Hamilton Laboratories | Hamilton C shell 2012 | User guide | External utilities

        DES Data Encryption

Usage:  des [-edbhnrz-] [-k key] [ file1 file2 ... ]

   des is a filter that encrypts or decrypts data read from the
   files you specify, one after another, to stdout with the Data
   Encryption Standard (DES).  If no files are given, des reads
   from stdin.  If there are multiple files, they're simply
   concatenated as they're read.

   Either -e (encrypt) or -d (decrypt) must be specified. If the
   key is not given on the command line with the -k option, des
   will prompt for it, suppressing echo.
   -e       Encrypt.
   -d       Decrypt.
   -b       Electronic Code Book (ECB) mode is used.  The default
            is to use DES Cipher Block Chaining (CBC) mode with
            an initial vector (IV) of all zeros.  Under ECB mode,
            each block of 8 bytes is enciphered independently,
            depending only on the key.  Under CBC mode, the
            enciphering of each block also depends on the data
            in the previous blocks.  The default CBC mode is
            considered somewhat more secure.
   -k key   Encryption key, typed as a simple ASCII string.  DES
            ignores the low order bit of each key byte, so with an
            ASCII key the high order bit (unused by 7-bit ASCII) is
            set to give each byte odd parity.  The parity bit then
            reflects the low order bit, so the information it
            carries is retained.
   -x       Hex key.  The key string is a sequence of up to 16 hex
            characters, right padded with zeros.  With a hex key,
            the low order bit of each byte is again ignored, as the
            DES algorithm specifies.  This allows the use of any
            arbitrary 56-bit key, including bytes representing
            control characters that could not be typed.
   -h       Help.  (This screen.)

Special Interchange Options:

   Not all DES implementations are the same.  There are a number of
   early implementations in circulation that either poorly or
   improperly implement DES.  Cipher Block Chaining may not be
   supported, forcing the use of the -b option.  You may also
   discover other flaws, necessitating that you experiment with
   some of these special options:

   -n       Suppress parity calculation on an ASCII key.  Just use
            the low-order 7 bits of each character as-is.
   -r       Convert all \r\n sequences to \n on input and all
            \n characters to \r\n sequences on output.  (Some
            implementers have used the C library stdio read and
            write routines but have forgotten to use binary mode.)
   -z       Do not mark the last block with a length; just fill it
            with binary zeros.  If you encipher, then decipher a
            file this way, the result will be padded with zeros
            out to an 8-byte boundary.

   If you encounter problems exchanging encrypted data with
   another DES implementation, you should try all the various
   combinations of the -b, -n, -r and -z options.  (We've seen
   one very poor implementation of DES that had all these flaws.)
   1.  If you lose the key to a file encrypted with DES, there is
       no known way to decrypt it.  The data is lost.

   2.  When choosing keys, avoid anything obvious that someone else
       might easily guess.  E.g., don't use just your name or your
       date of birth or a common word.  Instead, choose a key with
       a seemingly random mix of alphanumeric and punctuation

   3.  No encryption system should be considered perfectly secure.
       Although there are no known practical methods for attacking
       DES, such methods may exist.

   4.  Encryption can only protect data that's actually encrypted.
       If you have copies of the clear text on your disk, anyone
       with access to your machine may be able to read the data.
       Also, even when a file is deleted, the contents may remain
       on your disk, accessible to anyone with knowledge of the
       file system.

   5.  If you would like to compress encrypted data, e.g., with
       utilities such as WinZip, compress first, then encrypt.
       The encryption process tends to destroy the redundancy in
       the data that compression programs depend on.
