[u/mdw/catacomb] / catcrypt.1

.\" -*-nroff-*-
.de VS
.sp 1
.RS
.nf
.ft B
..
.de VE
.ft R
.fi
.RE
.sp 1
..
.ie t \{\
.  if \n(.g \{\
.    fam P
.  \}
.\}
.de hP
.IP
.ft B
\h'-\w'\\$1\ 'u'\\$1\ \c
.ft P
..
.ie t .ds o \(bu
.el .ds o o
.TH catcrypt 1 "30 September 2004" "Straylight/Edgeware" "Catacomb cryptographic library"
.SH NAME
catcrypt \- encrypt and decrypt messages
.SH SYNOPSIS
.B catcrypt
.RB [ \-k
.IR keyring ]
.I command
.PP
where
.I command
is one of:
.PP
.B help
.RI [ command ...]
.br
.B show
.RI [ item ...]
.br
.B encrypt
.RB [ \-a ]
.RB [ \-k
.IR tag ]
.RB [ \-f
.IR format ]
.RB [ \-o
.IR output ]
.RI [ file ]
.br
.B decrypt
.RB [ \-aqv ]
.RB [ \-f
.IR format ]
.RB [ \-o
.IR output ]
.RI [ file ]
.br
.B encode
.RB [ \-f
.IR format ]
.RB [ \-b
.IR boundary ]
.RB [ \-o
.IR output ]
.RI [ file ]
.br
.B encode
.RB [ \-f
.IR format ]
.RB [ \-b
.IR boundary ]
.RB [ \-o
.IR output ]
.RI [ file ]
.SH "DESCRIPTION"
The
.B catcrypt
command encrypts and decrypts messages.  It also works as a simple PEM
encoder and decoder.  It provides a number of subcommands, by which the
various operations may be carried out.
.SS "Global options"
Before the command name,
.I "global options"
may be given.  The following global options are supported:
.TP
.BR "\-h, \-\-help " [ \fIcommand ...]
Writes a brief summary of
.BR catcrypt 's
various options to standard output, and returns a successful exit
status.  With command names, gives help on those commands.
.TP
.B "\-v, \-\-version"
Writes the program's version number to standard output, and returns a
successful exit status.
.TP
.B "\-u, \-\-usage"
Writes a very terse command line summary to standard output, and returns
a successful exit status.
.TP
.BI "\-k, \-\-keyring " file
Names the keyring file which
.B key
is to process.  The default keyring, used if this option doesn't specify
one, is the file named
.B keyring
in the current directory.  See
.BR key (1)
and
.BR keyring (5)
for more details about keyring files.
.SH "KEY SETUP"
Algorithms to be used with a particular key are described by attributes
on the key, or its type.  The
.B catcrypt
command deals with both signing and key-encapsulation keys.
.SS "Key-encapsulation keys"
(Key encapsulation is a means of transmitting a short, known, random
secret to a recipient.  It differs from encryption in technical ways
which are largely uninteresting at this point.)
.PP
A
.I kemalgspec
has the syntax
.IR kem \c
.RB [ / \c
.IR cipher \c
.RB [ / \c
.IR hash ]].
If a
.B kem
attribute is present on the key, then it must have this form; otherwise,
the key's type must have the form
.BR cckem- \c
.IR kemalgspec .
Algorithm selections are taken from appropriately-named attributes, or,
failing that, from the
.IR kemalgspec .
.PP
The key-encapsulation mechanism is chosen according to the setting of
.I kem
as follows.  Run
.B catcrypt show kem
for a list of supported KEMs.
.TP
.B rsa
This is Shoup's RSA-KEM (formerly Simple RSA); see
.I
A proposal for an ISO standard for public key encryption (version 2.0)
available at
.BR http://eprint.iacr.org/2000/060/ .
Use the
.B rsa
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B dh
This is standard Diffie-Hellman key exchange, hashing the resulting
shared secret to form the key, as used in, e.g., DLIES (P1363a).
Use the
.B dh
algorithm of the
.B key add
command, preferably with the
.B \-LS
options, to generate the key.
.TP
.B ec
This is the elliptic-curve analogue of
.BR dh .  Use the
.B ec
algorithm of the
.BR key (1))
command to generate the key.
.PP
As well as the KEM itself, a number of supporting algorithms are used.
These are taken from appropriately named attributes on the key or,
failing that, derived from other attributes as described below.
.TP
.B cipher
This is the symmetric encryption algorithm used for bulk data
encryption.  If there is no
.B cipher
attribute then the
.I cipher
in the
.I kemalgspec
is used; if that it absent, then the default of
.B blowfish-cbc
is used.  Run
.B catcrypt show cipher
for a list of supported symmetric encryption algorithms.
