+++ /dev/null
-.\" -*-nroff-*-
-.de VS
-.sp 1
-.RS
-.nf
-.ft B
-..
-.de VE
-.ft R
-.fi
-.RE
-.sp 1
-..
-.ie t \{\
-. if \n(.g \{\
-. fam P
-. \}
-.\}
-.de hP
-.IP
-.ft B
-\h'-\w'\\$1\ 'u'\\$1\ \c
-.ft P
-..
-.ie t .ds o \(bu
-.el .ds o o
-.TH catcrypt 1 "30 September 2004" "Straylight/Edgeware" "Catacomb cryptographic library"
-.SH NAME
-catcrypt \- encrypt and decrypt messages
-.SH SYNOPSIS
-.B catcrypt
-.RB [ \-k
-.IR keyring ]
-.I command
-.PP
-where
-.I command
-is one of:
-.PP
-.B help
-.RI [ command ...]
-.br
-.B show
-.RI [ item ...]
-.br
-.B encrypt
-.RB [ \-apC ]
-.RB [ \-k
-.IR tag ]
-.RB [ \-f
-.IR format ]
-.RB [ \-o
-.IR output ]
-.RI [ file ]
-.br
-.B decrypt
-.RB [ \-apqvC ]
-.RB [ \-f
-.IR format ]
-.RB [ \-o
-.IR output ]
-.RI [ file ]
-.br
-.B encode
-.RB [ \-p ]
-.RB [ \-f
-.IR format ]
-.RB [ \-b
-.IR boundary ]
-.RB [ \-o
-.IR output ]
-.RI [ file ]
-.br
-.B decode
-.RB [ \-p ]
-.RB [ \-f
-.IR format ]
-.RB [ \-b
-.IR boundary ]
-.RB [ \-o
-.IR output ]
-.RI [ file ]
-.SH "DESCRIPTION"
-The
-.B catcrypt
-command encrypts and decrypts messages. It also works as a simple PEM
-encoder and decoder. It provides a number of subcommands, by which the
-various operations may be carried out.
-.SS "Global options"
-Before the command name,
-.I "global options"
-may be given. The following global options are supported:
-.TP
-.BR "\-h, \-\-help " [ \fIcommand ...]
-Writes a brief summary of
-.BR catcrypt 's
-various options to standard output, and returns a successful exit
-status. With command names, gives help on those commands.
-.TP
-.B "\-v, \-\-version"
-Writes the program's version number to standard output, and returns a
-successful exit status.
-.TP
-.B "\-u, \-\-usage"
-Writes a very terse command line summary to standard output, and returns
-a successful exit status.
-.TP
-.BI "\-k, \-\-keyring " file
-Names the keyring file which
-.B key
-is to process. The default keyring, used if this option doesn't specify
-one, is the file named
-.B keyring
-in the current directory. See
-.BR key (1)
-and
-.BR keyring (5)
-for more details about keyring files.
-.SH "KEY SETUP"
-Algorithms to be used with a particular key are described by attributes
-on the key, or its type. The
-.B catcrypt
-command deals with both signing and key-encapsulation keys. (Note that
-.B catcrypt
-uses signing keys in the same way as
-.BR catsign (1).)
-.SS "Key-encapsulation keys"
-(Key encapsulation is a means of transmitting a short, known, random
-secret to a recipient. It differs from encryption in technical ways
-which are largely uninteresting at this point.)
-.PP
-A
-.I kemalgspec
-has the syntax
-.IR kem \c
-.RB [ / \c
-.IR cipher \c
-.RB [ / \c
-.IR hash ]].
-If a
-.B kem
-attribute is present on the key, then it must have this form; otherwise,
-the key's type must have the form
-.BR cckem- \c
-.IR kemalgspec .
-Algorithm selections are taken from appropriately-named attributes, or,
-failing that, from the
-.IR kemalgspec .
-.PP
-The key-encapsulation mechanism is chosen according to the setting of
-.I kem
-as follows. Run
-.B catcrypt show kem
-for a list of supported KEMs.
-.TP
-.B rsa
-This is Shoup's RSA-KEM (formerly Simple RSA); see
-.I
-A proposal for an ISO standard for public key encryption (version 2.0)
-available at
-.BR http://eprint.iacr.org/2000/060/ .
-Use the
-.B rsa
-algorithm of the
-.B key add
-command (see
-.BR key (1))
-to generate the key.
