DES Data Encryption

Usage: des [-edbhnrz-] [-k key] [ file1 file2 ... ]

des is a filter that encrypts or decrypts data read from the files you
specify, one after another, to stdout with the Data Encryption Standard
(DES). If no files are given, des reads from stdin. If there are multiple
files, they're simply concatenated as they're read. Either -e (encrypt) or
-d (decrypt) must be specified. If the key is not given on the command line
with the -k option, des will prompt for it, suppressing echo.

Options:

  -e      Encrypt.

  -d      Decrypt.

  -b      Electronic Code Book (ECB) mode is used. The default is to use
          DES Cipher Block Chaining (CBC) mode with an initial vector (IV)
          of all zeros. Under ECB mode, each block of 8 bytes is enciphered
          independently, depending only on the key. Under CBC mode, the
          enciphering of each block also depends on the data in the
          previous blocks. The default CBC mode is considered somewhat
          more secure.

  -k key  Encryption key, typed as a simple ASCII string. With an ASCII
          key, DES ignores the low order bit of each key byte but the high
          order bit is set for odd parity, thus retaining the information
          contained in the low order bit.

  -x      Hex key. The key string is a sequence of up to 16 hex characters,
          right padded with zeros. With a hex key, the low order bit of
          each byte is again ignored per the DES algorithm. This allows the
          use of any arbitrary 56-bit key, including bytes representing
          control characters that could not be typed.

  -h      Help. (This screen.)

Special Interchange Options:

Not all DES implementations are the same. There are a number of early
implementations in circulation that either poorly or improperly implement
DES. Cipher Block Chaining may not be supported, forcing the use of the -b
option. You may also discover other flaws, necessitating that you
experiment with some of these special options:

  -n      Suppress parity calculation on an ASCII key. Just use the
          low-order 7 bits of each character as-is.

  -r      Convert all \r\n sequences to \n on input and all \n characters
          to \r\n sequences on output. (Some implementers have used the C
          library stdio read and write routines but have forgotten to use
          binary mode.)

  -z      Do not mark the last block with a length; just fill it with
          binary zeros. If you encipher, then decipher a file this way,
          the result will be padded with zeros out to an 8-byte boundary.

If you encounter problems exchanging encrypted data with another DES
implementation, you should try all the various combinations of the -b, -n,
-r and -z options. (We've seen one very poor implementation of DES that had
all these flaws.)

Notes:

  1. If you lose the key to a file encrypted with DES, there is no known
     way to decrypt it. The data is lost.

  2. When choosing keys, avoid anything obvious that someone else might
     easily guess. E.g., don't use just your name or your date of birth or
     a common word. Instead, choose a key with a seemingly random mix of
     alphanumeric and punctuation characters.

  3. No encryption system should be considered perfectly secure. Although
     there are no known practical methods for attacking DES, such methods
     may exist.

  4. Encryption can only protect data that's actually encrypted. If you
     have copies of the clear text on your disk, anyone with access to
     your machine may be able to read the data. Also, even when a file is
     deleted, the contents may remain on your disk, accessible to anyone
     with knowledge of the file system.

  5. If you would like to compress encrypted data, e.g., with utilities
     such as WinZip, compress first, then encrypt. The encryption process
     tends to destroy the redundancy in the data that compression programs
     depend on.
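
The key handling described under -k, -x and -n, worked through as an added Python example (it is not taken from the des program's source). Truncating or zero-padding an ASCII key to 8 bytes is an assumption, since the help text only states zero padding for hex keys; the function names are hypothetical. It shows why the default parity step matters: with -n, two keys that differ only in the low-order bit of each character select the same DES key.

```python
# Added illustration of the key rules in the help text above.
# Assumption: ASCII keys are truncated / zero-padded to 8 bytes.

def odd_parity_high_bit(b: int) -> int:
    """Keep the low 7 bits and set bit 7 so the byte has odd parity."""
    low7 = b & 0x7F
    ones = bin(low7).count("1")
    return low7 | (0x80 if ones % 2 == 0 else 0x00)

def ascii_key(text: str, parity: bool = True) -> bytes:
    """8-byte key from an ASCII string; parity=False models the -n option."""
    raw = text.encode("ascii")[:8].ljust(8, b"\0")
    if parity:
        return bytes(odd_parity_high_bit(b) for b in raw)
    return bytes(b & 0x7F for b in raw)

def hex_key(text: str) -> bytes:
    """8-byte key from up to 16 hex characters, right padded with zeros (-x)."""
    if len(text) > 16:
        raise ValueError("hex key is limited to 16 hex characters")
    return bytes.fromhex(text.ljust(16, "0"))

def effective_bits(key: bytes) -> int:
    """The 56 bits DES actually uses: bits 7..1 of each byte (bit 0 ignored)."""
    value = 0
    for b in key:
        value = (value << 7) | (b >> 1)
    return value

def distinct_per_char(parity: bool) -> int:
    """How many of the 128 ASCII codes stay distinguishable in one key byte."""
    seen = set()
    for code in range(128):
        byte = odd_parity_high_bit(code) if parity else code & 0x7F
        seen.add(byte >> 1)
    return len(seen)

if __name__ == "__main__":
    # Constructed sample keys: each character differs only in its low bit.
    a, b = "secret", "rdbsdu"
    for parity in (True, False):
        same = effective_bits(ascii_key(a, parity)) == effective_bits(ascii_key(b, parity))
        print(f"parity={parity}: same DES key? {same}, "
              f"values per char: {distinct_per_char(parity)}")
```

With parity each character contributes 7 usable bits (56 over 8 characters); with -n it contributes 6, so an 8-character key spans at most 48 bits.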