.TP
.B hash
This is the hash function used to distil entropy from the shared secret
constructed by the raw KEM.  If there is no
.B hash
attribute then the
.I hash
in the
.I kemalgspec is used; if that is absent then the default of
.B rmd160
is used.  Run
.B catcrypt show hash
for a list of supported symmetric encryption algorithms.
.TP
.B mac
This is the message authentication algorithm used during bulk data
encryption to ensure integrity of the encrypted message and defend
against chosen-ciphertext attacks.  If there is no
.B mac
attribute then
.IB hash -hmac
is chosen as a default.  Run
.B catcrypt show mac
for a list of supported message authentication algorithms.
.TP
.B kdf
This is the key derivation function used to stretch the hashed shared
secret to a sufficient length to select symmetric encryption and
authentication keys, initialization vectors and other necessary
pseudorandom quantities.  If there is no
.B kdf
attribute then
.IB hash -mgf
is chosen as a default.  Run
.B catcrypt show kdf
for a list of supported key derivation functions.
.B Caution!
Not all supported functions have the required security features: don't
override the default choice unless you know what you're doing.
.SS "Signing keys"
A
.I sigalgspec
has the form
.IR sig \c
.RB [ / \c
.IR hash ].
If a
.B sig
attribute is present on the key, then it must have this form; otherwise,
the key's type must have the form
.BI ccsig- \c
.IR sigalgspec .
Algorithm selections are taken from appropriately-named attributes, or,
failing that, from the
.IR sigalgspec .
.PP
The signature algorithm is chosen according to the setting of
.I sig
as follows.  Run
.B catcrypt show sig
for a list of supported signature algorithms.
.TP
.B rsapkcs1
This is almost the same as the RSASSA-PKCS1-v1_5 algorithm described in
RFC3447; the difference is that the hash is left bare rather than being
wrapped in a DER-encoded 
.B DigestInfo
structure.  This doesn't affect security since the key can only be used
with the one hash function anyway, and dropping the DER wrapping permits
rapid adoption of new hash functions.  Regardless, use of this algorithm
is not recommended, since the padding method has been shown vulnerable
to attack.  Use the
.B rsa
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B rsapss
This is the RSASSA-PSS algorithm described in RFC3447.  It is the
preferred RSA-based signature scheme.  Use the
.B rsa
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B dsa
This is the DSA algorithm described in FIPS180-1 and FIPS180-2.    Use the
.B dsa
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B ecdsa
This is the ECDSA algorithm described in ANSI X9.62 and FIPS180-2.  Use
the
.B ec
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.TP
.B kcdsa
This is the revised KCDSA (Korean Certificate-based Digital Signature
Algorithm) described in
.I The Revised Version of KCDSA
.RB ( http://dasan.sejong.ac.kr/~chlim/pub/kcdsa1.ps ).
Use the
.B dh
algorithm of the
.B key add
command with the
.B \-LS
options (see
.BR key (1))
to generate the key.
.TP
.B eckcdsa
This is an unofficial elliptic-curve analogue of the KCDSA algorithm.
Use the
.B ec
algorithm of the
.B key add
command (see
.BR key (1))
to generate the key.
.PP
As well as the signature algorithm itself, a hash function is used.
This is taken from the
.B hash
attribute on the key, or, failing that, from the
.I hash
specified in the
.IR sigalgspec ,
or, if that is absent, determined by the signature algorithm as follows.
.hP \*o
For
.BR rsapkcs1 ,
.BR rsapss ,
.BR dsa ,
and
.BR ecdsa ,
the default hash function is
.BR sha .
.hP \*o
For
.BR kcdsa 
and
.BR eckcdsa ,
the default hash function is
.BR has160 .
.PP
Run
.B catcrypt show hash
for a list of supported hash functions.
.SH "ENCODINGS"
Two encodings for the ciphertext are supported.
.TP
.B binary
The raw format, which has the benefit of being smaller, but needs to be
attached to mail messages and generally handled with care.
.TP
.B pem
PEM-encapsulated Base-64 encoded text.  This format can be included
directly in email and picked out again automatically; but there is a
4-to-3 data expansion as a result.
.SH "COMMAND REFERENCE"
.SS help
The
.B help
command behaves exactly as the
.B \-\-help
option.  With no arguments, it shows an overview of
.BR catcrypt 's
options; with arguments, it describes the named subcommands.
.SS show
The
.B show
command prints various lists of tokens understood by
.BR catcrypt .
With no arguments, it prints all of the lists; with arguments, it prints
just the named lists, in order.  The recognized lists can be enumerated
using the
.VS
catcrypt show list
.VE
command.  The lists are as follows.
.TP
.B list
The lists which can be enumerated by the
.B show
command.
.TP
.B kem
The key-encapsulation algorithms which can be used in a
key-encapsulation key's
.B kem
attribute.