-.TP
-.B dh
-This is standard Diffie-Hellman key exchange, hashing the resulting
-shared secret to form the key, as used in, e.g., DLIES (P1363a).
-Use the
-.B dh
-algorithm of the
-.B key add
-command, preferably with the
-.B \-LS
-options, to generate the key.
-.TP
-.B ec
-This is the elliptic-curve analogue of
-.BR dh .
-Use the
-.B ec
-algorithm of the
-.BR key (1))
-command to generate the key.
-.TP
-.B symm
-This is a simple symmetric encapsulation scheme. It works by hashing a
-binary key with a randomly-generated salt. Use the
-.B binary
-algorithm of the
-.B key add
-command (see
-.BR key (1))
-to generate the key.
-.PP
-As well as the KEM itself, a number of supporting algorithms are used.
-These are taken from appropriately named attributes on the key or,
-failing that, derived from other attributes as described below.
-.TP
-.B cipher
-This is the symmetric encryption algorithm used for bulk data
-encryption. If there is no
-.B cipher
-attribute then the
-.I cipher
-in the
-.I kemalgspec
-is used; if that it absent, then the default of
-.B blowfish-cbc
-is used. Run
-.B catcrypt show cipher
-for a list of supported symmetric encryption algorithms.
-.TP
-.B hash
-This is the hash function used to distil entropy from the shared secret
-constructed by the raw KEM. If there is no
-.B hash
-attribute then the
-.I hash
-in the
-.I kemalgspec
-is used; if that is absent then the default of
-.B rmd160
-is used. Run
-.B catcrypt show hash
-for a list of supported symmetric encryption algorithms.
-.TP
-.B mac
-This is the message authentication algorithm used during bulk data
-encryption to ensure integrity of the encrypted message and defend
-against chosen-ciphertext attacks. If there is no
-.B mac
-attribute then
-.IB hash -hmac
-is chosen as a default. Run
-.B catcrypt show mac
-for a list of supported message authentication algorithms.
-.TP
-.B kdf
-This is the key derivation function used to stretch the hashed shared
-secret to a sufficient length to select symmetric encryption and
-authentication keys, initialization vectors and other necessary
-pseudorandom quantities. If there is no
-.B kdf
-attribute then
-.IB hash -mgf
-is chosen as a default. Run
-.B catcrypt show kdf
-for a list of supported key derivation functions.
-.B Caution!
-Not all supported functions have the required security features: don't
-override the default choice unless you know what you're doing.
-.SS "Signing keys"
-A
-.I sigalgspec
-has the form
-.IR sig \c
-.RB [ / \c
-.IR hash ].
-If a
-.B sig
-attribute is present on the key, then it must have this form; otherwise,
-the key's type must have the form
-.BI ccsig- \c
-.IR sigalgspec .
-Algorithm selections are taken from appropriately-named attributes, or,
-failing that, from the
-.IR sigalgspec .
-.PP
-The signature algorithm is chosen according to the setting of
-.I sig
-as follows. Run
-.B catcrypt show sig
-for a list of supported signature algorithms.
-.TP
-.B rsapkcs1
-This is almost the same as the RSASSA-PKCS1-v1_5 algorithm described in
-RFC3447; the difference is that the hash is left bare rather than being
-wrapped in a DER-encoded
-.B DigestInfo
-structure. This doesn't affect security since the key can only be used
-with the one hash function anyway, and dropping the DER wrapping permits
-rapid adoption of new hash functions. Regardless, use of this algorithm
-is not recommended, since the padding method has been shown vulnerable
-to attack. Use the
-.B rsa
-algorithm of the
-.B key add
-command (see
-.BR key (1))
-to generate the key.
-.TP
-.B rsapss
-This is the RSASSA-PSS algorithm described in RFC3447. It is the
-preferred RSA-based signature scheme. Use the
-.B rsa
-algorithm of the
-.B key add
-command (see
-.BR key (1))
-to generate the key.
-.TP
-.B dsa
-This is the DSA algorithm described in FIPS180-1 and FIPS180-2. Use the
-.B dsa
-algorithm of the
-.B key add
-command (see
-.BR key (1))
-to generate the key.
-.TP
-.B ecdsa
-This is the ECDSA algorithm described in ANSI X9.62 and FIPS180-2. Use
-the
-.B ec
-algorithm of the
-.B key add
-command (see
-.BR key (1))
-to generate the key.
