1 1.1 christos =pod 2 1.1 christos 3 1.1 christos =head1 NAME 4 1.1 christos 5 1.1 christos Modes of DES - the variants of DES and other crypto algorithms of OpenSSL 6 1.1 christos 7 1.1 christos =head1 DESCRIPTION 8 1.1 christos 9 1.1 christos Several crypto algorithms for OpenSSL can be used in a number of modes. Those 10 1.1 christos are used for using block ciphers in a way similar to stream ciphers, among 11 1.1 christos other things. 12 1.1 christos 13 1.1 christos =head1 OVERVIEW 14 1.1 christos 15 1.1 christos =head2 Electronic Codebook Mode (ECB) 16 1.1 christos 17 1.1 christos Normally, this is found as the function I<algorithm>_ecb_encrypt(). 18 1.1 christos 19 1.1 christos =over 2 20 1.1 christos 21 1.1 christos =item * 22 1.1 christos 23 1.1 christos 64 bits are enciphered at a time. 24 1.1 christos 25 1.1 christos =item * 26 1.1 christos 27 1.1 christos The order of the blocks can be rearranged without detection. 28 1.1 christos 29 1.1 christos =item * 30 1.1 christos 31 1.1 christos The same plaintext block always produces the same ciphertext block 32 1.1 christos (for the same key) making it vulnerable to a 'dictionary attack'. 33 1.1 christos 34 1.1 christos =item * 35 1.1 christos 36 1.1 christos An error will only affect one ciphertext block. 37 1.1 christos 38 1.1 christos =back 39 1.1 christos 40 1.1 christos =head2 Cipher Block Chaining Mode (CBC) 41 1.1 christos 42 1.1 christos Normally, this is found as the function I<algorithm>_cbc_encrypt(). 43 1.1 christos Be aware that des_cbc_encrypt() is not really DES CBC (it does 44 1.1 christos not update the IV); use des_ncbc_encrypt() instead. 45 1.1 christos 46 1.1 christos =over 2 47 1.1 christos 48 1.1 christos =item * 49 1.1 christos 50 1.1 christos a multiple of 64 bits are enciphered at a time. 51 1.1 christos 52 1.1 christos =item * 53 1.1 christos 54 1.1 christos The CBC mode produces the same ciphertext whenever the same 55 1.1 christos plaintext is encrypted using the same key and starting variable. 56 1.1 christos 57 1.1 christos =item * 58 1.1 christos 59 1.1 christos The chaining operation makes the ciphertext blocks dependent on the 60 1.1 christos current and all preceding plaintext blocks and therefore blocks can not 61 1.1 christos be rearranged. 62 1.1 christos 63 1.1 christos =item * 64 1.1 christos 65 1.1 christos The use of different starting variables prevents the same plaintext 66 1.1 christos enciphering to the same ciphertext. 67 1.1 christos 68 1.1 christos =item * 69 1.1 christos 70 1.1 christos An error will affect the current and the following ciphertext blocks. 71 1.1 christos 72 1.1 christos =back 73 1.1 christos 74 1.1 christos =head2 Cipher Feedback Mode (CFB) 75 1.1 christos 76 1.1 christos Normally, this is found as the function I<algorithm>_cfb_encrypt(). 77 1.1 christos 78 1.1 christos =over 2 79 1.1 christos 80 1.1 christos =item * 81 1.1 christos 82 1.1 christos a number of bits (j) <= 64 are enciphered at a time. 83 1.1 christos 84 1.1 christos =item * 85 1.1 christos 86 1.1 christos The CFB mode produces the same ciphertext whenever the same 87 1.1 christos plaintext is encrypted using the same key and starting variable. 88 1.1 christos 89 1.1 christos =item * 90 1.1 christos 91 1.1 christos The chaining operation makes the ciphertext variables dependent on the 92 1.1 christos current and all preceding variables and therefore j-bit variables are 93 1.1 christos chained together and can not be rearranged. 94 1.1 christos 95 1.1 christos =item * 96 1.1 christos 97 1.1 christos The use of different starting variables prevents the same plaintext 98 1.1 christos enciphering to the same ciphertext. 99 1.1 christos 100 1.1 christos =item * 101 1.1 christos 102 1.1 christos The strength of the CFB mode depends on the size of k (maximal if 103 1.1 christos j == k). In my implementation this is always the case. 104 1.1 christos 105 1.1 christos =item * 106 1.1 christos 107 1.1 christos Selection of a small value for j will require more cycles through 108 1.1 christos the encipherment algorithm per unit of plaintext and thus cause 109 1.1 christos greater processing overheads. 110 1.1 christos 111 1.1 christos =item * 112 1.1 christos 113 1.1 christos Only multiples of j bits can be enciphered. 114 1.1 christos 115 1.1 christos =item * 116 1.1 christos 117 1.1 christos An error will affect the current and the following ciphertext variables. 118 1.1 christos 119 1.1 christos =back 120 1.1 christos 121 1.1 christos =head2 Output Feedback Mode (OFB) 122 1.1 christos 123 1.1 christos Normally, this is found as the function I<algorithm>_ofb_encrypt(). 