.TP
.B cipher
The symmetric encryption algorithms which can be used in a
key-encapsulation key's
.B cipher
attribute.
.TP
.B mac
The message authentication algorithms which can be used in a
key-encapsulation key's
.B mac
attribute.
.TP
.B sig
The signature algorithms which can be used in a signing key's
.B sig
attribute.
.TP
.B hash
The hash functions which can be used in a key's
.B hash
attribute.
.TP
.B enc
The encodings which can be applied to encrypted messages; see 
.B ENCODINGS
above.
.SS encrypt
The
.B encrypt
command encrypts a file and writes out the appropriately-encoded
ciphertext.  By default, it reads from standard input and writes to
standard output.  If a filename argument is given, this file is read
instead (as binary data).
.PP
The following options are recognized.
.TP
.B "\-a, \-\-armour"
Produce ASCII-armoured output.  This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
.TP
.BI "\-f, \-\-format " format
Produce output encoded according to
.IR format .
.TP
.BI "\-k, \-\-key " tag
Use the key-encapsulation key named
.I tag
in the current keyring; the default key is
.BR ccrypt .
.TP
.BI "\-s, \-\-sign-key " tag
Use the signature key named
.I tag
in the current keyring; the default is not to sign the ciphertext.
.TP
.BI "\-o, \-\-ouptut " file
Write output to
.I file
rather than to standard output.
.SS decrypt
The
.B decrypt
command decrypts a ciphertext and writes out the plaintext.  By default,
it reads from standard input and writes to standard output.  If a
filename argument is given, this file is read instead.
.PP
The following options are recognized.
.TP
.B "\-a, \-\-armour"
Read ASCII-armoured output.  This is equivalent to specifying
.BR "\-f pem" .
The variant spelling
.B "\-\-armor"
is also accepted.
.TP
.BI "\-f, \-\-format " format
Read input encoded according to
.IR format .
.TP
.B "\-v, \-\-verbose"
Produce more verbose messages.  See below for the messages produced
during decryption.  The default verbosity level is 1.  (Currently this
is the most verbose setting.  This might not be the case always.)
.TP
.B "\-q, \-\-quiet"
Produce fewer messages.
.TP
.BI "\-o, \-\-output " file
Write output to
.I file
instead of to standard output.  The file is written in binary mode.
Fixing line-end conventions is your problem; there are lots of good
tools for dealing with it.
.PP
Output is written to standard output in a machine-readable format.
Major problems cause the program to write a diagnostic to standard error
and exit nonzero as usual.  The quantity of output varies depending on
the verbosity level and whether the plaintext is also being written to
standard output.  Output lines begin with a keyword.:
.TP
.BI "FAIL " reason
An error prevented decryption.  The program will exit nonzero.
.TP
.BI "WARN " reason
.B catcrypt
encountered a situation which may or may not invalidate the decryption.
.TP 
.BI "OK " message
Decryption was successful.  This is only produced if main output is
being sent somewhere other than standard output.
.TP
.B "DATA"
The plaintext follows, starting just after the next newline character or
sequence.  This is only produced if main output is being sent to
standard output.  If anything goes wrong, a
.B FAIL
message is printed, preceded and followed by a newline, and the program
exits nonzero.
.TP
.BI "INFO " note
Any other information.
.PP
The information written at the various verbosity levels is as follows.
.hP 0.
No output.  Watch the exit status.
.hP 1.
All messages.
.PP
.B Warning!
All output written has been checked for authenticity.  However, since
the input is chunked, a chunk will be checked and written before the
authenticity of following chunks is established.  Don't rely on the
output being complete until
.B catcrypt decrypt
prints
.B OK
and/or exits successfully.
.SS "encode"
The
.B encode
command encodes an input file according to one of the encodings
described above in
.BR ENCODINGS .
The input is read from the 
.I file
given on the command line, or from standard input if none is specified.
Options provided are:
.TP
.BI "\-f, \-\-format " format
Produce output in
.IR format .
Run
.B catcrypt show enc
for a list of encoding formats.
.TP
.BI "\-b, \-\-boundary " label
Set the PEM boundary string to
.IR label ;
i.e., assuming we're encoding in PEM format, the output will have
.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
at the top and
.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
at the bottom.  The default
.I label
is
.BR MESSAGE .
.TP
.BI "\-o, \-\-output " file
Write output to
.I file
instead of to standard output.
.SS "decode"
The
.B decode
command decodes an input file encoded according to one of the encodings
described above in
.BR ENCODINGS .
The input is read from the 
.I file
given on the command line, or from standard input if none is specified.
Options provided are:
.TP
.BI "\-f, \-\-format " format
Decode input in
.IR format .
Run
.B catcrypt show enc
for a list of encoding formats.