-.TP
-.B kcdsa
-This is the revised KCDSA (Korean Certificate-based Digital Signature
-Algorithm) described in
-.I The Revised Version of KCDSA
-.RB ( http://dasan.sejong.ac.kr/~chlim/pub/kcdsa1.ps ).
-Use the
-.B dh
-algorithm of the
-.B key add
-command with the
-.B \-LS
-options (see
-.BR key (1))
-to generate the key.
-.TP
-.B eckcdsa
-This is an unofficial elliptic-curve analogue of the KCDSA algorithm.
-Use the
-.B ec
-algorithm of the
-.B key add
-command (see
-.BR key (1))
-to generate the key.
-.TP
-.B mac
-This uses a symmetric message-authentication algorithm rather than a
-digital signature. The precise message-authentication scheme used is
-determined by the
-.B mac
-attribute on the key, which defaults to
-.IB hash -hmac
-if unspecified. Use the
-.B binary
-algorithm of the
-.B key add
-command (see
-.BR key (1))
-to generate the key.
-.PP
-As well as the signature algorithm itself, a hash function is used.
-This is taken from the
-.B hash
-attribute on the key, or, failing that, from the
-.I hash
-specified in the
-.IR sigalgspec ,
-or, if that is absent, determined by the signature algorithm as follows.
-.hP \*o
-For
-.BR rsapkcs1 ,
-.BR rsapss ,
-.BR dsa ,
-and
-.BR ecdsa ,
-the default hash function is
-.BR sha .
-.hP \*o
-For
-.BR kcdsa
-and
-.BR eckcdsa ,
-the default hash function is
-.BR has160 .
-.PP
-Run
-.B catcrypt show hash
-for a list of supported hash functions.
-.SH "ENCODINGS"
-Two encodings for the ciphertext are supported.
-.TP
-.B binary
-The raw format, which has the benefit of being smaller, but needs to be
-attached to mail messages and generally handled with care.
-.TP
-.B pem
-PEM-encapsulated Base-64 encoded text. This format can be included
-directly in email and picked out again automatically; but there is a
-4-to-3 data expansion as a result.
-.SH "COMMAND REFERENCE"
-.SS help
-The
-.B help
-command behaves exactly as the
-.B \-\-help
-option. With no arguments, it shows an overview of
-.BR catcrypt 's
-options; with arguments, it describes the named subcommands.
-.SS show
-The
-.B show
-command prints various lists of tokens understood by
-.BR catcrypt .
-With no arguments, it prints all of the lists; with arguments, it prints
-just the named lists, in order. The recognized lists can be enumerated
-using the
-.VS
-catcrypt show list
-.VE
-command. The lists are as follows.
-.TP
-.B list
-The lists which can be enumerated by the
-.B show
-command.
-.TP
-.B kem
-The key-encapsulation algorithms which can be used in a
-key-encapsulation key's
-.B kem
-attribute.
-.TP
-.B cipher
-The symmetric encryption algorithms which can be used in a
-key-encapsulation key's
-.B cipher
-attribute.
-.TP
-.B mac
-The message authentication algorithms which can be used in a
-key-encapsulation key's
-.B mac
-attribute.
-.TP
-.B sig
-The signature algorithms which can be used in a signing key's
-.B sig
-attribute.
-.TP
-.B hash
-The hash functions which can be used in a key's
-.B hash
-attribute.
-.TP
-.B enc
-The encodings which can be applied to encrypted messages; see
-.B ENCODINGS
-above.
-.SS encrypt
-The
-.B encrypt
-command encrypts a file and writes out the appropriately-encoded
-ciphertext. By default, it reads from standard input and writes to
-standard output. If a filename argument is given, this file is read
-instead (as binary data).
-.PP
-The following options are recognized.
-.TP
-.B "\-a, \-\-armour"
-Produce ASCII-armoured output. This is equivalent to specifying
-.BR "\-f pem" .
-The variant spelling
-.B "\-\-armor"
-is also accepted.
-.TP
-.BI "\-f, \-\-format " format
-Produce output encoded according to
-.IR format .
-.TP
-.BI "\-k, \-\-key " tag
-Use the key-encapsulation key named
-.I tag
-in the current keyring; the default key is
-.BR ccrypt .
-.TP
-.BI "\-p, \-\-progress"
-Write a progress meter to standard error while processing large files.
