CAST-256 Strong Encryption for Back Orifice 2000

«The strongest encryption available for BO2K. Great!»
--- DilDog, author of BO2K, member of cDc and L0phT

«Your CAST-256 plugin is good.»
--- Maw~, author of the IDEA and RC6 plugins

«I'll buy you a beer.»
--- Reid Fleming, member of cDc



Overview

CAST-256 is a plugin for the remote administration suite Back Orifice 2000 (BO2K) from the one and only, the Cult of the Dead Cow (cDc). Released at DEFCON 7, BO2K was subject to massive hype even weeks before its actual release.

This plugin adds CAST6-256 encryption in CBC mode to your BO2K. It is one of the strongest encryption modules available for BO2K. As simple as that. Isn't that great?



Security Considerations

CAST-256 offers the strongest encryption power known to Back Orifice 2000. CAST-256 uses 256-bit user keys (for comparison: TripleDES 168 bits, IDEA 128 bits). There are no known attacks against the algorithm. The plugin implements CBC mode with a random IV for improved security.

The Canadian algorithm CAST-256 is one of the round 1 candidates for the NIST Advanced Encryption Standard (AES), which will be the successor of the Data Encryption Standard (DES). I tested my CAST-256 implementation against the test vectors defined in RFC 2612 to ensure its validity.

To sum it up: I would call CAST-256 absolutely secure at present and near future technology level.



What's New?

Users of versions 2.0, 2.1 and 2.2 must update because of serious security flaws.

Version 2.8, September 28th 1999
Version 2.7, September 27th 1999
Version 2.6, August 29th 1999
Version 2.5, August 24th 1999
Version 2.4, August 3rd 1999
Version 2.3, August 1st 1999
Version 2.2, July 30th 1999
Version 2.1, July 29th 1999
Version 2.0, July 28th 1999
Version 1.1, July 26th 1999
Version 1.0, July 25th 1999


Usage / Installation

Add the plugin to both the client and the server, and be sure to configure matching key strings. You should now be able to select CAST from any encryption drop-down menu, and you can specify CAST in any Encryption setting. Please be sure to use CAST both in the client and the server, otherwise it won't work (surprise, surprise).

If you can't figure out how to add plugins, I suggest you go to your local software store and acquire a copy of PC Anywhere [tm], so you won't have to cope with the tremendously difficult task of adding a plugin :-P



CBC Mode

Many commonly used ciphers (e.g., CAST-256, Serpent, IDEA) are block ciphers. This means that they take a fixed-size block of data (usually 128 bits) and transform it into another 128-bit block using a function selected by the key. For each key, the cipher basically defines a one-to-one mapping (a permutation) on the set of 128-bit values.

If the same block is encrypted twice with the same key, the resulting ciphertext blocks are the same (this method of encryption is called Electronic Code Book mode, or ECB). This information could be useful for an attacker.

In practical applications, it is desirable to make identical plaintext blocks encrypt to different ciphertext blocks. The Cipher Block Chaining (CBC) Mode does exactly that: a ciphertext block is obtained by first XORing the plaintext block with the previous ciphertext block, and encrypting the resulting value.

This plugin implements only CBC, as BO2K encrypts data in chunks which have to be decoded completely. Even if using UDPIO, data is sent in small, independently encrypted packets. Thus, ECB mode is not required; it merely made configuration more irritating.
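The difference between ECB and CBC with a random IV, as an added example that is not the plugin's code. It assumes a stand-in 4-round Feistel block cipher built from SHA-256 in place of CAST-256 (only the 128-bit block size matches), PKCS#7 padding, and a constructed key and message.

```python
import hashlib, os

BLOCK = 16                      # bytes; 128-bit block, the block size of CAST-256
KEY = bytes(range(32))          # constructed 256-bit key
MSG = b"SAMPLE-BLOCK-16B" * 2   # constructed: two identical plaintext blocks

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # round function of the stand-in cipher, NOT CAST-256
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def enc_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def _pad(pt):
    n = BLOCK - len(pt) % BLOCK          # PKCS#7: always adds 1..16 bytes
    return pt + bytes([n]) * n

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):                # every block encrypted on its own
    return b"".join(enc_block(key, b) for b in split(_pad(pt)))

def cbc_encrypt(key, pt):
    out = [os.urandom(BLOCK)]            # fresh random IV, sent as the first block
    for b in split(_pad(pt)):
        out.append(enc_block(key, _xor(b, out[-1])))
    return b"".join(out)

def cbc_decrypt(key, ct):
    blocks = split(ct)                   # blocks[0] is the IV
    pt = b"".join(_xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pt[:-pt[-1]]                  # strip the padding

def repeated_blocks(ct):                 # what an observer of the ciphertext sees
    return len(split(ct)) - len(set(split(ct)))

print("repeated blocks, ECB:", repeated_blocks(ecb_encrypt(KEY, MSG)),
      "CBC:", repeated_blocks(cbc_encrypt(KEY, MSG)))
```

Because each call draws a new IV, encrypting the same packet twice gives two different ciphertexts, which is what makes independently encrypted packets safe to send under one key. CBC provides confidentiality only; it does not detect ciphertext that was modified in transit.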



The Algorithm

The CAST-128 cipher is described in "Constructing Symmetric Ciphers Using the CAST Design Procedure" by Carlisle Adams and in RFC 2144 "The CAST-128 Encryption Algorithm", also by Carlisle Adams. RFC 2612 "The CAST-256 Encryption Algorithm" offers an extension of the algorithm to key sizes up to 256 bits and a block size of 128 bits.

The CAST encryption algorithm is a DES-like Substitution-Permutation Network (SPN) cryptosystem which appears to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis. This cipher also possesses a number of other desirable cryptographic properties, including avalanche, Strict Avalanche Criterion (SAC), Bit Independence Criterion (BIC), no complementation property, and an absence of weak and semi-weak keys. It thus appears to be a good candidate for general-purpose use throughout the Internet community wherever a cryptographically-strong, freely-available encryption algorithm is required.

This cipher appears to have cryptographic strength in accordance with its keysize (256 bits) and has very good encryption / decryption performance.



Legal Issues

Entrust Technologies / Nortel, under whose aegis the CAST algorithm was developed, have allowed free use of the algorithm for any purpose.

RFC 2144, in which CAST-128 is described, states in paragraph 3: "3. Intellectual Property Considerations: The CAST-128 cipher described in this document is available worldwide on a royalty-free basis for commercial and non-commercial uses."

RFC 2612, in which CAST-256 is described, states in paragraph 4: "4. Cipher Usage: The CAST-256 cipher described in this document is available worldwide on a royalty-free and licence-free basis for commercial and non-commercial uses."

As this implementation was programmed using the RFC documents as a guide and thus does not contain any code which was exported from the U.S. or Canada, this plugin constitutes no violation of the U.S. ITAR or other export regulations.

In Switzerland, export of cryptographic software is legal and not subject to export restrictions, as long as it is available for free to anyone, and no additional services from the manufacturer are required to use the product. Thus this software is exportable without restrictions. If you believe this is not accurate, please notify me immediately. I do not intend to export this software illegally.



License

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

If you do redistribute or modify it, please let me know.



Download

This document © Daniel Roethlisberger
Source of this document:
http://www.roe.ch/bo2k