.TP
.BI "\-b, \-\-boundary " label
Set the PEM boundary string to
.IR label ;
i.e., assuming we're encoding in PEM format, start processing input
between
.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
and 
.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
lines.  Without this option,
.B catcrypt
will start reading at the first plausible boundary string, and continue
processing until it reaches the matching end boundary.
.TP
.BI "\-o, \-\-output " file
Write output to
.I file
instead of to standard output.
.SH "SECURITY PROPERTIES"
Assuming the security of the underlying primitive algorithms, the
following security properties of the ciphertext hold.
.hP \*o
An adversary given the public key-encapsulation key and capable of
requesting encryption of arbitrary plaintexts of his own devising is
unable to decide whether he is given ciphertexts corresponding to his
chosen plaintexts or random plaintexts of the same length.  This holds
even if the adversary is permitted to request decryption of any
ciphertext other than one produced as a result of an encryption request.
This property is called
.BR IND-CCA2 .
.hP \*o
An adversary given the public key-encapsulation and verification keys,
and capable of requesting encryption of arbitrary plaintext of his own
devising is unable to produce a new ciphertext which will be accepted as
genuine.  This property is called
.BR INT-CTXT .
.hP \*o
An adversary given the public key-encapsulation and verification keys,
and capable of requesting encryption of arbitrary plaintext of his own
devising is unable to decide whether the ciphertexts he is given are
correctly signed.  This property doesn't seem to have a name.
.PP
Not all is rosy.  If you leak intermediate values during decryption then
an adversary can construct a new correctly-signed message.  Don't do
that, then \(en leaking intermediate values often voids security
warranties.  But it does avoid the usual problem with separate signing
and encryption that a careful leak by the recipient can produce evidence
that you signed some incriminating message.
.SH "CRYPTOGRAPHIC THEORY"
Encryption of a message proceeds as follows.
.hP 0.
Emit a header packet containing the key-ids for the key-encapsulation
key, and signature key if any.
.hP 1.
Use the KEM to produce a public value and a shared secret the recipient
will be able to extract from the public value using his private key.
Emit a packet containing the public value.
.hP 2.
Hash the shared secret.  Use the KDF to produce a pseudorandom keystream
of indefinite length.
.hP 3.
Use the first bits of the keystream to key a symmetric encryption
scheme; use the next bits to key a message authentication code.
.hP 4.
If we're signing the message then extract 1024 bytes from the keystream,
sign them, and emit a packet containing the signature.  The signature
packet doesn't contain the signed message, just the signature.
.hP 5.
Split the message into blocks.  For each block, pick a random IV from
the keystream, encrypt the block and emit a packet containing the
IV, ciphertext and a MAC tag.
.PP
That's it.  Nothing terribly controversial, really.
.SH "SEE ALSO"
.BR key (1),
.BR dsig (1),
.BR hashsum (1),
.BR keyring (5).
.SH AUTHOR
Mark Wooding, <mdw@nsict.org>
Commit	Line	Data
c65df279	1	.\" --nroff--
	2	.de VS
	3	.sp 1
	4	.RS
	5	.nf
	6	.ft B
	7	..
	8	.de VE
	9	.ft R
	10	.fi
	11	.RE
	12	.sp 1
	13	..
	14	.ie t \{\
	15	. if \n(.g \{\
	16	. fam P
	17	. \}
	18	.\}
	19	.de hP
	20	.IP
	21	.ft B
	22	\h'-\w'\\$1\ 'u'\\$1\ \c
	23	.ft P
	24	..
	25	.ie t .ds o \(bu
	26	.el .ds o o
	27	.TH catcrypt 1 "30 September 2004" "Straylight/Edgeware" "Catacomb cryptographic library"
	28	.SH NAME
	29	catcrypt \- encrypt and decrypt messages
	30	.SH SYNOPSIS
	31	.B catcrypt
	32	.RB [ \-k
	33	.IR keyring ]
	34	.I command
	35	.PP
	36	where
	37	.I command
	38	is one of:
	39	.PP
	40	.B help
	41	.RI [ command ...]
	42	.br
	43	.B show
	44	.RI [ item ...]
	45	.br
	46	.B encrypt
	47	.RB [ \-a ]
	48	.RB [ \-k
	49	.IR tag ]
	50	.RB [ \-f
	51	.IR format ]
	52	.RB [ \-o
	53	.IR output ]
	54	.RI [ file ]
	55	.br
	56	.B decrypt
	57	.RB [ \-aqv ]
	58	.RB [ \-f
	59	.IR format ]
	60	.RB [ \-o
	61	.IR output ]
	62	.RI [ file ]
	63	.br
	64	.B encode
65	.RB [ \-f
66	.IR format ]
67	.RB [ \-b
68	.IR boundary ]
69	.RB [ \-o
70	.IR output ]
71	.RI [ file ]
72	.br
73	.B encode
74	.RB [ \-f
75	.IR format ]
76	.RB [ \-b
77	.IR boundary ]
78	.RB [ \-o
79	.IR output ]
80	.RI [ file ]
81	.SH "DESCRIPTION"
82	The
83	.B catcrypt
84	command encrypts and decrypts messages. It also works as a simple PEM
85	encoder and decoder. It provides a number of subcommands, by which the
86	various operations may be carried out.