-.TP
-.BI "\-s, \-\-sign-key " tag
-Use the signature key named
-.I tag
-in the current keyring; the default is not to sign the ciphertext.
-.TP
-.BI "\-o, \-\-ouptut " file
-Write output to
-.I file
-rather than to standard output.
-.TP
-.B "\-C, \-\-nocheck"
-Don't check the public key for validity. This makes encryption go much
-faster, but at the risk of using a duff key.
-.SS decrypt
-The
-.B decrypt
-command decrypts a ciphertext and writes out the plaintext. By default,
-it reads from standard input and writes to standard output. If a
-filename argument is given, this file is read instead.
-.PP
-The following options are recognized.
-.TP
-.B "\-a, \-\-armour"
-Read ASCII-armoured input. This is equivalent to specifying
-.BR "\-f pem" .
-The variant spelling
-.B "\-\-armor"
-is also accepted.
-.TP
-.B "\-b, \-\-buffer"
-Buffer plaintext data until we're sure we've got it all. This is forced
-on if output is to stdout, but is always available as an option.
-.TP
-.BI "\-f, \-\-format " format
-Read input encoded according to
-.IR format .
-.TP
-.BI "\-p, \-\-progress"
-Write a progress meter to standard error while processing large files.
-.TP
-.B "\-v, \-\-verbose"
-Produce more verbose messages. See below for the messages produced
-during decryption. The default verbosity level is 1. (Currently this
-is the most verbose setting. This might not be the case always.)
-.TP
-.B "\-q, \-\-quiet"
-Produce fewer messages.
-.TP
-.BI "\-o, \-\-output " file
-Write output to
-.I file
-instead of to standard output. The file is written in binary mode.
-Fixing line-end conventions is your problem; there are lots of good
-tools for dealing with it.
-.TP
-.B "\-C, \-\-nocheck"
-Don't check the private key for validity. This makes decryption go much
-faster, but at the risk of using a duff key, and possibly leaking
-information about the private key.
-.PP
-Output is written to standard output in a machine-readable format.
-Major problems cause the program to write a diagnostic to standard error
-and exit nonzero as usual. The quantity of output varies depending on
-the verbosity level and whether the plaintext is also being written to
-standard output. Output lines begin with a keyword:
-.TP
-.BI "FAIL " reason
-An error prevented decryption. The program will exit nonzero.
-.TP
-.BI "WARN " reason
-.B catcrypt
-encountered a situation which may or may not invalidate the decryption.
-.TP
-.BI "OK " message
-Decryption was successful. This is only produced if main output is
-being sent somewhere other than standard output.
-.TP
-.B "DATA"
-The plaintext follows, starting just after the next newline character or
-sequence. This is only produced if main output is also being sent to
-standard output.
-.TP
-.BI "INFO " note
-Any other information.
-.PP
-The information written at the various verbosity levels is as follows.
-.hP 0.
-No output. Watch the exit status.
-.hP 1.
-All messages.
-.PP
-.B Warning!
-All output written has been checked for authenticity. However, output
-can fail madway through for many reasons, and the resulting message may
-therefore be truncated. Don't rely on the output being complete until
-.B OK
-is printed or
-.B catcrypt decrypt
-exits successfully.
-.SS "encode"
-The
-.B encode
-command encodes an input file according to one of the encodings
-described above in
-.BR ENCODINGS .
-The input is read from the
-.I file
-given on the command line, or from standard input if none is specified.
-Options provided are:
-.TP
-.BI "\-p, \-\-progress"
-Write a progress meter to standard error while processing large files.
-.TP
-.BI "\-f, \-\-format " format
-Produce output in
-.IR format .
-Run
-.B catcrypt show enc
-for a list of encoding formats.
-.TP
-.BI "\-b, \-\-boundary " label
-Set the PEM boundary string to
-.IR label ;
-i.e., assuming we're encoding in PEM format, the output will have
-.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
-at the top and
-.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
-at the bottom. The default
-.I label
-is
-.BR MESSAGE .
-.TP
-.BI "\-o, \-\-output " file
-Write output to
-.I file
-instead of to standard output.
-.SS "decode"
-The
-.B decode
-command decodes an input file encoded according to one of the encodings
-described above in
-.BR ENCODINGS .
-The input is read from the
-.I file
-given on the command line, or from standard input if none is specified.
