des_crypt(3)des_crypt(3)NAME
des_crypt, des_string_to_key, des_is_weak_key, des_key_sched,
des_quad_cksum - Data Encryption Standard (DES) encryption library rou‐
tines (Auth)
SYNOPSIS
#include <des.h>
int des_string_to_key(
char *str,
C_Block *key ); int des_is_weak_key(
C_Block key ); unsigned long des_quad_cksum(
unsigned char *input,
unsigned long *output,
long length,
int iterations,
C_Block *seed ); int des_key_sched(
C_Block key,
Key_schedule schedule );
If you are using the SSL rather than the DSL library routines, see
des(3) for information on des_key_sched(), des_is_weak_key(),
des_quad_cksum(), and des_string_to_key().
PARAMETERS
For des_string_to_key(), key is a pointer to a C_Block of 8-byte
length. For des_quad_cksum(), des_is_weak_key(), and des_key_sched(),
key is a pointer to a DES key. A string that is converted to an 8-byte
DES key. Pointer to a block of data to which a quadratic checksum
algorithm is applied. Pointer to a pre-allocated buffer that will con‐
tain the complete output from the quadratic checksum algorithm. For
each iteration of the quadratic checksum applied to the input, eight
bytes (two longwords) of data are generated. Length of the data to
which the quadratic checksum algorithm will be applied. If input con‐
tains more than length bytes of data, then the quadratic checksum will
only be applied to length bytes of input. The number of iterations of
the des_quad_cksum() algorithm to apply to input. If output is NULL,
then one iteration of the algorithm will be applied to input, no matter
what the value of iterations is. The maximum number of iterations is
four. An 8-byte quantity used as a seed to the input of the
des_quad_cksum() algorithm. A representation of a DES key in a form
more easily used with encryption algorithms. It is used as input to
the krb_sendmutual() routines.
DESCRIPTION
The des_crypt() routines are designed to provide the cryptographic rou‐
tines which are used to support authentication. Specifically,
des_quad_cksum() and des_key_sched() are designed to be used with the
DES key which is shared between one Kerberos principal and its authen‐
ticated peer to provide an easy authentication method after the initial
Kerberos authentication pass. des_string_to_key() and
des_is_weak_key() are designed to enable the input and inspection of a
key by a user before that key is used with the Kerberos authentication
routines. The des_crypt() routines are not designed for general
encryption.
The library makes extensive use of the locally defined data types
C_Block and Key_schedule. The C_Block struct is an 8-byte block used by
the various routines of the des_crypt() library as the fundamental unit
for DES data and keys.
ROUTINES
Converts a null-terminated string of arbitrary length to an 8-byte,
odd-byte-parity DES key. The str argument is a pointer to the character
string to be converted and key points to a C_Block supplied by the
caller to receive the generated key. The one-way function used to con‐
vert the string to a key makes it very difficult for anyone to recon‐
struct the string from the key. No meaningful value is returned.
des_is_weak_key() checks a new key input by a user to determine if it
belongs to the well known set of DES keys which do not provide good
cryptographic behavior. If a key passes the inspection of
des_is_weak_key(), then it can be used with the des_quad_cksum() rou‐
tine. The input is a DES key and the output is equal to 1 if the key is
not a safe key to use; it is equal to 0 if it is safe to use. Produces
a checksum by chaining quadratic operations on cleartext data.
des_quad_cksum() can be used to produce a normal quadratic checksum
and, if used with the DES key shared between two authenticated Kerberos
principals, it can also provide for the integrity and authentication
protection of data sent from one principal to another.
Input of length bytes are run through the des_quad_cksum() rou‐
tine iterations times to produce output. If output is NULL, one
iteration is performed and output is not affected. If output is
not NULL, the quadratic checksum algorithm will be performed
iterations times on input, placing eight bytes (two longwords)
of result in output for each iteration. At all times, the low-
order bits of the last quadratic checksum algorithm pass are
returned by des_quad_cksum().
The quadratic checksum algorithm performs a checksum on a few
bytes of data and feeds the result into the algorithm as an
addition input to the checksum on the next few bytes. The seed
serves as the additional input for the first checksum operation
and, therefore, the final checksum that results depends upon the
seed input into the algorithm. If the DES key shared between
two Kerberos principals is used as the initial seed, then since
the checksum that results depends upon the seed, the ability to
produce the checksum proves identity and authentication. Also,
since the message cannot be altered without knowledge of the
seed, it also provides for data integrity. des_key_sched() is
used to convert the key input into a new format that can be used
readily with encryption functions. The result, schedule, can be
used with the krb_sendmutual() functions to enable mutual
authentication of two Kerberos principals.
A 0 is returned from des_key_sched() if successful. A -1 is
returned if the each byte of the key does not have odd parity.
A -2 is returned if the key is a weak key as defined by
des_is_weak_key().
des_crypt(3)