87	.SS "Global options"
88	Before the command name,
89	.I "global options"
90	may be given. The following global options are supported:
91	.TP
92	.BR "\-h, \-\-help " [ \fIcommand ...]
93	Writes a brief summary of
94	.BR catcrypt 's
95	various options to standard output, and returns a successful exit
96	status. With command names, gives help on those commands.
97	.TP
98	.B "\-v, \-\-version"
99	Writes the program's version number to standard output, and returns a
100	successful exit status.
101	.TP
102	.B "\-u, \-\-usage"
103	Writes a very terse command line summary to standard output, and returns
104	a successful exit status.
105	.TP
106	.BI "\-k, \-\-keyring " file
107	Names the keyring file which
108	.B key
109	is to process. The default keyring, used if this option doesn't specify
110	one, is the file named
111	.B keyring
112	in the current directory. See
113	.BR key (1)
114	and
115	.BR keyring (5)
116	for more details about keyring files.
117	.SH "KEY SETUP"
118	Algorithms to be used with a particular key are described by attributes
119	on the key, or its type. The
120	.B catcrypt
121	command deals with both signing and key-encapsulation keys.
122	.SS "Key-encapsulation keys"
123	(Key encapsulation is a means of transmitting a short, known, random
124	secret to a recipient. It differs from encryption in technical ways
125	which are largely uninteresting at this point.)
126	.PP
127	A
128	.I kemalgspec
129	has the syntax
130	.IR kem \c
131	.RB [ / \c
132	.IR cipher \c
133	.RB [ / \c
134	.IR hash ]].
135	If a
136	.B kem
137	attribute is present on the key, then it must have this form; otherwise,
138	the key's type must have the form
139	.BR cckem- \c
140	.IR kemalgspec .
141	Algorithm selections are taken from appropriately-named attributes, or,
142	failing that, from the
143	.IR kemalgspec .
144	.PP
145	The key-encapsulation mechanism is chosen according to the setting of
146	.I kem
147	as follows. Run
148	.B catcrypt show kem
149	for a list of supported KEMs.
150	.TP
151	.B rsa
152	This is Shoup's RSA-KEM (formerly Simple RSA); see
153	.I
154	A proposal for an ISO standard for public key encryption (version 2.0)
155	available at
156	.BR http://eprint.iacr.org/2000/060/ .
157	Use the
158	.B rsa
159	algorithm of the
160	.B key add
161	command (see
162	.BR key (1))
163	to generate the key.
164	.TP
165	.B dh
166	This is standard Diffie-Hellman key exchange, hashing the resulting
167	shared secret to form the key, as used in, e.g., DLIES (P1363a).
168	Use the
169	.B dh
170	algorithm of the
171	.B key add
172	command, preferably with the
173	.B \-LS
174	options, to generate the key.
175	.TP
176	.B ec
177	This is the elliptic-curve analogue of
178	.BR dh . Use the
179	.B ec
180	algorithm of the
181	.BR key (1))
182	command to generate the key.
183	.PP
184	As well as the KEM itself, a number of supporting algorithms are used.
185	These are taken from appropriately named attributes on the key or,
186	failing that, derived from other attributes as described below.
187	.TP
188	.B cipher
189	This is the symmetric encryption algorithm used for bulk data
190	encryption. If there is no
191	.B cipher
192	attribute then the
193	.I cipher
194	in the
195	.I kemalgspec
196	is used; if that it absent, then the default of
197	.B blowfish-cbc
198	is used. Run
199	.B catcrypt show cipher
200	for a list of supported symmetric encryption algorithms.
201	.TP
202	.B hash
203	This is the hash function used to distil entropy from the shared secret
204	constructed by the raw KEM. If there is no
205	.B hash
206	attribute then the
207	.I hash
208	in the
209	.I kemalgspec is used; if that is absent then the default of
210	.B rmd160
211	is used. Run
212	.B catcrypt show hash
213	for a list of supported symmetric encryption algorithms.
214	.TP
215	.B mac
216	This is the message authentication algorithm used during bulk data
217	encryption to ensure integrity of the encrypted message and defend
218	against chosen-ciphertext attacks. If there is no
219	.B mac
220	attribute then
221	.IB hash -hmac
222	is chosen as a default. Run
223	.B catcrypt show mac
224	for a list of supported message authentication algorithms.
