Name

mcrypt, mdecrypt - encrypt or decrypt files

Synopsis

mcrypt [ -dLFubhvrzp ] [-a algorithm] [-c config_file] [-m mode] [-s keysize] [-o keymode] [-k key1 key2 ...] [-f keyfile] [ filename ... ]

mdecrypt [ -LFusbhvzp ] [-a algorithm] [-c config_file] [-m mode] [-s keysize] [-o keymode] [-k key1 key2 ...] [-f keyfile] [ filename ... ]

Description

Mcrypt is a simple encryption program, a replacement for the old unix crypt(1). When encrypting or decrypting a file, a new file is created with the extension .nc and mode 0600. The new file keeps the modification date of the original. The original file may be deleted by specifying the -u parameter. If no files are specified, standard input is encrypted to standard output.

Mcrypt uses the following symmetric (block) algorithms:

DES: The traditional DES algorithm designed by IBM and the US NSA. It uses a 56-bit key and a 64-bit block. It is now considered a weak algorithm because of its small key size (it was never intended for use with classified data).

3DES or Triple DES: DES with multiple (triple) encryption. It encrypts the plaintext once, then decrypts it with the second key, and encrypts it again with the third key (outer CBC mode is used for CBC). The three keys (56 bits each) are expanded from one given key. It is much better than traditional DES since the key is now 168 bits (although the effective key length is 112 bits because of the meet-in-the-middle attack).

CAST-128: CAST was designed in Canada by Carlisle Adams and Stafford Tavares. The original algorithm used a 64-bit key and block. The algorithm here is CAST-128 (also called CAST5), which has a 128-bit key and a 64-bit block size.

CAST-256: CAST-256 was designed by Carlisle Adams. It is a symmetric cipher designed in accordance with the CAST design procedure. It is an extension of CAST-128, having a 128-bit block size and up to a 256-bit key size.

xTEA: TEA stands for the Tiny Encryption Algorithm. It is a Feistel cipher designed by David Wheeler and Roger M. Needham. The original TEA was intended for applications where code size is at a premium, or where someone must be able to remember the algorithm and code it on an arbitrary machine at a later time. The algorithm used here is extended TEA and has a 128-bit key size and a 64-bit block size.

3-WAY: The 3-Way algorithm designed by Joan Daemen. It uses a key and block size of 96 bits.

SKIPJACK: SKIPJACK was designed by the US NSA. It was part of the ill-fated "Clipper" Escrowed Encryption Standard (EES) (FIPS 185) proposal. It operates on 64-bit blocks and uses a key of 80 bits. SKIPJACK is provided only as an extra module to libmcrypt.

BLOWFISH: The Blowfish algorithm designed by Bruce Schneier. It is better and faster than DES. It can use a key up to 448 bits.

TWOFISH: Twofish was designed by Bruce Schneier, Doug Whiting, John Kelsey, Chris Hall and David Wagner for Counterpane Systems. It is intended to be highly secure and highly flexible. It uses a 128-bit block size and 128-, 192- or 256-bit keys. (Twofish is the default algorithm.)

LOKI97: LOKI97 was designed by Lawrie Brown and Josef Pieprzyk. It has a 128-bit block length and a 256-bit key schedule, which can be initialized using 128-, 192- or 256-bit keys. It has evolved from the earlier LOKI89 and LOKI91 64-bit block ciphers, with a strengthened key schedule and a larger keyspace.

RC2: RC2 (RC stands for Rivest Cipher) was designed by Ron Rivest. It uses a block size of 64 bits and a key size from 8 to 1024 bits. It is optimized for 16-bit microprocessors (reflecting its age). It is described in RFC 2268.

RC4: RC4 was designed by Ron Rivest. For several years this algorithm was considered a trade secret and details were not available. In September 1994 someone posted the source code to the cypherpunks mailing list. Although the source code is now available, RC4 is trademarked by RSADSI, so this algorithm is not included in the mcrypt distribution. A compatible cipher named ARCFOUR is included instead. It is a stream cipher and has a maximum key size of 2048 bits.

RC6: RC6 was designed by Ron Rivest for RSA Labs. In mcrypt it uses a block size of 128 bits and a key size of 128, 192 or 256 bits. Refer to RSA Labs and Ron Rivest for any copyright, patent or license issues concerning the RC6 algorithm. RC6 is provided only as an extra module to libmcrypt.

RIJNDAEL: Rijndael is a block cipher designed by Joan Daemen and Vincent Rijmen as a candidate algorithm for the AES. The cipher has a variable block length and key length. Rijndael can be implemented very efficiently on a wide range of processors and in hardware. The design of Rijndael was strongly influenced by the design of the block cipher Square. Three versions of this algorithm exist, namely RIJNDAEL-128, RIJNDAEL-192 and RIJNDAEL-256; the numerals 128, 192 and 256 stand for the block size in bits.

MARS: MARS is a 128-bit block cipher designed by IBM as a candidate for the Advanced Encryption Standard. Refer to IBM for any copyright, patent or license issues for the MARS algorithm. MARS is provided only as an extra module to libmcrypt.

PANAMA: PANAMA is a cryptographic module that can be used both as a cryptographic hash function and as a stream cipher. It was designed by Joan Daemen and Craig Clapp. PANAMA (the stream cipher) is provided only as an extra module to libmcrypt.

WAKE: WAKE is an encryption system designed for medium-speed encryption of blocks with high security. WAKE was designed by David J. Wheeler. It is intended to be fast on most computers and relies on repeated table lookups and a large state space.

SERPENT: Serpent is a 128-bit block cipher designed by Ross Anderson, Eli Biham and Lars Knudsen as a candidate for the Advanced Encryption Standard. Serpent's design was limited to well understood mechanisms, so that it could rely on the wide experience of block cipher cryptanalysis and achieve the highest practical level of assurance that no shortcut attack will be found. Serpent has twice as many rounds as are necessary to block all currently known shortcut attacks. Despite these exacting design constraints, Serpent is faster than DES.

IDEA: IDEA stands for International Data Encryption Algorithm and was designed by Xuejia Lai and James Massey. It operates on 64-bit blocks and uses a key of 128 bits. Refer to Ascom-Tech AG for any copyright, patent or license issues concerning the IDEA algorithm. IDEA is provided only as an extra module to libmcrypt.

UNIX crypt: A one-rotor machine designed along the lines of Enigma but considerably trivialized. It is very easy to break for a skilled cryptanalyst. I suggest against using it. Added just for completeness.

GOST: A former Soviet Union algorithm. An acronym for "Gosudarstvennyi Standard" or Government Standard. It uses a 256-bit key and a 64-bit block. The S-boxes used here are described in the Applied Cryptography book by Bruce Schneier. They were used in an application for the Central Bank of the Russian Federation. Some quotes from gost.c:

The standard is written by A. Zabotin (project leader), G.P. Glazkov, and V.B. Isaeva. It was accepted and introduced into use by the action of the State Standards Committee of the USSR on 2 June 1989 as No. 1409. It was to be reviewed in 1993, but whether anyone wishes to take on this obligation from the USSR is questionable.

This code is based on the 25 November 1993 draft translation by Aleksandr Malchik, with Whitfield Diffie, of the Government Standard of the U.S.S.R. GOST 28149-89, "Cryptographic Transformation Algorithm", effective 1 July 1990. (Whitfield.Diffie@eng.sun.com) Some details have been cleared up by the paper "Soviet Encryption Algorithm" by Josef Pieprzyk and Leonid Tombak of the University of Wollongong, New South Wales. (josef/leo@cs.adfa.oz.au)

SAFER: SAFER (Secure And Fast Encryption Routine) is a block cipher developed by Prof. J.L. Massey at the Swiss Federal Institute of Technology. Four versions of this algorithm exist, namely SAFER K-64, SAFER K-128, SAFER SK-64 and SAFER SK-128. The numerals 64 and 128 stand for the length of the user-selected key, 'K' stands for the original key schedule and 'SK' stands for the strengthened key schedule (in which some of the "weaknesses" of the original key schedule have been removed). In mcrypt only SAFER SK-64 and SAFER SK-128 are used.

SAFER+: SAFER+ was designed by Prof. J.L. Massey, Prof. Gurgen H. Khachatrian and Dr. Melsik K. Kuregian for Cylink. SAFER+ is based on the existing SAFER family of ciphers and provides a block size of 128 bits and key lengths of 128, 192 and 256 bits.

Hints

By default, when one of these algorithms is specified, mcrypt prompts with something like "Enter passphrase:". You should then enter a passphrase that is long enough (512 characters is the maximum length). That passphrase is transformed using the specified (or the default) key generation algorithm, and the result is used as the key fed to the algorithm.

Algorithm Vulnerability: Most algorithms today are designed to resist specific attacks. None of them is proven to be invulnerable to some kind of attack not yet known.

Compression: By compressing your data before encryption you gain both efficiency (faster encryption) and safety of your data (language redundancy is removed). Compression after encryption is useless and may result in compressed files that are larger than the original.

Error Recovery: There is some error recovery in mcrypt. If bytes are removed or lost from the file or stream, the data is impossible to recover in ECB, CBC and OFB modes, although CFB mode will recover (resynchronize). If some bytes are altered, a full block of plaintext is affected in ECB mode, two blocks in CBC and CFB modes, but only the corresponding byte in OFB mode. Mcrypt uses a 32-bit CRC to check for errors in the encrypted files.

Extra security: For the very paranoid, if mcrypt is executed with superuser privileges it ensures that no important data (keys etc.) are written to disk, for example to swap. Keep in mind that mcrypt was not designed to be a setuid program, so you shouldn't make it one.

Do not rely on the fact that an algorithm has a large key size; use long passphrases and make them unpredictable.

All the block algorithms above support these modes of encryption:

ECB: The Electronic CodeBook mode. It is the simplest mode to use with a block cipher. Encrypts each block independently.

CBC: The Cipher Block Chaining mode. It is better than ECB since each plaintext block is XOR'ed with the previous ciphertext block. A random block is placed as the first block so that the same block or message always encrypts to something different. (This is the default mode.)

CFB: The Cipher-Feedback Mode (in 8-bit). This is a self-synchronizing stream cipher implemented from a block cipher.

OFB: The Output-Feedback Mode (in 8-bit). This is a synchronous stream cipher implemented from a block cipher. It is intended for use on noisy lines, because corrupted ciphertext blocks do not corrupt the plaintext blocks that follow. It is insecure (because it is used in 8-bit mode), so I recommend against using it. Added just for completeness.

nOFB: The Output-Feedback Mode (in n-bit), where n is the block size of the algorithm. This is a synchronous stream cipher implemented from a block cipher. It is intended for use on noisy lines, because corrupted ciphertext blocks do not corrupt the plaintext blocks that follow.
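The error-propagation behaviour described in the Error Recovery hint and in the mode descriptions above, as an added example that is not part of mcrypt or its man page: it uses a toy SHA-256-based Feistel cipher (an assumption, standing in for mcrypt's real ciphers) to show which plaintext bytes a single flipped ciphertext byte damages in ECB, CBC, 8-bit CFB and 8-bit OFB.

```python
# Added example, not mcrypt code: how one corrupted ciphertext byte propagates through
# decryption. The toy 8-byte Feistel cipher is an assumption; the mode logic is the point.
import hashlib
BLOCK, ROUNDS = 8, 8  # toy 64-bit block, same size as mcrypt's DES/CAST-128/Blowfish

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(half, key, rnd):  # Feistel round function: keyed hash truncated to a half block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]
def toy_encrypt(block, key):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, xor(l, _f(r, key, rnd))
    return r + l
def toy_decrypt(block, key):  # the same rounds, applied in reverse order
    r, l = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = xor(r, _f(l, key, rnd)), l
    return l + r

def ecb(data, key, iv, enc):  # every block stands alone; iv is ignored
    fn = toy_encrypt if enc else toy_decrypt
    return b"".join(fn(data[i:i + BLOCK], key) for i in range(0, len(data), BLOCK))
def cbc(data, key, iv, enc):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(toy_encrypt(xor(blk, prev), key) if enc else xor(toy_decrypt(blk, key), prev))
        prev = out[-1] if enc else blk  # decryption chains on the *received* ciphertext
    return b"".join(out)
def cfb8(data, key, iv, enc):  # self-synchronizing: the shift register is fed ciphertext
    out, reg = bytearray(), iv
    for b in data:
        out.append(toy_encrypt(reg, key)[0] ^ b)
        reg = reg[1:] + bytes([out[-1] if enc else b])
    return bytes(out)
def ofb8(data, key, iv, enc):  # synchronous: the keystream never touches the ciphertext
    out, reg = bytearray(), iv
    for b in data:
        reg = reg[1:] + toy_encrypt(reg, key)[:1]
        out.append(reg[-1] ^ b)
    return bytes(out)

MODES = {"ecb": ecb, "cbc": cbc, "cfb8": cfb8, "ofb8": ofb8}
def damaged_positions(mode, flip_at=10):
    """Plaintext byte indices that change when ciphertext byte flip_at has one bit flipped."""
    key, iv, pt = b"toy-key!", bytes(range(BLOCK)), bytes(range(4 * BLOCK))  # constructed
    ct = bytearray(MODES[mode](pt, key, iv, True))
    ct[flip_at] ^= 0x01
    return {i for i, (a, b) in enumerate(zip(MODES[mode](bytes(ct), key, iv, False), pt)) if a != b}
```

Flipping byte 10 (inside the second block) garbles only that block in ECB, that block plus byte 18 of the next one in CBC, bytes 10 through 18 in 8-bit CFB (after which the register has shifted the bad byte out), and nothing but byte 10 in 8-bit OFB.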

Encrypted files can be restored to their original form using mcrypt -d or mdecrypt.

mdecrypt takes a list of files on its command line and creates a new file for each one: for a file whose name ends with .nc the ".nc" is removed, and if .nc is not in the encrypted file's name, ".dc" is appended to the file name.

Options

-F --force
Force output on standard output or input from stdin if that is a terminal. By default mcrypt will not output encrypted data to terminal, nor read encrypted data from it.
-z --gzip
Use gzip (if it exists in your system) to compress files before encryption. If specified at decryption time it will decompress these files.
-p --bzip2
Use bzip2 (if it exists in your system) to compress files before encryption. If specified at decryption time it will decompress these files.
-d --decrypt
Decrypt.
-h --help
Display a help screen and quit.
-L --license
Display the mcrypt's license and quit.
-o --keymode MODE
MODE may be one of the keymodes listed by the --keymodeslist parameter. It is the conversion applied to the key before it is fed to the algorithm. It is recommended to leave it as is if you do not know what it is.
-h --hash HASH_ALGORITHM
HASH_ALGORITHM may be one of the algorithms listed by the --hashlist parameter. This is the digest that will be appended to the file to be encrypted, in order to detect file corruption. The default is the CRC32 checksum.
-s --keysize SIZE
SIZE is the algorithm's key size (not the size of the passphrase). It defaults to the maximum key supported by the algorithm. The maximum key sizes of the algorithms may be obtained by the --list parameter. It is safe not to touch this.
-b --bare
No important information such as the algorithm, mode, bit mode and the crc32 of the original file is written to the encrypted file. The security lies in the algorithm, not in obscurity, so this is NOT the default. This flag must also be specified when decrypting a bare encrypted file. When the bare flag is specified, decryption and encryption are faster. This may be useful when using mcrypt to encrypt a link or something like that.
--flush
Flushes the output (ciphertext or plaintext) immediately. Useful if mcrypt is used with pipes.
--nodelete
When this option is specified mcrypt does not delete the output file, even if decryption failed. This is useful if you want to decrypt a corrupted file.
-q --quiet
Suppress some non-critical warnings.
-u --unlink
Unlink (delete) the input file if the whole process of encryption/decryption succeeds. This is not the default, so that an external program can be used to remove sensitive data.
--list
Lists all the algorithms currently supported.
--keymodeslist
Lists all the key modes currently supported.
--hashlist
Lists all the hash algorithms currently supported.
-r --random
Use /dev/(s)random instead of /dev/urandom. This may need some keyboard input or mouse movement to proceed. If your system supports neither /dev/random nor /dev/urandom, it does nothing, and you rely on your libc for random data (actually pseudo-random).
-k --key KEY1 KEY2 ...
Enter the keyword(s) via the command line. The KEY(s) are then used as keywords instead of prompting for them. Keep in mind that someone may see the command you are executing, and so your keyword(s).
-c --config FILE
Use the specified configuration file. The default is .mcryptrc in your home directory. The format of the configuration file is the same as the parameters. An example file is:

    algorithm safer+
    mode cbc
    key a_very_secret_one

-f --keyfile FILE
Enter the keyword(s) via a file. One keyword is read per line. The first keyword read is used for the first file, the second for the second file, and so on. If there are fewer keywords than files, the last keyword is used for the remaining files. A limitation is that you cannot use the NULL (\0) and Newline (\n) characters in the key. A solution to this problem is to specify the keyword in hex mode.
-m --mode MODE
Mode of encryption and decryption. These modes are currently supported: ECB, CFB, OFB, nOFB, CBC and STREAM. CBC is the default. Unless the bare flag is specified there is no need to specify the mode for decryption. For stream algorithms (like WAKE) the mode should be STREAM.
-a --algorithm ALGORITHM
The algorithm used to encrypt and decrypt. Unless the bare flag is specified there is no need to specify it for decryption.

The algorithms currently supported are shown with the --list parameter.

Examples

For mcrypt to be compatible with the Solaris des(1), the following parameters are needed: "mcrypt -a des --keymode pkdes --bare --noiv filename".

For mcrypt to be compatible with the unix crypt(1), the following parameters are needed: "mcrypt -a crypt --keymode asis --bare filename".

To encrypt a file using a stream algorithm (e.g. Arcfour), the following parameters are needed: "mcrypt -a arcfour --mode stream filename".

-v --version
Display the version number and quit.

Environment

Mcrypt uses the following environment variables:

MCRYPT_KEY: to specify the key

MCRYPT_ALGO: to specify the algorithm

MCRYPT_MODE: to specify the algorithm's mode

MCRYPT_KEY_MODE: to specify the key mode

You can use these instead of the command line (which is insecure), but note that only one key can be given in MCRYPT_KEY.

See Also

crypt(1), des(1)

Diagnostics

Exit status is normally 0; if an error occurs, exit status is something other than 0.

Usage: mcrypt [-dLFubhvrzp] [-f keyfile] [-k key1 key2 ...] [-m mode] [-o keymode] [-a algorithm] [-c config_file] [filename ...]

Authors

Version 2.5.0 Copyright (C) 1998,1999,2000 Nikos Mavroyanopoulos (nmav@hellug.gr).

Thanks to all the people who reported problems and suggested various improvements for mcrypt; who are too numerous to cite here.

