CAST-256 Strong Encryption Plugin for Back Orifice 2000
Copyright (C) 1999, Daniel Roethlisberger
Version 2.4, August 3rd, 1999
------[ Description ]
This is a plugin for the remote administration suite Back
Orifice 2000 (BO2K) from the one and only, the Cult of the
Dead Cow (cDc). Released at DEFCON 7, BO2K was subject to
massive hype even weeks before the actual release of it.
This plugin adds CAST6-256 encryption capability to your BO2K,
with or without CBC-Mode. The strongest available encryption
for BO2K. As simple as that. Isn't that great?
------[ Security Considerations ]
CAST-256 offers the strongest encryption power known to
Back Orifice 2000. CAST-256 uses user keys of 256 bits length
(Comparison: TripleDES 168 bits, IDEA 128 bits). There are no
known attacks against the algorithm. The plugin implements
both ECB and CBC modes for either improved security (CBC) or
more transport flexibility (ECB).
The Canadian algorithm CAST-256 is one of the candidates for
the Advanced Encryption Standard AES, which will be the
successor of the Data Encryption Standard (DES). I tested my
CAST-256 implementation against the test vectors defined in
RFC 2612 to ensure its validity, and I used the official MD5
reference implementation from RSA.
To sum it up: I would call CAST-256 absolutely secure at present
and near future technology level.
------[ What's New? ]
v2.4, August 3rd 1999   Using MD5 for determining initialization vector
                        and abusing the initialization vector to XOR the
                        data blocks in ECB mode. Improved security.
v2.3, August 1st 1999   Password bug has been fixed. Cos I used Maw~'s
                        faulty MD5 module, the password did not matter
                        at all, dangerously. You should have me shot
                        for being so stupid. I'm using the official
                        implementation from RSA now.
v2.2, July 30th 1999    Fixed eternally stupid bug disabling CBC-Mode.
                        Updated old label returned by query. Silly me.
v2.1, July 29th 1999    Support for passwords up to 256 chars long.
                        Some bug fixes in MD5 module by Maw~ as well.
v2.0, July 28th 1999    Did a complete implementation of CAST-256
                        from scratch (RFC) in place of CAST-128.
                        First release. Great success. Scored 5
                        stars at bo2k.com, had hundreds of
                        downloads in the first 24 hours.
v1.1, July 26th 1999    Added CBC-Mode. Some bug fixes as well.
v1.0, July 25th 1999    Used Norwegian implementation of CAST-128.
                        Worked fine. I never released this version.
------[ Usage / Installation ]
Add the plugin to both the client and the server, be sure to
configure matching key strings and check the CBC setting.
You should now be able to select CAST from any encryption
drop-down menu, and you can specify CAST in any Encryption
setting. Please be sure to use CAST both in the client and
the server, otherwise it won't work (surprise, surprise).
If you can't figure out how to add plugins I suggest you go to
your local software store and acquire a copy of PC Anywhere [tm],
so you won't have to cope with the tremendously difficult task of
adding a plugin :-P
------[ ECB vs. CBC Mode ]
Many commonly used ciphers (e.g., IDEA, DES, Blowfish) are block
ciphers. This means that they take a fixed-size block of data
(usually 64 bits), and transform it to another 64 bit block
using a function selected by the key. The cipher basically
defines a one-to-one mapping from 64-bit integers to another
permutation of 64-bit integers. CAST-256 uses blocks of 128 bits.
If the same block is encrypted twice with the same key, the
resulting ciphertext blocks are the same (this method of
encryption is called Electronic Code Book mode, or ECB).
This information could be useful for an attacker.
In practical applications, it is desirable to make identical
plaintext blocks encrypt to different ciphertext blocks. The
Cipher Block Chaining (CBC) Mode does exactly that: a ciphertext
block is obtained by first XORing the plaintext block with the
previous ciphertext block, and encrypting the resulting value.
Thus the complete cipher stream is needed in order to decode.
Any missing or displaced blocks and there's no chance of
decoding it anymore. So if you are using unreliable means of
transport, such as UDPIO, you should turn CBC Mode off.
------[ Algorithm ]
The CAST-128 cipher is described in "Constructing Symmetric
Ciphers Using the CAST Design Procedure" by Carlisle Adams
and in RFC 2144 "The CAST-128 Encryption Algorithm" also by
Carlisle Adams. RFC 2612 "The CAST-256 Encryption Algorithm"
offers an extension of the algorithm to keysizes up to 256
and blocksize of 128 bits.
The CAST encryption algorithm is a DES-like Substitution-
Permutation Network (SPN) cryptosystem which appears to have
good resistance to differential cryptanalysis, linear
cryptanalysis, and related-key cryptanalysis. This cipher also
possesses a number of other desirable cryptographic properties,
including avalanche, Strict Avalanche Criterion (SAC), Bit
Independence Criterion (BIC), no complementation property, and
an absence of weak and semi-weak keys. It thus appears to be a
good candidate for general-purpose use throughout the Internet
community wherever a cryptographically-strong, freely-available
encryption algorithm is required.
CAST-256 is a 12-round Feistel cipher that has a blocksize of
128 bits and a keysize of up to 256 bits; it uses rotation to
provide intrinsic immunity to linear and differential attacks;
it uses a mixture of XOR, addition and subtraction (modulo 2**32)
in the round function; and it uses three variations of the round
function itself throughout the cipher. Finally, the 8x32 s-boxes
used in the round function each have a minimum nonlinearity of 74
and a maximum entry of 2 in the difference distribution table.
This cipher appears to have cryptographic strength in accordance
with its keysize (256 bits) and has very good encryption /
decryption performance.
The 256 bit user key used by the CAST engine is constructed by
    UserKey = MD5(string1 + pwstring) + MD5(pwstring + string2);
The Initialization Vector used by CBC/ECB modes is derived by
    InitVect = MD5(string3 + pwstring + string4);
Whereby "+" denotes a concatenation.
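The derivation above, combined with the ECB and CBC behaviour described in the "ECB vs. CBC Mode" section, as an added example that is not the plugin's own code. Assumptions: string1..string4 are placeholders because the readme does not give them, `toy_encrypt` is a stand-in Feistel permutation and not CAST-256, and XORing the IV into each block before encryption is one reading of the v2.4 changelog entry.

```python
import hashlib

BLOCK = 16  # CAST-256 block size: 128 bits
# Placeholders: the readme does not disclose string1..string4.
S1, S2, S3, S4 = b"<string1>", b"<string2>", b"<string3>", b"<string4>"

def derive(pw: bytes):
    """(UserKey, InitVect) per the readme's formulas; '+' is concatenation."""
    key = hashlib.md5(S1 + pw).digest() + hashlib.md5(pw + S2).digest()
    iv = hashlib.md5(S3 + pw + S4).digest()
    return key, iv

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for CAST-256: a 4-round Feistel permutation, NOT a secure cipher."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def blocks(data: bytes):
    assert len(data) % BLOCK == 0, "sample data is block-aligned"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(pw: bytes, data: bytes):
    """ECB with each block XORed with InitVect first (assumed reading of v2.4)."""
    key, iv = derive(pw)
    return [toy_encrypt(key, xor(p, iv)) for p in blocks(data)]

def cbc(pw: bytes, data: bytes):
    """CBC: XOR each block with the previous ciphertext block, then encrypt."""
    key, prev = derive(pw)  # the first "previous block" is InitVect
    out = []
    for p in blocks(data):
        prev = toy_encrypt(key, xor(p, prev))
        out.append(prev)
    return out

# Constructed sample traffic: two identical blocks, then one that differs.
MSG = b"A" * 32 + b"B" * 16

if __name__ == "__main__":
    e, c = ecb(b"example-pw", MSG), cbc(b"example-pw", MSG)
    print("ECB: blocks 0 and 1 equal ->", e[0] == e[1])
    print("CBC: blocks 0 and 1 equal ->", c[0] == c[1])
    print("CBC: same output on a second run ->", c == cbc(b"example-pw", MSG))
```

Since InitVect is a function of the password alone, two sessions under the same password start CBC from the same IV, so messages that begin with the same plaintext also begin with the same ciphertext. The XOR with a fixed IV in ECB mode does not change the fact that equal plaintext blocks give equal ciphertext blocks.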
------[ Legal Crap ]
Entrust Technologies / Nortel, under whose aegis the CAST
algorithm was developed, have allowed free use of the algorithm
for any purpose.
RFC 2144, in which CAST-128 is described, states in paragraph 3:
"3. Intellectual Property Considerations:
The CAST-128 cipher described in this document is available
worldwide on a royalty-free basis for commercial and non-
commercial uses."
RFC 2612, in which CAST-256 is described, states in paragraph 4:
"4. Cipher Usage:
The CAST-256 cipher described in this document is available
worldwide on a royalty-free and licence-free basis for commercial
and non-commercial uses."
As this implementation was programmed using the RFC documents as
guide and thus does not contain any code which was exported from
the U.S., this plugin constitutes no violation of the U.S. ITAR
export regulations.
I am a citizen of Switzerland, and my web server is located in
Germany, so neither got anything to do with the US. But let's
wait for Wassenaar - could change things a little to the worse :(
------[ License ]
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of
the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public
License along with this program; if not, write to the Free
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
MA 02111-1307 USA
If you do redistribute or modify it, please let me know.
------[ Thanx To ]
DilDog
    for answering my mails and for making BO2K possible
the rest at cDc
    for being the rest at cDc
Maw~
    for fixing the MD5 module very fast
Graeme and the rest of the crowd at alt.fan.cult-dead-cow
    for making information exchange possible
Bernstein and the EFF
    for having won a first lawsuit against the administration
    concerning the export regulations of crypto source code
------[ Contact ]
Daniel Roethlisberger
E-Mail: <admin@roe.ch>
Web: http://www.roe.ch/download/bo_cast.shtml
ICQ: 4646931
Get my PGP-Key with ID 0x8DE543ED at ldap://certserver.pgp.com.
Visit the official BO2K site at http://www.bo2k.com.
------[ Over and Out ]
<<better than any handle>>