The DES encryption scheme is derived from the NBS Data Encryption Standard. Additional code has been added to deter key search attempts and to use stronger hashing algorithms. In the DES case, the second argument to
crypt() is a character array, 9 bytes in length, consisting of an underscore (``_'') followed by 4 bytes of iteration count and 4 bytes of salt. Both the iteration
count and the
salt are encoded with 6 bits per character, least significant bits first. The values 0 to 63 are encoded by the characters ``./0-9A-Za-z'', respectively.
The
salt is used to induce disorder in to the DES algorithm in one of 16777216 possible ways (specifically, if bit
i of the
salt is set then bits
i and
i+24 are swapped in the DES ``E'' box output). The
key is divided into groups of 8 characters (a short final group is null-padded) and the low-order 7 bits of each character (56 bits per group) are used to form the DES key as follows: the first group of 56 bits becomes the initial DES key. For each additional group, the XOR of the group bits and the encryption of the DES key with itself becomes the next DES key. Then the final DES key is used to perform
count cumulative encryptions of a 64-bit constant. The value returned is a
NUL-terminated string, 20 bytes in length, consisting of the
setting followed by the encoded 64-bit encryption.
For compatibility with historical versions of
crypt(3), the
setting may consist of 2 bytes of salt, encoded as above, in which case an iteration
count of 25 is used, fewer perturbations of DES are available, at most 8 characters of
key are used, and the returned value is a
NUL-terminated string 13 bytes in length.
The functions
encrypt(),
setkey(),
des_setkey() and
des_cipher() allow limited access to the DES algorithm itself. The
key argument to
setkey() is a 64 character array of binary values (numeric 0 or 1). A 56-bit key is derived from this array by dividing the array into groups of 8 and ignoring the last bit in each group.
The
encrypt() argument
block is also a 64 character array of binary values. If the value of
flag is 0, the argument
block is encrypted, otherwise it is decrypted. The encryption or decryption is returned in the original array
block after using the key specified by
setkey() to process it.
The
des_setkey() and
des_cipher() functions are faster but less portable than
setkey() and
encrypt(). The argument to
des_setkey() is a character array of length 8. The
least significant bit in each character is ignored and the next 7 bits of each character are concatenated to yield a 56-bit key. The function
des_cipher() encrypts (or decrypts if
count is negative) the 64-bits stored in the 8 characters at
in using
abs(3) of
count iterations of DES and stores the 64-bit result in the 8 characters at
out. The
salt specifies perturbations to DES as described above.