225	.TP
226	.B kdf
227	This is the key derivation function used to stretch the hashed shared
228	secret to a sufficient length to select symmetric encryption and
229	authentication keys, initialization vectors and other necessary
230	pseudorandom quantities. If there is no
231	.B kdf
232	attribute then
233	.IB hash -mgf
234	is chosen as a default. Run
235	.B catcrypt show kdf
236	for a list of supported key derivation functions.
237	.B Caution!
238	Not all supported functions have the required security features: don't
239	override the default choice unless you know what you're doing.
240	.SS "Signing keys"
241	A
242	.I sigalgspec
243	has the form
244	.IR sig \c
245	.RB [ / \c
246	.IR hash ].
247	If a
248	.B sig
249	attribute is present on the key, then it must have this form; otherwise,
250	the key's type must have the form
251	.BI ccsig- \c
252	.IR sigalgspec .
253	Algorithm selections are taken from appropriately-named attributes, or,
254	failing that, from the
255	.IR sigalgspec .
256	.PP
257	The signature algorithm is chosen according to the setting of
258	.I sig
259	as follows. Run
260	.B catcrypt show sig
261	for a list of supported signature algorithms.
262	.TP
263	.B rsapkcs1
264	This is almost the same as the RSASSA-PKCS1-v1_5 algorithm described in
265	RFC3447; the difference is that the hash is left bare rather than being
266	wrapped in a DER-encoded
267	.B DigestInfo
268	structure. This doesn't affect security since the key can only be used
269	with the one hash function anyway, and dropping the DER wrapping permits
270	rapid adoption of new hash functions. Regardless, use of this algorithm
271	is not recommended, since the padding method has been shown vulnerable
272	to attack. Use the
273	.B rsa
274	algorithm of the
275	.B key add
276	command (see
277	.BR key (1))
278	to generate the key.
279	.TP
280	.B rsapss
281	This is the RSASSA-PSS algorithm described in RFC3447. It is the
282	preferred RSA-based signature scheme. Use the
283	.B rsa
284	algorithm of the
285	.B key add
286	command (see
287	.BR key (1))
288	to generate the key.
289	.TP
290	.B dsa
291	This is the DSA algorithm described in FIPS180-1 and FIPS180-2. Use the
292	.B dsa
293	algorithm of the
294	.B key add
295	command (see
296	.BR key (1))
297	to generate the key.
298	.TP
299	.B ecdsa
300	This is the ECDSA algorithm described in ANSI X9.62 and FIPS180-2. Use
301	the
302	.B ec
303	algorithm of the
304	.B key add
305	command (see
306	.BR key (1))
307	to generate the key.
308	.TP
309	.B kcdsa
310	This is the revised KCDSA (Korean Certificate-based Digital Signature
311	Algorithm) described in
312	.I The Revised Version of KCDSA
313	.RB ( http://dasan.sejong.ac.kr/~chlim/pub/kcdsa1.ps ).
314	Use the
315	.B dh
316	algorithm of the
317	.B key add
318	command with the
319	.B \-LS
320	options (see
321	.BR key (1))
322	to generate the key.
323	.TP
324	.B eckcdsa
325	This is an unofficial elliptic-curve analogue of the KCDSA algorithm.
326	Use the
327	.B ec
328	algorithm of the
329	.B key add
330	command (see
331	.BR key (1))
332	to generate the key.
333	.PP
334	As well as the signature algorithm itself, a hash function is used.
335	This is taken from the
336	.B hash
337	attribute on the key, or, failing that, from the
338	.I hash
339	specified in the
340	.IR sigalgspec ,
341	or, if that is absent, determined by the signature algorithm as follows.
342	.hP \*o
343	For
344	.BR rsapkcs1 ,
345	.BR rsapss ,
346	.BR dsa ,
347	and
348	.BR ecdsa ,
349	the default hash function is
350	.BR sha .
351	.hP \*o
352	For
353	.BR kcdsa
354	and
355	.BR eckcdsa ,
356	the default hash function is
357	.BR has160 .
358	.PP
359	Run
360	.B catcrypt show hash
361	for a list of supported hash functions.
362	.SH "ENCODINGS"
363	Two encodings for the ciphertext are supported.
364	.TP
365	.B binary
366	The raw format, which has the benefit of being smaller, but needs to be
367	attached to mail messages and generally handled with care.
368	.TP
369	.B pem
370	PEM-encapsulated Base-64 encoded text. This format can be included
371	directly in email and picked out again automatically; but there is a
372	4-to-3 data expansion as a result.
373	.SH "COMMAND REFERENCE"
374	.SS help
375	The
376	.B help
377	command behaves exactly as the
378	.B \-\-help
379	option. With no arguments, it shows an overview of
380	.BR catcrypt 's
381	options; with arguments, it describes the named subcommands.
382	.SS show
383	The
384	.B show
385	command prints various lists of tokens understood by
386	.BR catcrypt .