-Options provided are:
-.TP
-.BI "\-f, \-\-format " format
-Decode input in
-.IR format .
-Run
-.B catcrypt show enc
-for a list of encoding formats.
-.TP
-.BI "\-b, \-\-boundary " label
-Set the PEM boundary string to
-.IR label ;
-i.e., assuming we're encoding in PEM format, start processing input
-between
-.BI "\-\-\-\-\-BEGIN " label "\-\-\-\-\-"
-and
-.BI "\-\-\-\-\-END " label "\-\-\-\-\-"
-lines. Without this option,
-.B catcrypt
-will start reading at the first plausible boundary string, and continue
-processing until it reaches the matching end boundary.
-.TP
-.BI "\-p, \-\-progress"
-Write a progress meter to standard error while processing large files.
-.TP
-.BI "\-o, \-\-output " file
-Write output to
-.I file
-instead of to standard output.
-.SH "SECURITY PROPERTIES"
-Assuming the security of the underlying primitive algorithms, the
-following security properties of the ciphertext hold.
-.hP \*o
-An adversary given the public key-encapsulation key and capable of
-requesting encryption of arbitrary plaintexts of his own devising is
-unable to decide whether he is given ciphertexts corresponding to his
-chosen plaintexts or random plaintexts of the same length. This holds
-even if the adversary is permitted to request decryption of any
-ciphertext other than one produced as a result of an encryption request.
-This property is called
-.BR IND-CCA2 .
-.hP \*o
-An adversary given the public key-encapsulation and verification keys,
-and capable of requesting encryption of arbitrary plaintext of his own
-devising is unable to produce a new ciphertext which will be accepted as
-genuine. This property is called
-.BR INT-CTXT .
-.hP \*o
-An adversary given the public key-encapsulation and verification keys,
-and capable of requesting encryption of arbitrary plaintext of his own
-devising is unable to decide whether the ciphertexts he is given are
-correctly signed. This property doesn't seem to have a name.
-.PP
-Not all is rosy. If you leak intermediate values during decryption then
-an adversary can construct a new correctly-signed message. Don't do
-that, then \(en leaking intermediate values often voids security
-warranties. But it does avoid the usual problem with separate signing
-and encryption that a careful leak by the recipient can produce evidence
-that you signed some incriminating message.
-.PP
-Note that
-.BR catcrypt 's
-signatures do
-.I not
-provide `non-repudiation' in any useful way. This is deliberate: the
-purpose of signing is to convince the recipient of the sender's
-identity, rather than to allow the recipient to persuade anyone else.
-Indeed, given an encrypted and signed message, the recipient can
-straightforwardly construct a new message, apparently from the same
-sender, and whose signature still verifies, but with arbitrarily chosen
-content.
-.SH "CRYPTOGRAPHIC THEORY"
-Encryption of a message proceeds as follows.
-.hP 0.
-Emit a header packet containing the key-ids for the key-encapsulation
-key, and signature key if any.
-.hP 1.
-Use the KEM to produce a public value and a shared secret the recipient
-will be able to extract from the public value using his private key.
-Emit a packet containing the public value.
-.hP 2.
-Hash the shared secret. Use the KDF to produce a pseudorandom keystream
-of indefinite length.
-.hP 3.
-Use the first bits of the keystream to key a symmetric encryption
-scheme; use the next bits to key a message authentication code.
-.hP 4.
-If we're signing the message then extract 1024 bytes from the keystream,
-sign the header and public value, and the keystream bytes; emit a packet
-containing the signature. The signature packet doesn't contain the
-signed message, just the signature.
-.hP 5.
-Split the message into blocks. For each block, pick a random IV from
-the keystream, encrypt the block and emit a packet containing the
-IV, ciphertext, and a MAC tag over the ciphertext and a sequence number.
-.hP 6.
-The last chunk is the encryption of an empty plaintext block. No
-previous plaintext block is empty. This lets us determine the
-difference between a complete file and one that's been maliciously
-truncated.
-.PP
-That's it. Nothing terribly controversial, really.
-.SH "SEE ALSO"
-.BR key (1),
-.BR catsign (1),
-.BR dsig (1),
-.BR hashsum (1),
-.BR keyring (5).
-.SH AUTHOR
-Mark Wooding, <mdw@distorted.org.uk>
projects / u / mdw / catacomb / blobdiff