1.1 DES in CBC Mode (DES-CBC)

Message text and, if required, message signatures are encrypted using the Data Encryption Standard (DES) algorithm in the Cipher Block Chaining (CBC) mode of operation. The DES algorithm is defined in FIPS PUB 46-1 [1], and is equivalent to the Data Encryption Algorithm (DEA) provided in ANSI X3.92-1981 [2]. The CBC mode of operation of DES is defined in FIPS PUB 81 [3], and is equivalent to those provided in ANSI X3.106 [4] and in ISO IS 8372 [5]. The character string "DES-CBC" within an encapsulated PEM header field indicates the use of this algorithm/mode combination.

The input to the DES CBC encryption process shall be padded to a multiple of 8 octets, in the following manner. Let n be the length in octets of the input. Pad the input by appending 8-(n mod 8) octets to the end of the message, each having the value 8-(n mod 8), the number of octets being added. In hexadecimal, the possible paddings are: 01, 0202, 030303, 04040404, 0505050505, 060606060606, 07070707070707, and 0808080808080808. All input is padded with 1 to 8 octets to produce a multiple of 8 octets in length. The padding can be removed unambiguously after decryption.

The DES CBC encryption process requires a 64-bit cryptographic key. A new, pseudorandom key shall be generated for each ENCRYPTED PEM message. Of the 64 bits, 56 are used directly by the DES CBC process, and 8 are odd parity bits, with one parity bit occupying the right-most bit of each octet. When symmetric key management is employed, the setting and checking of odd parity bits is encouraged, since these bits could detect an error in the decryption of a DES key encrypted under a symmetric key management algorithm (e.g., DES ECB). When asymmetric key management is employed, the setting of odd parity bits is encouraged, but the checking of odd parity bits is discouraged, in order to facilitate interoperability, and since an error in the decryption of a DES key can be detected by other means (e.g., an incorrect PKCS #1 encryption-block format). In all cases, the encrypted form of a DES key shall carry all 64 bits of the key, including the 8 parity bits, though those bits may have no meaning.

The DES CBC encryption process also requires a 64-bit Initialization Vector (IV). A new, pseudorandom IV shall be generated for each ENCRYPTED PEM message. Section 4.3.1 of [7] provides rationale for this requirement, even given the fact that individual DES keys are generated for individual messages. The IV is transmitted with the message within an encapsulated PEM header field.

When this algorithm/mode combination is used for message text encryption, the "DEK-Info:" header field carries exactly two arguments. The first argument identifies the DES CBC algorithm/mode using the character string defined above. The second argument contains the IV, represented as a contiguous string of 16 ASCII hexadecimal digits.

When symmetric key management is employed with this algorithm/mode combination, a symmetrically encrypted DES key will be represented in the third argument of a "Key-Info:" header field as a contiguous string of 16 ASCII hexadecimal digits (corresponding to a 64-bit key).

To avoid any potential ambiguity regarding the ordering of the octets of a DES key that is input as a data value to another encryption process (e.g., RSAEncryption), the following holds true. The first (or left-most displayed, if one thinks in terms of a key's "print" representation) (For purposes of discussion in this document, data values are normalized in terms of their "print" representation. For a octet stream, the "first" octet would appear as the one on the "left", and the "last" octet would appear on the "right".) octet of the key (i.e., bits 1-8 per FIPS PUB 46-1), when considered as a data value, has numerical weight 2**56. The last (or right-most displayed) octet (i.e., bits 57-64 per FIPS PUB 46-1) has numerical weight 2**0.