387	With no arguments, it prints all of the lists; with arguments, it prints
388	just the named lists, in order. The recognized lists can be enumerated
389	using the
390	.VS
391	catcrypt show list
392	.VE
393	command. The lists are as follows.
394	.TP
395	.B list
396	The lists which can be enumerated by the
397	.B show
398	command.
399	.TP
400	.B kem
401	The key-encapsulation algorithms which can be used in a
402	key-encapsulation key's
403	.B kem
404	attribute.
405	.TP
406	.B cipher
407	The symmetric encryption algorithms which can be used in a
408	key-encapsulation key's
409	.B cipher
410	attribute.
411	.TP
412	.B mac
413	The message authentication algorithms which can be used in a
414	key-encapsulation key's
415	.B mac
416	attribute.
417	.TP
418	.B sig
419	The signature algorithms which can be used in a signing key's
420	.B sig
421	attribute.
422	.TP
423	.B hash
424	The hash functions which can be used in a key's
425	.B hash
426	attribute.
427	.TP
428	.B enc
429	The encodings which can be applied to encrypted messages; see
430	.B ENCODINGS
431	above.
432	.SS encrypt
433	The
434	.B encrypt
435	command encrypts a file and writes out the appropriately-encoded
436	ciphertext. By default, it reads from standard input and writes to
437	standard output. If a filename argument is given, this file is read
438	instead (as binary data).
439	.PP
440	The following options are recognized.
441	.TP
442	.B "\-a, \-\-armour"
443	Produce ASCII-armoured output. This is equivalent to specifying
444	.BR "\-f pem" .
445	The variant spelling
446	.B "\-\-armor"
447	is also accepted.
448	.TP
449	.BI "\-f, \-\-format " format
450	Produce output encoded according to
451	.IR format .
452	.TP
453	.BI "\-k, \-\-key " tag
454	Use the key-encapsulation key named
455	.I tag
456	in the current keyring; the default key is
457	.BR ccrypt .
458	.TP
459	.BI "\-s, \-\-sign-key " tag
460	Use the signature key named
461	.I tag
462	in the current keyring; the default is not to sign the ciphertext.
463	.TP
464	.BI "\-o, \-\-ouptut " file
465	Write output to
466	.I file
467	rather than to standard output.
468	.SS decrypt
469	The
470	.B decrypt
471	command decrypts a ciphertext and writes out the plaintext. By default,
472	it reads from standard input and writes to standard output. If a
473	filename argument is given, this file is read instead.
474	.PP
475	The following options are recognized.
476	.TP
477	.B "\-a, \-\-armour"
478	Read ASCII-armoured output. This is equivalent to specifying
479	.BR "\-f pem" .
480	The variant spelling
481	.B "\-\-armor"
482	is also accepted.
483	.TP
484	.BI "\-f, \-\-format " format
485	Read input encoded according to
486	.IR format .
487	.TP
488	.B "\-v, \-\-verbose"
489	Produce more verbose messages. See below for the messages produced
490	during decryption. The default verbosity level is 1. (Currently this
491	is the most verbose setting. This might not be the case always.)
492	.TP
493	.B "\-q, \-\-quiet"
494	Produce fewer messages.
495	.TP
496	.BI "\-o, \-\-output " file
497	Write output to
498	.I file
499	instead of to standard output. The file is written in binary mode.
500	Fixing line-end conventions is your problem; there are lots of good
501	tools for dealing with it.
502	.PP
503	Output is written to standard output in a machine-readable format.
504	Major problems cause the program to write a diagnostic to standard error
505	and exit nonzero as usual. The quantity of output varies depending on
506	the verbosity level and whether the plaintext is also being written to
507	standard output. Output lines begin with a keyword.:
508	.TP
509	.BI "FAIL " reason
510	An error prevented decryption. The program will exit nonzero.
511	.TP
512	.BI "WARN " reason
513	.B catcrypt
514	encountered a situation which may or may not invalidate the decryption.
515	.TP
516	.BI "OK " message
517	Decryption was successful. This is only produced if main output is
518	being sent somewhere other than standard output.
519	.TP
520	.B "DATA"
521	The plaintext follows, starting just after the next newline character or
522	sequence. This is only produced if main output is being sent to
523	standard output. If anything goes wrong, a
524	.B FAIL
525	message is printed, preceded and followed by a newline, and the program
526	exits nonzero.
527	.TP
528	.BI "INFO " note
529	Any other information.
530	.PP
531	The information written at the various verbosity levels is as follows.
532	.hP 0.
533	No output. Watch the exit status.
534	.hP 1.
535	All messages.
536	.PP
537	.B Warning!
