TclDES is a pure-Tcl implementation of the NIST Data Encryption Standard (DES). The package can perform encryption and decryption using either the standard DES algorithm or the triple-DES (3DES) algorithm. All four DES modes are supported: Electronic Code Block (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), and Output Feedback (OFB). TclDES is a port of a Javascript implementation of DES/3DES (ECB and CBC modes) by Paul Tero, of Shoppable in the United Kingdom, with optimizations by Michael Hayworth.
TclDES and TclDESjr are now part of tcllib! Tcllib is the standardized Tcl library. TclDES and TclDESjr were adopted into tcllib 1.8 to provide a feature-complete implementation of DES and 3DES, replacing the DES-ECB implementation written by Jochen C Loewer. In the process of adopting TclDES and TclDESjr into tcllib, Pat Thoyts created a new programming interface that is consistent with other tcllib packages. This interface is described in the tcllib des documentation.
Note that the programming interface provided by TclDES 0.8 and TclDESjr 0.8 has been maintained for backward compatibility. TclDES is now in maintenance mode under the auspices of the tcllib development team and myself (if they need help).
The TclDES 0.8 distribution contains the document A Guide To TclDES. This document provides an overview of the DES and 3DES algorithms, the various modes of operation for DES/3DES, and installation and usage instructions for the TclDES library. Note that the code examples in the document use the TclDES 0.8 and TclDESjr 0.8 programming interface.
Under the International Traffic in Arms Regulations (ITARs), encryption software and hardware are considered munitions along with guns, tanks, nuclear, biological, and chemical weapons. Encryption can potentially be used by adversaries to conceal their communications from the United States government. As a result, export of encryption software and hardware requires licensing and approval by the U.S. government.
Fortunately, export restrictions have been eased significantly in recent years. This is due to several reasons. For one, the large amount of commerce now occurring on the Internet requires that encryption be widely available. With commerce equating to money, there is a strong desire by the U.S. government for American companies to remain competitive. Another reason is that it has become virtually impossible to control the flow of cryptographic software into and out of the United States. Many books on encryption, containing source code, are readily available. Ironically, these books have no restrictions on export due to the 1st Amendment of the U.S. Constitution. Also, the availability of many encryption packages (such as OpenSSL and PGP) makes the entire effort of controlling encryption export rather moot.
This source code is being made publicly available and has been registered with the U.S. Dept. of Commerce Bureau of Industry and Security (BIS) under export license exception TSU (Technology and Software Unrestricted) for export out of the United States. To qualify for this exception, the sources to TclDES must be made available with minimal or no cost. To satisfy this requirement, the TclDES sources are licensed under the same Open Source license as Tcl (BSD). Details can be found in the TclDES source code.
While license exception TSU allows for the export of TclDES out of the United States, the import of the strong encryption (3DES) contained within TclDES into other countries could be an issue. The BIS Export Administration Regulations (EARs) and the Wassenaar Arrangement allow for the unrestricted export (no licensing required) of symmetric key encryption with key lengths of 56 or fewer bits. The Wassenaar Arrangement is signed by 33 founding countries, which includes most of the major industrialized nations. To satisfy this restriction and make a pure-Tcl implementation of DES as widely available as possible, I have created a version of the source code with the 3DES capabilities stripped out. This version is called TclDESjr.
The source code of TclDES and TclDESjr is platform independent, though current development is on a Slackware Linux 9.1 system with Tcl/Tk 8.4.6. Documentation is in the form of man pages (tcldes.n and tcldesjr.n, respectively). The man pages, formatted into HTML, for TclDES and TclDESjr are available on this website. The man pages are included in the TclDES and TclDESjr distributions.
Both TclDES and TclDESjr ECB and CBC modes have been tested against the OpenSSL DES library functions. The code in TclDES and the OpenSSL DES library have common roots in the SSLeay library DES functions developed by Eric A. Young. A Tcl binding to the appropriate DES C functions was created using the SWIG tool, version 1.1 (build 883). The binding has been compiled and executed only within the Linux environment described above. Note: This binding can potentially be a useful Tcl extension library in its own right if a faster DES implementation is needed.
The OFB and CFB modes use the same core DES engine as the ECB and CBC modes. The difference is that in OFB and CFB modes, the message byte stream is converted to a bit stream and reformatted into k-bit data units prior to mixing with k bits of the crypto pattern generated by the DES engine. Afterwards, the k-bit data unit is appended to another bit stream and then converted back to bytes for output. The testing performed is actually aimed at assuring that the sequence of byte stream unpacking, mixing, and repacking works correctly for both encryption and decryption. This is accomplished merely by encrypting the plain text message, immediately followed by decrypting the cypher text, and comparing the result to the original message. Comparison to the OpenSSL implementation is not feasible because of bugs in their implementation and the fact that they use unpacked data streams. For example, with the OpenSSL version, with a 12-bit data unit size, each 12 bits must reside in their own two bytes, with zero bits for the unused four bits. The OpenSSL des_ofb64_encrypt and des_cfb64_encrypt functions do not have the unpacked data problem, but then, the TclDES bit reformatting software isn't really exercised in this case either.
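The k-bit unpacking, mixing and repacking sequence and the encrypt-then-decrypt check described above, as an added Python sketch that is not TclDES code. The 64-bit block function is a stand-in built from SHA-256 rather than DES, and the function names and the left-aligned layout used in unpack_units are assumptions made for illustration.

```python
import hashlib

def block_fn(key, block):
    """Stand-in 64-bit block function (NOT DES): truncated SHA-256 of key||block."""
    return hashlib.sha256(key + block).digest()[:8]

def to_bits(data):
    """Byte stream -> bit stream, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]

def from_bits(bits):
    """Bit stream -> byte stream; a trailing partial byte is zero-filled."""
    bits = bits + [0] * (-len(bits) % 8)
    return bytes(int("".join(map(str, bits[n:n + 8])), 2)
                 for n in range(0, len(bits), 8))

def kbit_stream(key, iv, data, k, mode="ofb", decrypt=False):
    """k-bit OFB/CFB over a packed bit stream (1 <= k <= 64, 8-byte iv)."""
    reg, src, out = to_bits(iv), to_bits(data), []
    for n in range(0, len(src), k):
        unit = src[n:n + k]                                # next k-bit data unit
        pattern = to_bits(block_fn(key, from_bits(reg)))[:k]  # leftmost k bits
        mixed = [u ^ p for u, p in zip(unit, pattern)]     # mix unit with pattern
        if mode == "ofb":
            feedback = pattern                 # OFB feeds back the pattern itself
        else:
            feedback = unit if decrypt else mixed  # CFB feeds back ciphertext bits
        reg = (reg + feedback)[-64:]           # shift register left by k bits
        out.extend(mixed)                      # append unit to the output stream
    return from_bits(out)

def round_trip_ok(key, iv, msg, k, mode):
    """Encrypt, immediately decrypt, and compare with the original message."""
    ct = kbit_stream(key, iv, msg, k, mode)
    return ct != msg and kbit_stream(key, iv, ct, k, mode, decrypt=True) == msg

def unpack_units(data, k):
    """Unpacked layout: every k-bit unit in its own whole bytes, unused bits
    zero (left-aligned here, which is an assumption)."""
    bits = to_bits(data)
    return b"".join(from_bits(bits[n:n + k]) for n in range(0, len(bits), k))

if __name__ == "__main__":
    key, iv = b"constructed-key", bytes(range(8))   # constructed sample values
    msg = b"constructed message"                    # 19 bytes, not a multiple of k
    for mode in ("ofb", "cfb"):
        print(mode, [round_trip_ok(key, iv, msg, k, mode) for k in (1, 7, 12, 64)])
    print(unpack_units(b"\xab\xcd\xef", 12).hex())  # two 12-bit units -> 4 bytes
```
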
Test scripts, employing Monte Carlo analysis, have been written to exercise TclDES and TclDESjr against the OpenSSL DES functions. No discrepancies have yet been found between the results generated by TclDES, TclDESjr, and the OpenSSL DES functions. Still, much more testing needs to be performed before a statistically meaningful subset of the encryption key and message spaces will have been sampled. The SWIG wrapper file and testing scripts are available only through the TclDES CVS archive.
TclDES 0.8 and TclDESjr 0.8 are available as either gzipped tar archives for GNU/Linux (and other Un*xes) or pkzip archives for Microsoft Windows. All can be obtained at the TclDES SourceForge Files page.
Earlier versions of TclDES and TclDESjr can also be found at the TclDES SourceForge Files page.
tcllib SourceForge Home page.
© 2004, 2005 Mac A. Cody
Last updated Thursday, December 22, 2005