=pod

=head1 NAME

des_modes - the variants of DES and other crypto algorithms of OpenSSL

=head1 DESCRIPTION

Several crypto algorithms for OpenSSL can be used in a number of modes.
Among other things, these modes allow block ciphers to be used in a way
similar to stream ciphers.

=head1 OVERVIEW

=head2 Electronic Codebook Mode (ECB)

Normally, this is found as the function I<algorithm>_ecb_encrypt().

=over 2

=item *

64 bits are enciphered at a time.

=item *

The order of the blocks can be rearranged without detection.

=item *

The same plaintext block always produces the same ciphertext block
(for the same key) making it vulnerable to a 'dictionary attack'.

=item *

An error will only affect one ciphertext block.

=back

=head2 Cipher Block Chaining Mode (CBC)

Normally, this is found as the function I<algorithm>_cbc_encrypt().
Be aware that des_cbc_encrypt() is not really DES CBC (it does
not update the IV); use des_ncbc_encrypt() instead.

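
The ECB properties listed above and the IV caveat for des_cbc_encrypt(), as an added example that is not part of the OpenSSL documentation or code. It assumes a toy 64-bit Feistel cipher (constructed here, not DES) in place of the block cipher; toy_encrypt(), cbc_encrypt() and its update_iv flag are hypothetical names, not OpenSSL functions.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy 64-bit Feistel cipher standing in for DES so this builds without
 * libcrypto. NOT DES, not secure; key and data below are constructed. */
static const uint32_t KEY[4] = {0x0123u, 0x4567u, 0x89ABu, 0xCDEFu};
static uint32_t F(uint32_t r, uint32_t k) {
    r = (r ^ k) * 0x9E3779B1u;
    return r ^ (r >> 15);
}
static uint64_t toy_encrypt(uint64_t b) {
    uint32_t l = (uint32_t)(b >> 32), r = (uint32_t)b, t;
    for (int i = 0; i < 4; i++) { t = l ^ F(r, KEY[i]); l = r; r = t; }
    return ((uint64_t)l << 32) | r;
}
static uint64_t toy_decrypt(uint64_t b) {
    uint32_t l = (uint32_t)(b >> 32), r = (uint32_t)b, t;
    for (int i = 3; i >= 0; i--) { t = r ^ F(l, KEY[i]); r = l; l = t; }
    return ((uint64_t)l << 32) | r;
}
/* CBC; update_iv=0 leaves *iv stale, as the page says of des_cbc_encrypt(). */
static void cbc_encrypt(const uint64_t *in, uint64_t *out, int n,
                        uint64_t *iv, int update_iv) {
    uint64_t prev = *iv;
    for (int i = 0; i < n; i++) prev = out[i] = toy_encrypt(in[i] ^ prev);
    if (update_iv) *iv = prev;  /* ncbc-style: next call continues the chain */
}
/* ECB: 1 if two equal plaintext blocks give equal ciphertext blocks. */
int ecb_leaks_repeats(void) {
    uint64_t p[2] = {0x1122334455667788ULL, 0x1122334455667788ULL};
    return toy_encrypt(p[0]) == toy_encrypt(p[1]);
}
/* ECB: 1 if reordered ciphertext decrypts cleanly to reordered plaintext. */
int ecb_swap_undetected(void) {
    uint64_t p[2] = {0xAAAAAAAA00000001ULL, 0xBBBBBBBB00000002ULL};
    uint64_t c[2] = {toy_encrypt(p[1]), toy_encrypt(p[0])}; /* blocks swapped */
    return toy_decrypt(c[0]) == p[1] && toy_decrypt(c[1]) == p[0];
}
/* Same block sent in two calls sharing one IV buffer; 1 if ciphertexts match. */
int chunked_cbc_repeats(int update_iv) {
    uint64_t iv = 0x0F0E0D0C0B0A0908ULL, p = 0x1122334455667788ULL, c1, c2;
    cbc_encrypt(&p, &c1, 1, &iv, update_iv);
    cbc_encrypt(&p, &c2, 1, &iv, update_iv);
    return c1 == c2;
}
int main(void) {
    printf("ecb_repeat=%d ecb_swap=%d cbc_stale_iv=%d cbc_updated_iv=%d\n",
           ecb_leaks_repeats(), ecb_swap_undetected(),
           chunked_cbc_repeats(0), chunked_cbc_repeats(1));
    return 0;
}
```

With a stale IV, a message encrypted across several calls restarts the chain on every call, so repeated chunks show up as repeated ciphertext just as in ECB.
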

=over 2

=item *

A multiple of 64 bits is enciphered at a time.

=item *

The CBC mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable.

=item *

The chaining operation makes the ciphertext blocks dependent on the
current and all preceding plaintext blocks and therefore blocks can not
be rearranged.

=item *

The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.

=item *

An error will affect the current and the following ciphertext blocks.

=back

=head2 Cipher Feedback Mode (CFB)

Normally, this is found as the function I<algorithm>_cfb_encrypt().

=over 2

=item *

A number of bits (j) <= 64 are enciphered at a time.

=item *

The CFB mode produces the same ciphertext whenever the same
plaintext is encrypted using the same key and starting variable.

=item *

The chaining operation makes the ciphertext variables dependent on the
current and all preceding variables and therefore j-bit variables are
chained together and can not be rearranged.

=item *

The use of different starting variables prevents the same plaintext
enciphering to the same ciphertext.

=item *

The strength of the CFB mode depends on the size of k (maximal if
j == k).  In my implementation this is always the case.

=item *

Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.

=item *

Only multiples of j bits can be enciphered.

=item *

An error will affect the current and the following ciphertext variables.

=back

=head2 Output Feedback Mode (OFB)

Normally, this is found as the function I<algorithm>_ofb_encrypt().

=over 2

=item *

A number of bits (j) <= 64 are enciphered at a time.

=item *

The OFB mode produces the same ciphertext whenever the same
plaintext is enciphered using the same key and starting variable.
Moreover, in the OFB mode the same key stream is produced when the same
key and start variable are used.  Consequently, for security reasons
a specific start variable should be used only once for a given key.

=item *

The absence of chaining makes the OFB more vulnerable to specific attacks.

=item *

The use of different start variable values prevents the same
plaintext enciphering to the same ciphertext, by producing different
key streams.

=item *

Selection of a small value for j will require more cycles through
the encipherment algorithm per unit of plaintext and thus cause
greater processing overheads.

=item *

Only multiples of j bits can be enciphered.

=item *

OFB mode of operation does not extend ciphertext errors in the
resultant plaintext output.  Every bit error in the ciphertext causes
only one bit to be in error in the deciphered plaintext.

=item *

OFB mode is not self-synchronizing.
If the two operations of
encipherment and decipherment get out of synchronism, the system needs
to be re-initialized.

=item *

Each re-initialization should use a value of the start variable
different from the start variable values used before with the same
key.  The reason for this is that an identical bit stream would be
produced each time from the same parameters.  This would be
susceptible to a 'known plaintext' attack.

=back

=head2 Triple ECB Mode

Normally, this is found as the function I<algorithm>_ecb3_encrypt().

=over 2

=item *

Encrypt with key1, decrypt with key2 and encrypt with key3 again.

=item *

As for ECB encryption but increases the key length to 168 bits.
There are theoretic attacks that can be used that make the effective
key length 112 bits, but this attack also requires 2^56 blocks of
memory, not very likely, even for the NSA.

=item *

If both keys are the same it is equivalent to encrypting once with
just one key.

=item *

If the first and last key are the same, the key length is 112 bits.
There are attacks that could reduce the effective key strength
to only slightly more than 56 bits, but these require a lot of memory.

=item *

If all 3 keys are the same, this is effectively the same as normal
ECB mode.

=back

=head2 Triple CBC Mode

Normally, this is found as the function I<algorithm>_ede3_cbc_encrypt().

=over 2

=item *

Encrypt with key1, decrypt with key2 and then encrypt with key3.

=item *

As for CBC encryption but increases the key length to 168 bits with
the same restrictions as for triple ECB mode.

=back

=head1 NOTES

This text was written in large parts by Eric Young in his original
documentation for SSLeay, the predecessor of OpenSSL.
In turn, he attributed
it to:

 AS 2805.5.2
 Australian Standard
 Electronic funds transfer - Requirements for interfaces,
 Part 5.2: Modes of operation for an n-bit block cipher algorithm
 Appendix A

=head1 SEE ALSO

L<BF_encrypt(3)>, L<DES_crypt(3)>

=head1 COPYRIGHT

Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License").  You may not use
this file except in compliance with the License.  You can obtain a copy
in the file LICENSE in the source distribution or at
L<https://www.openssl.org/source/license.html>.

=cut