538	All output written has been checked for authenticity. However, since
539	the input is chunked, a chunk will be checked and written before the
540	authenticity of following chunks is established. Don't rely on the
541	output being complete until
542	.B catcrypt decrypt
543	prints
544	.B OK
545	and/or exits successfully.
546	.SS "encode"
547	The
548	.B encode
549	command encodes an input file according to one of the encodings
550	described above in
551	.BR ENCODINGS .
552	The input is read from the
553	.I file
554	given on the command line, or from standard input if none is specified.
555	Options provided are:
556	.TP
557	.BI "\-f, \-\-format " format
558	Produce output in
559	.IR format .
560	Run
561	.B catcrypt show enc
562	for a list of encoding formats.
563	.TP
564	.BI "\-b, \-\-boundary " label
565	Set the PEM boundary string to
566	.IR label ;
567	i.e., assuming we're encoding in PEM format, the output will have
568	.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
569	at the top and
570	.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
571	at the bottom. The default
572	.I label
573	is
574	.BR MESSAGE .
575	.TP
576	.BI "\-o, \-\-output " file
577	Write output to
578	.I file
579	instead of to standard output.
580	.SS "decode"
581	The
582	.B decode
583	command decodes an input file encoded according to one of the encodings
584	described above in
585	.BR ENCODINGS .
586	The input is read from the
587	.I file
588	given on the command line, or from standard input if none is specified.
589	Options provided are:
590	.TP
591	.BI "\-f, \-\-format " format
592	Decode input in
593	.IR format .
594	Run
595	.B catcrypt show enc
596	for a list of encoding formats.
597	.TP
598	.BI "\-b, \-\-boundary " label
599	Set the PEM boundary string to
600	.IR label ;
601	i.e., assuming we're encoding in PEM format, start processing input
602	between
603	.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
604	and
605	.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
606	lines. Without this option,
607	.B catcrypt
608	will start reading at the first plausible boundary string, and continue
609	processing until it reaches the matching end boundary.
610	.TP
611	.BI "\-o, \-\-output " file
612	Write output to
613	.I file
614	instead of to standard output.
615	.SH "SECURITY PROPERTIES"
616	Assuming the security of the underlying primitive algorithms, the
617	following security properties of the ciphertext hold.
618	.hP \*o
619	An adversary given the public key-encapsulation key and capable of
620	requesting encryption of arbitrary plaintexts of his own devising is
621	unable to decide whether he is given ciphertexts corresponding to his
622	chosen plaintexts or random plaintexts of the same length. This holds
623	even if the adversary is permitted to request decryption of any
624	ciphertext other than one produced as a result of an encryption request.
625	This property is called
626	.BR IND-CCA2 .
627	.hP \*o
628	An adversary given the public key-encapsulation and verification keys,
629	and capable of requesting encryption of arbitrary plaintext of his own
630	devising is unable to produce a new ciphertext which will be accepted as
631	genuine. This property is called
632	.BR INT-CTXT .
633	.hP \*o
634	An adversary given the public key-encapsulation and verification keys,
635	and capable of requesting encryption of arbitrary plaintext of his own
636	devising is unable to decide whether the ciphertexts he is given are
637	correctly signed. This property doesn't seem to have a name.
638	.PP
639	Not all is rosy. If you leak intermediate values during decryption then
640	an adversary can construct a new correctly-signed message. Don't do
641	that, then \(en leaking intermediate values often voids security
642	warranties. But it does avoid the usual problem with separate signing
643	and encryption that a careful leak by the recipient can produce evidence
644	that you signed some incriminating message.
645	.SH "CRYPTOGRAPHIC THEORY"
646	Encryption of a message proceeds as follows.
647	.hP 0.
648	Emit a header packet containing the key-ids for the key-encapsulation
649	key, and signature key if any.
650	.hP 1.
651	Use the KEM to produce a public value and a shared secret the recipient
652	will be able to extract from the public value using his private key.
653	Emit a packet containing the public value.
654	.hP 2.
655	Hash the shared secret. Use the KDF to produce a pseudorandom keystream
656	of indefinite length.
657	.hP 3.
658	Use the first bits of the keystream to key a symmetric encryption
659	scheme; use the next bits to key a message authentication code.
660	.hP 4.
661	If we're signing the message then extract 1024 bytes from the keystream,
662	sign them, and emit a packet containing the signature. The signature
663	packet doesn't contain the signed message, just the signature.
664	.hP 5.
665	Split the message into blocks. For each block, pick a random IV from
666	the keystream, encrypt the block and emit a packet containing the
667	IV, ciphertext and a MAC tag.
668	.PP
669	That's it. Nothing terribly controversial, really.
670	.SH "SEE ALSO"
671	.BR key (1),
672	.BR dsig (1),
673	.BR hashsum (1),
674	.BR keyring (5).
675	.SH AUTHOR
676	Mark Wooding, <mdw@nsict.org>