SourceForge Logo

TclDES: Munitions-grade Tcl scripting!

What is it?

TclDES is a pure-Tcl implementation of the NIST Data Encryption Standard (DES). The package can perform encryption and decryption using either the standard DES algorithm or the triple-DES (3DES) algorithm. All four DES modes are supported: Electronic Code Block (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), and Output Feedback (OFB). TclDES is a port of a Javascript implementation of DES/3DES (ECB and CBC modes) by Paul Tero, of Shoppable in the United Kingdom, with optimizations by Michael Hayworth.

TclDES and TclDESjr are now part of tcllib! Tcllib is the standardized Tcl library. TclDES and TclDESjr were adopted into tcllib 1.8 to provide a feature-complete implementation of DES and 3DES, replacing the DES-ECB implementation written by Jochen C Loewer. In the process of adopting TclDES and TclDESjr into tcllib, Pat Thoyts created a new programming interface that is consistent with other tcllib packages. This interface is described in the tcllib des documentation. Note that the programming interface provided by TclDES 0.8 and TclDESjr 0.8 has been maintained for backward compatibility. TclDES is now in maintenance mode under the asupices of the tcllib development team and myself (if they need help).

The TclDES 0.8 distribution contains the document A Guide To TclDES. This document provides an overview of the DES and 3DES algorithms, the various modes of operation for DES/3DES, and installation and usage instructions for the TclDES library. Note that the code examples in the document use the TclDES 0.8 and TclDESjr 0.8 programming interface.

Why is TclDES a munition?

Under the International Traffic in Arms Regulations (ITARs), encryption software and hardware are considered munitions along with guns, tanks, nuclear, biological, and chemical weapons. Encryption can potentially be used by adversaries to conceal their communications from the United States government. As a result, export of encryption software and hardware requires licensing and approval by the U.S. government.

Fortunately, export restrictions have been eased significantly in recent years. This is due to several reasons. For one, the large amount of commerce now occuring on the Internet requires that encryption be widely available. With commerce equating to money, there is a strong desire by the U.S. government for American companies to remain competitive. Another reason is that it has become virtually impossible to control the flow of cryptographic software into and out of the United States. Many books on encryption, containing source code, are readily available. Ironically, these books have no restrictions on export due to the 1st Ammendment of the U.S. Constitution. Also, the availablility of many encryption packages (such as OpenSSL and PGP) make the entire effort of controlling encryption export rather moot.

How is TclDES being made available then?

This source code is being made publicly available and has been registered with the U.S. Dept. of Commerce Bureau of Industry and Security (BIS) under export license exception TSU (Technology and Software Unrestricted) for export out of the United States. To qualify for this exception, the sources to TclDES must be made available with minimial or no cost. To satisfy this requirement, the TclDES sources are licensed under the same Open Source license as Tcl (BSD). Details can be found in the TclDES source code.

While license exception TSU allows for the export of TclDES out of the United States, the import of the strong encryption (3DES) contained within TclDES into other countries could be an issue. The BIS Export Administration Regulations (EARs) and the Wassenaar Arrangement allow for the unrestricted export (no licensing required) of symmetric key encryption with key lengths of 56 or fewer bits. The Wassenaar Arrangement is signed by 33 founding countries, which includes most of the major industrialized nations. To satisfy this restriction and make a pure-Tcl implementation of DES as widely available as possible, I have created a version of the source code with the 3DES capabilities stripped out. This version is called TclDESjr.

The source code of TclDES and TclDESjr is platform independent, though current development is on a Slackware Linux 9.1 system with Tcl/Tk 8.4.6. Documentation is in the form of man pages (tcldes.n and tcldesjr.n, respectively). The man pages, formated into HTML, for TclDES and TclDESjr are available on this website. The man pages are included in the TclDES and TclDESjr distributions.

How is TclDES Tested?

Both TclDES and TclDESjr ECB and CBC modes have been tested against the OpenSSL DES library functions. The code in TclDES and the OpenSSL DES library have common roots in the SSLeay library DES functions developed by Eric A. Young. A Tcl binding to the appropriate DES C functions was created using the SWIG tool, version 1.1 (build 883) The binding has been compiled and executed only within the Linux environment described above. Note: This binding can potentially be a useful Tcl extension library in its own right if a faster DES implementation is needed.

The OFB and CFB modes use the same core DES engine as the ECB and CBC modes. The difference is that in OFB and CFB modes, the message byte stream is converted to a bit stream and reformated into k-bit data units prior to mixing with k bits of the cypto pattern generated by the DES engine. Afterwards, the k-bit data unit is appended to another bit stream and then converted back to bytes for output. The testing performed is actually aimed at assuring that the sequence of byte stream unpacking, mixing, and repacking works correctly for both encryption and decryption. This is accomplished merely by encrypting the plain text message, immediately followed by decrypting the cypher text, and comparing the result to the original message. Comparison to the OpenSSL implementation is not feasible because of bugs in their implementation and the fact that they use unpack data streams. For example, with the OpenSSL version, with a 12-bit data unit size, each 12 bits must reside in their own two bytes, with zero bits for the unused four bits. The OpenSSL des_ofb64_encrypt and des_cfb64_encrypt functions do not have the unpacked data problem, but then, the TclDES bit reformatting software isn't really exercised in this case either.

Test scripts, employing Monte Carlo analysis, have been written to exercise TclDES and TclDESjr against the OpenSSL DES functions. No discrepencies have yet to be found between the results generated by TclDES, TclDESjr, and the OpenSSL DES functions. Still, much more testing needs to be performed before a statistically meaningful subset of the encryption key and message spaces will have been sampled. The SWIG wrapper file and testing scripts are available only through the TclDES CVS archive.


TclDES 0.8 and TclDESjr 0.8 are available as either gzipped tar archives for GNU/Linux (and other Un*xes) or pkzip archives for Microsoft Windows. All can be obtained at the TclDES SourceForge Files page.
Earler versions of TclDES and TclDESjr can also be found at the TclDES SourceForge Files page.


Feedback and suggestions for new features for TclDES are invited. Be aware that development is still ongoing. New versions of TclDES and TclDESjr will be made available as time allows. You can send your emails to mcody <at>


Go to the TclDES SourceForge Summary page or browse the TclDES CVS repository.
The tcllib SourceForge Home page.
The original Javascript and Perl DES/3DES implementations can be found here at the Shoppable website.
Links to HTML versions of FIPS PUB 46-2 Data Encryption Standard (DES) and FIPS PUB 81 DES MODES OF OPERATION from NIST.

The website for the U.S. Dept. of Commerce Bureau of Industry and Security and the webpage for Commercial Encryption Export Controls. Information and notification for export license exception TSU can be found here.
The website for The Wassenaar Arrangement On Export Controls for Conventional Arms and Dual-Use Goods and Technologines can be reached here. The specific regulations on encryption devices is documented in Dual-Use List - Catagory 5 - Part 2 - Information Security (PDF).

The ActiveState Tcl Developer Xchange.

2004, 2005 Mac A. Cody

Last updated Thursday, December 22, 2005