CAST-256 Strong Encryption Plugin for Back Orifice 2000
Copyright (C) 1999, Daniel Roethlisberger
Version 2.4, August 3rd, 1999

------[ Description ]

This is a plugin for the remote administration suite Back Orifice 2000 (BO2K) from the one and only Cult of the Dead Cow (cDc). Released at DEFCON 7, BO2K was subject to massive hype for weeks before its actual release.

This plugin adds CAST6-256 encryption capability to your BO2K, with or without CBC mode. The strongest available encryption for BO2K. As simple as that. Isn't that great?

------[ Security Considerations ]

CAST-256 offers the strongest encryption power known to Back Orifice 2000. CAST-256 uses user keys of 256 bits length (comparison: TripleDES 168 bits, IDEA 128 bits). There are no known attacks against the algorithm. The plugin implements both ECB and CBC modes, for either improved security (CBC) or more transport flexibility (ECB). The Canadian algorithm CAST-256 is one of the candidates for the Advanced Encryption Standard (AES), which will be the successor of the Data Encryption Standard (DES).

I tested my CAST-256 implementation against the test vectors defined in RFC 2612 to ensure its validity, and I used the official MD5 reference implementation from RSA.

To sum it up: I would call CAST-256 absolutely secure at the present and near-future technology level.

------[ What's New? ]

v2.4, August 3rd 1999
Using MD5 for determining the initialization vector, and abusing the initialization vector to XOR the data blocks in ECB mode. Improved security.

v2.3, August 1st 1999
Password bug has been fixed. 'Cos I used Maw~'s faulty MD5 module, the password did not matter at all, dangerously. You should have me shot for being so stupid. I'm using the official implementation from RSA now.

v2.2, July 30th 1999
Fixed eternally stupid bug disabling CBC mode. Updated old label returned by query. Silly me.

v2.1, July 29th 1999
Support for passwords up to 256 chars long. Some bug fixes in the MD5 module by Maw~ as well.
v2.0, July 28th 1999
Did a complete implementation of CAST-256 from scratch (RFC) in place of CAST-128. First release. Great success: scored 5 stars at bo2k.com, had hundreds of downloads in the first 24 hours.

v1.1, July 26th 1999
Added CBC mode. Some bug fixes as well.

v1.0, July 25th 1999
Used a Norwegian implementation of CAST-128. Worked fine. I never released this version.

------[ Usage / Installation ]

Add the plugin to both the client and the server, be sure to configure matching key strings, and check the CBC setting. You should now be able to select CAST from any encryption drop-down menu, and you can specify CAST in any Encryption setting. Please be sure to use CAST both in the client and the server, otherwise it won't work (surprise, surprise).

If you can't figure out how to add plugins, I suggest you go to your local software store and acquire a copy of PC Anywhere [tm], so you won't have to cope with the tremendously difficult task of adding a plugin :-P

------[ ECB vs. CBC Mode ]

Many commonly used ciphers (e.g., IDEA, DES, Blowfish) are block ciphers. This means that they take a fixed-size block of data (usually 64 bits) and transform it to another 64-bit block using a function selected by the key. The cipher basically defines a one-to-one mapping from 64-bit integers to another permutation of 64-bit integers. CAST-256 uses blocks of 128 bits.

If the same block is encrypted twice with the same key, the resulting ciphertext blocks are the same (this method of encryption is called Electronic Code Book mode, or ECB). This information could be useful for an attacker. In practical applications, it is desirable to make identical plaintext blocks encrypt to different ciphertext blocks. The Cipher Block Chaining (CBC) mode does exactly that: a ciphertext block is obtained by first XORing the plaintext block with the previous ciphertext block, and then encrypting the resulting value. Thus the complete cipher stream is needed in order to decode.
If any block is missing or displaced, there is no chance of decoding it anymore. So if you are using unreliable means of transport, such as UDPIO, you should turn CBC mode off.

------[ Algorithm ]

The CAST-128 cipher is described in "Constructing Symmetric Ciphers Using the CAST Design Procedure" by Carlisle Adams and in RFC 2144 "The CAST-128 Encryption Algorithm", also by Carlisle Adams. RFC 2612 "The CAST-256 Encryption Algorithm" offers an extension of the algorithm to key sizes up to 256 bits and a block size of 128 bits.

The CAST encryption algorithm is a DES-like Substitution-Permutation Network (SPN) cryptosystem which appears to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis. This cipher also possesses a number of other desirable cryptographic properties, including avalanche, Strict Avalanche Criterion (SAC), Bit Independence Criterion (BIC), no complementation property, and an absence of weak and semi-weak keys. It thus appears to be a good candidate for general-purpose use throughout the Internet community wherever a cryptographically strong, freely available encryption algorithm is required.

CAST-256 is a 12-round Feistel cipher that has a block size of 128 bits and a key size of up to 256 bits; it uses rotation to provide intrinsic immunity to linear and differential attacks; it uses a mixture of XOR, addition and subtraction (modulo 2**32) in the round function; and it uses three variations of the round function itself throughout the cipher. Finally, the 8x32 S-boxes used in the round function each have a minimum nonlinearity of 74 and a maximum entry of 2 in the difference distribution table. This cipher appears to have cryptographic strength in accordance with its key size (256 bits) and has very good encryption/decryption performance.
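As an added illustration that is not the plugin's own code, the following Python implements the ECB and CBC modes discussed above and the MD5 key and IV derivation formulas that follow, using a stand-in 12-round Feistel cipher (MD5 as a toy round function) in place of the real CAST-256 and placeholder values for the string1..string4 constants, which the README does not give.

```python
import hashlib

# Constructed placeholders: the README does not give the plugin's real
# string1..string4 constants, so these values are assumptions.
STRING1, STRING2, STRING3, STRING4 = b"<s1>", b"<s2>", b"<s3>", b"<s4>"

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def derive_key(pw):
    """UserKey = MD5(string1 + pw) + MD5(pw + string2): 32 bytes (256 bits)."""
    return hashlib.md5(STRING1 + pw).digest() + hashlib.md5(pw + STRING2).digest()
def derive_iv(pw):
    """InitVect = MD5(string3 + pw + string4): 16 bytes, one 128-bit block."""
    return hashlib.md5(STRING3 + pw + STRING4).digest()

# Stand-in 128-bit, 12-round Feistel cipher (NOT CAST-256, whose real round
# functions and S-boxes are in RFC 2612); MD5 acts as a toy round function.
def _f(key, rnd, half):
    return hashlib.md5(key + bytes([rnd]) + half).digest()[:8]

def _feistel(key, block, rounds):
    l, r = block[:8], block[8:]
    for i in rounds:
        l, r = r, xor(l, _f(key, i, r))
    return r + l  # undo the final swap: decryption is the same loop in reverse

def block_encrypt(key, block):
    return _feistel(key, block, range(12))
def block_decrypt(key, block):
    return _feistel(key, block, reversed(range(12)))

def blocks(data):  # caller supplies whole 16-byte blocks; no padding here
    return [data[i:i + 16] for i in range(0, len(data), 16)]

def ecb_encrypt(key, data):  # every block on its own: equal blocks show
    return b"".join(block_encrypt(key, b) for b in blocks(data))

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for b in blocks(data):
        prev = block_encrypt(key, xor(b, prev))  # chain in previous ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for c in blocks(data):
        out.append(xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)
```

Encrypting four identical 16-byte blocks yields one distinct ciphertext block under ECB and four under CBC, which is exactly the leak the CBC setting closes. The derivation is a single unsalted MD5 of the password, so the strength of the 256-bit key rests entirely on the password chosen.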
The 256-bit user key used by the CAST engine is constructed by

    UserKey = MD5(string1 + pwstring) + MD5(pwstring + string2);

The initialization vector used by the CBC/ECB modes is derived by

    InitVect = MD5(string3 + pwstring + string4);

where "+" denotes concatenation.

------[ Legal Crap ]

Entrust Technologies / Nortel, under whose aegis the CAST algorithm was developed, have allowed free use of the algorithm for any purpose. RFC 2144, in which CAST-128 is described, states in paragraph 3:

"3. Intellectual Property Considerations: The CAST-128 cipher described in this document is available worldwide on a royalty-free basis for commercial and non-commercial uses."

RFC 2612, in which CAST-256 is described, states in paragraph 4:

"4. Cipher Usage: The CAST-256 cipher described in this document is available worldwide on a royalty-free and licence-free basis for commercial and non-commercial uses."

As this implementation was programmed using the RFC documents as a guide and thus does not contain any code which was exported from the U.S., this plugin constitutes no violation of the U.S. ITAR export regulations. I am a citizen of Switzerland, and my web server is located in Germany, so neither has anything to do with the US. But let's wait for Wassenaar - it could change things a little for the worse :(

------[ License ]

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

If you do redistribute or modify it, please let me know.

------[ Thanx To ]

DilDog, for answering my mails and for making BO2K possible
The rest at cDc, for being the rest at cDc
Maw~, for fixing the MD5 module very fast
Graeme and the rest of the crowd at alt.fan.cult-dead-cow, for making information exchange possible
Bernstein and the EFF, for having won a first lawsuit against the administration concerning the export regulations of crypto source code

------[ Contact ]

Daniel Roethlisberger
E-Mail:
Web: http://www.roe.ch/download/bo_cast.shtml
ICQ: 4646931

Get my PGP key with ID 0x8DE543ED at ldap://certserver.pgp.com.
Visit the official BO2K site at http://www.bo2k.com.

------[ Over and Out ]