit to be in error in the deciphered plaintext.

=item *

OFB mode is not self-synchronizing. If the two operations of
encipherment and decipherment get out of synchronism, the system needs
to be re-initialized.

=item *

Each re-initialization should use a value of the start variable
different from the start variable values used before with the same
key. The reason for this is that an identical key stream would be
produced each time from the same parameters, so one known plaintext
would reveal every other message enciphered with that stream (a
'known plaintext' attack).

=back
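
The CFB and OFB modes above, as an added example that is not taken from the
original documentation or from OpenSSL: Go's standard-library DES stands in
for the OpenSSL DES API, and the key, IV and messages are constructed for the
demonstration. cfbJ() implements j-bit CFB for j a multiple of 8 (the OpenSSL
function accepts any j up to 64) and ofb() the 64-bit OFB, both using only the
forward block function; MatchesStdlib() cross-checks them against
cipher.NewCFBEncrypter and cipher.NewOFB; OFBKeyStreamReuse() shows why a
start variable must not be reused with the same key; ErrorPropagation()
contrasts the single-bit error of OFB with the self-resynchronising burst of
CFB.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"math/bits"
)

// Constructed sample key and IV for the demonstration; not real secrets.
var demoKey, demoIV = []byte("8bytekey"), []byte("initvect")

func desBlock(key []byte) cipher.Block {
	b, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// cfbJ is j-bit CFB (j a multiple of 8, j <= 64) built from the forward block
// function only: O = E(R); C = P xor O[:j/8]; the j ciphertext bits are then
// shifted into the 64-bit register R (so k == j). Deciphering is the same loop.
func cfbJ(key, iv, in []byte, j int, encrypt bool) []byte {
	b, n := desBlock(key), j/8
	reg, o, out := append([]byte{}, iv...), make([]byte, 8), make([]byte, len(in))
	feedback := out // the ciphertext is what gets fed back ...
	if !encrypt {
		feedback = in // ... and when deciphering it is the input
	}
	for i := 0; i+n <= len(in); i += n {
		b.Encrypt(o, reg)
		for t := 0; t < n; t++ {
			out[i+t] = in[i+t] ^ o[t]
		}
		reg = append(reg[n:], feedback[i:i+n]...)
	}
	return out
}

// ofb XORs the data with the key stream E(IV), E(E(IV)), ...; plaintext never
// enters the feedback, so enciphering and deciphering are the same call.
func ofb(key, iv, in []byte) []byte {
	b := desBlock(key)
	reg, out := append([]byte{}, iv...), make([]byte, len(in))
	for i := 0; i+8 <= len(in); i += 8 {
		b.Encrypt(reg, reg)
		for t := 0; t < 8; t++ {
			out[i+t] = in[i+t] ^ reg[t]
		}
	}
	return out
}

// MatchesStdlib cross-checks the hand-written modes against crypto/cipher.
func MatchesStdlib() (cfbOK, ofbOK bool) {
	pt := []byte("feedback modes need E() only, never D()!") // 40 bytes
	std := make([]byte, len(pt))
	cipher.NewCFBEncrypter(desBlock(demoKey), demoIV).XORKeyStream(std, pt)
	cfbOK = bytes.Equal(cfbJ(demoKey, demoIV, pt, 64, true), std)
	cipher.NewOFB(desBlock(demoKey), demoIV).XORKeyStream(std, pt)
	ofbOK = bytes.Equal(ofb(demoKey, demoIV, pt), std)
	return
}

// OFBKeyStreamReuse: two messages under one (key, IV) share a key stream, so
// p1 and the two ciphertexts give p2 = p1 xor c1 xor c2 without any key.
func OFBKeyStreamReuse() bool {
	p1, p2 := []byte("transfer 0000100 to acct"), []byte("transfer 9999999 to acct")
	c1, c2 := ofb(demoKey, demoIV, p1), ofb(demoKey, demoIV, p2)
	recovered := make([]byte, len(p2))
	for i := range recovered {
		recovered[i] = p1[i] ^ c1[i] ^ c2[i]
	}
	return bytes.Equal(recovered, p2)
}

// ErrorPropagation flips ciphertext byte 3, bit 0, and deciphers. OFB: exactly
// one plaintext bit is wrong. 8-bit CFB: that bit is wrong, bytes 4..11 are
// garbage while the bad byte moves through the register, byte 12 on is in sync.
func ErrorPropagation() (ofbDiffBits, cfbByte3DiffBits int, cfbGarbled, cfbResynced bool) {
	pt := []byte("0123456789abcdefghijklmnopqrstuv")
	c := ofb(demoKey, demoIV, pt)
	c[3] ^= 0x01
	for i, x := range ofb(demoKey, demoIV, c) {
		ofbDiffBits += bits.OnesCount8(x ^ pt[i])
	}
	c = cfbJ(demoKey, demoIV, pt, 8, true)
	c[3] ^= 0x01
	d := cfbJ(demoKey, demoIV, c, 8, false)
	cfbByte3DiffBits = bits.OnesCount8(d[3] ^ pt[3])
	cfbGarbled = !bytes.Equal(d[4:12], pt[4:12])
	cfbResynced = bytes.Equal(d[:3], pt[:3]) && bytes.Equal(d[12:], pt[12:])
	return
}

func main() {
	fmt.Println(MatchesStdlib())
	fmt.Println(OFBKeyStreamReuse())
	fmt.Println(ErrorPropagation())
}
```

The cross-check against the standard library is there so that the hand-written
feedback loops can be trusted before they are used to demonstrate the
properties; the key-stream reuse function is the concrete form of the
"use a start variable only once per key" rule, and the error-propagation
function is the difference between "self-synchronising" (CFB) and "must be
re-initialised" (OFB) in practice.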

=head2 Triple ECB Mode

Normally, this is found as the function I<algorithm>_ecb3_encrypt().

=over 2

=item *

Encrypt with key1, decrypt with key2 and encrypt with key3 again.

=item *

As for ECB encryption but increases the key length to 168 bits (three
64-bit keys, each containing 8 parity bits that the cipher ignores).
There is a meet-in-the-middle attack that reduces the effective
key length to 112 bits, but it also requires about 2^56 blocks of
memory, not very likely, even for the NSA.

=item *

If two adjacent keys are the same (key1 == key2, or key2 == key3), the
inner encrypt/decrypt pair cancels out and the result is equivalent to
encrypting once with the remaining key.

=item *

If the first and last key are the same, the key length is 112 bits.
There are attacks that could reduce the effective key strength
to only slightly more than 56 bits, but these require a lot of memory
or a very large number of known plaintexts.

=item *

If all 3 keys are the same, this is effectively the same as normal
ecb mode.

=back

=head2 Triple CBC Mode

Normally, this is found as the function I<algorithm>_ede3_cbc_encrypt().

=over 2

=item *

Encrypt with key1, decrypt with key2 and then encrypt with key3.

=item *

As for CBC encryption but increases the key length to 168 bits with
the same restrictions as for triple ecb mode. The chaining is applied
once around the whole encrypt-decrypt-encrypt operation, so the block
size stays 64 bits and the IV is handled exactly as for single CBC.

=back
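
The key relationships described for triple ECB and triple CBC, as an added
example that is not from the original documentation or from OpenSSL: it uses
Go's crypto/des, whose NewTripleDESCipher takes the three 8-byte keys as one
24-byte key, with keys, IV and message constructed for the demonstration.
KeyDegeneracies() checks the collapses to single DES, ParityBitsIgnored()
shows why the key length is 168 bits rather than 192, and TripleCBCDegrades()
shows that ede3 CBC with three identical keys is exactly single-DES CBC.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Constructed sample keys, IV and two-block message; not real secrets.
var (
	keyA   = []byte("key-one!")
	keyB   = []byte("key-two!")
	keyC   = []byte("keythree")
	demoIV = []byte("initvect")
	msg    = []byte("first 8 second 8")
)

func desBlock(key []byte) cipher.Block {
	b, err := des.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return b
}

// edeBlock builds E_k3(D_k2(E_k1(x))); crypto/des takes the three 8-byte keys
// as one 24-byte key where DES_ede3_* takes three key schedules.
func edeBlock(k1, k2, k3 []byte) cipher.Block {
	b, err := des.NewTripleDESCipher(bytes.Join([][]byte{k1, k2, k3}, nil))
	if err != nil {
		panic(err)
	}
	return b
}

// encryptOne enciphers a single 8-byte block (ECB of one block).
func encryptOne(b cipher.Block, block []byte) []byte {
	out := make([]byte, 8)
	b.Encrypt(out, block)
	return out
}

// cbcEncrypt chains whichever block cipher it is given: triple CBC is one CBC
// chain wrapped around the whole encrypt-decrypt-encrypt, not three chains.
func cbcEncrypt(b cipher.Block, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(out, in)
	return out
}

// KeyDegeneracies checks the collapses listed in the text: three equal keys is
// single DES; two equal adjacent keys cancel and leave the remaining key.
func KeyDegeneracies() (allSame, k1EqK2, k2EqK3 bool) {
	pt := msg[:8]
	allSame = bytes.Equal(encryptOne(edeBlock(keyA, keyA, keyA), pt), encryptOne(desBlock(keyA), pt))
	k1EqK2 = bytes.Equal(encryptOne(edeBlock(keyA, keyA, keyC), pt), encryptOne(desBlock(keyC), pt))
	k2EqK3 = bytes.Equal(encryptOne(edeBlock(keyA, keyB, keyB), pt), encryptOne(desBlock(keyA), pt))
	return
}

// ParityBitsIgnored: flipping the low (parity) bit of every key byte leaves the
// ciphertext unchanged, which is why three 64-bit keys are only 168 key bits.
func ParityBitsIgnored() bool {
	flipped := make([]byte, 8)
	for i := range keyA {
		flipped[i] = keyA[i] ^ 0x01
	}
	return bytes.Equal(encryptOne(desBlock(keyA), msg[:8]), encryptOne(desBlock(flipped), msg[:8]))
}

// TripleCBCDegrades: ede3 CBC with k1 == k2 == k3 is byte-for-byte single-DES
// CBC, so a key-handling bug that repeats one key is invisible unless tested for.
func TripleCBCDegrades() (sameAsSingle, distinctDiffers bool) {
	single := cbcEncrypt(desBlock(keyA), demoIV, msg)
	sameAsSingle = bytes.Equal(cbcEncrypt(edeBlock(keyA, keyA, keyA), demoIV, msg), single)
	distinctDiffers = !bytes.Equal(cbcEncrypt(edeBlock(keyA, keyB, keyC), demoIV, msg), single)
	return
}

func main() {
	fmt.Println(KeyDegeneracies())
	fmt.Println(ParityBitsIgnored())
	fmt.Println(TripleCBCDegrades())
}
```

A practical consequence of TripleCBCDegrades(): code that derives the three
keys from one source should assert that they are pairwise different, since
the cipher itself will not complain.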

=head1 NOTES

This text was written in large part by Eric Young in his original
documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed
it to:

  AS 2805.5.2
  Australian Standard
  Electronic funds transfer - Requirements for interfaces,
  Part 5.2: Modes of operation for an n-bit block cipher algorithm
  Appendix A

=head1 SEE ALSO

L<blowfish(3)|blowfish(3)>, L<des(3)|des(3)>, L<idea(3)|idea(3)>,
L<rc2(3)|rc2(3)>

=cut