124 1.1 christos 125 1.1 christos =over 2 126 1.1 christos 127 1.1 christos 128 1.1 christos =item * 129 1.1 christos 130 1.1 christos a number of bits (j) <= 64 are enciphered at a time. 131 1.1 christos 132 1.1 christos =item * 133 1.1 christos 134 1.1 christos The OFB mode produces the same ciphertext whenever the same 135 1.1 christos plaintext enciphered using the same key and starting variable. More 136 1.1 christos over, in the OFB mode the same key stream is produced when the same 137 1.1 christos key and start variable are used. Consequently, for security reasons 138 1.1 christos a specific start variable should be used only once for a given key. 139 1.1 christos 140 1.1 christos =item * 141 1.1 christos 142 1.1 christos The absence of chaining makes the OFB more vulnerable to specific attacks. 143 1.1 christos 144 1.1 christos =item * 145 1.1 christos 146 1.1 christos The use of different start variables values prevents the same 147 1.1 christos plaintext enciphering to the same ciphertext, by producing different 148 1.1 christos key streams. 149 1.1 christos 150 1.1 christos =item * 151 1.1 christos 152 1.1 christos Selection of a small value for j will require more cycles through 153 1.1 christos the encipherment algorithm per unit of plaintext and thus cause 154 1.1 christos greater processing overheads. 155 1.1 christos 156 1.1 christos =item * 157 1.1 christos 158 1.1 christos Only multiples of j bits can be enciphered. 159 1.1 christos 160 1.1 christos =item * 161 1.1 christos 162 1.1 christos OFB mode of operation does not extend ciphertext errors in the 163 1.1 christos resultant plaintext output. Every bit error in the ciphertext causes 164 1.1 christos only one bit to be in error in the deciphered plaintext. 165 1.1 christos 166 1.1 christos =item * 167 1.1 christos 168 1.1 christos OFB mode is not self-synchronizing. If the two operation of 169 1.1 christos encipherment and decipherment get out of synchronism, the system needs 170 1.1 christos to be re-initialized. 171 1.1 christos 172 1.1 christos =item * 173 1.1 christos 174 1.1 christos Each re-initialization should use a value of the start variable 175 1.1 christos different from the start variable values used before with the same 176 1.1 christos key. The reason for this is that an identical bit stream would be 177 1.1 christos produced each time from the same parameters. This would be 178 1.1 christos susceptible to a 'known plaintext' attack. 179 1.1 christos 180 1.1 christos =back 181 1.1 christos 182 1.1 christos =head2 Triple ECB Mode 183 1.1 christos 184 1.1 christos Normally, this is found as the function I<algorithm>_ecb3_encrypt(). 185 1.1 christos 186 1.1 christos =over 2 187 1.1 christos 188 1.1 christos =item * 189 1.1 christos 190 1.1 christos Encrypt with key1, decrypt with key2 and encrypt with key3 again. 191 1.1 christos 192 1.1 christos =item * 193 1.1 christos 194 1.1 christos As for ECB encryption but increases the key length to 168 bits. 195 1.1 christos There are theoretic attacks that can be used that make the effective 196 1.1 christos key length 112 bits, but this attack also requires 2^56 blocks of 197 1.1 christos memory, not very likely, even for the NSA. 198 1.1 christos 199 1.1 christos =item * 200 1.1 christos 201 1.1 christos If both keys are the same it is equivalent to encrypting once with 202 1.1 christos just one key. 203 1.1 christos 204 1.1 christos =item * 205 1.1 christos 206 1.1 christos If the first and last key are the same, the key length is 112 bits. 207 1.1 christos There are attacks that could reduce the effective key strength 208 1.1 christos to only slightly more than 56 bits, but these require a lot of memory. 209 1.1 christos 210 1.1 christos =item * 211 1.1 christos 212 1.1 christos If all 3 keys are the same, this is effectively the same as normal 213 1.1 christos ecb mode. 214 1.1 christos 215 1.1 christos =back 216 1.1 christos 217 1.1 christos =head2 Triple CBC Mode 218 1.1 christos 219 1.1 christos Normally, this is found as the function I<algorithm>_ede3_cbc_encrypt(). 220 1.1 christos 221 1.1 christos =over 2 222 1.1 christos 223 1.1 christos 224 1.1 christos =item * 225 1.1 christos 226 1.1 christos Encrypt with key1, decrypt with key2 and then encrypt with key3. 227 1.1 christos 228 1.1 christos =item * 229 1.1 christos 230 1.1 christos As for CBC encryption but increases the key length to 168 bits with 231 1.1 christos the same restrictions as for triple ecb mode. 232 1.1 christos 233 1.1 christos =back 234 1.1 christos 235 1.1 christos =head1 NOTES 236 1.1 christos 237 1.1 christos This text was been written in large parts by Eric Young in his original 238 1.1 christos documentation for SSLeay, the predecessor of OpenSSL. In turn, he attributed 239 1.1 christos it to: 240 1.1 christos 241 1.1 christos AS 2805.5.2 242 1.1 christos Australian Standard 243 1.1 christos Electronic funds transfer - Requirements for interfaces, 244 1.1 christos Part 5.2: Modes of operation for an n-bit block cipher algorithm 245 1.1 christos Appendix A 246 1.1 christos 247 1.1 christos =head1 SEE ALSO 248 1.1 christos 249 1.1 christos L<blowfish(3)|blowfish(3)>, L<des(3)|des(3)>, L<idea(3)|idea(3)>, 250 1.1 christos L<rc2(3)|rc2(3)> 251 1.1 christos 252 1.1 christos =cut 253 1.1 christos 254
Indexes created Wed Mar 04 15:26:31 UTC 2026