We recently fixed the support for it. It is not in any of our default esp= algorithm lists, so it will only be used when explicitly configured.

Paul

---------- Forwarded message ----------
Date: Tue, 26 Aug 2014 07:24:29
From: Peter Gutmann <[email protected]>
Cc: [email protected], [email protected]
To: [email protected], [email protected]
Subject: Re: [Cryptography] Which big-name ciphers have been broken in living memory?

Bear <[email protected]> writes:
Is there any evidence that CAST5 is in any way inadequate? People are upset with use of an "Antique" algorithm? Why?
There's nothing obviously wrong with CAST, but it is nearly twenty years old and hasn't had anywhere near the analysis of AES (or 3DES), particularly against recent cryptanalysis techniques. Anything new that turns up will pretty much automatically get thrown at AES, and we know that it's resistant to it. Do we know that anyone's tried the same with CAST?

From this page: https://web.archive.org/web/20071217153044/http://adonis.ee.queensu.ca/cast/ the last analysis published was in 1997 (a Google search turns up one or two newer ones, but mostly in regard to CAST5 being the ancestor of CAST-256). David Wagner's boomerang attack breaks CAST-256 with 16 rounds, and CAST5 is the predecessor of CAST-256 with...16 rounds (presumably it can't be extended back to CAST5 or someone would have announced this, but how hard has anyone looked?).

CAST5 also has lots of lovely large S-boxes and S-box lookups, which would seem to make it vulnerable to assorted timing/cache/whatever side-channel attacks, but there's no indication that anyone's looked at them because they're all too busy focusing on AES instead.

So we've got an algorithm that hasn't had any significant cryptanalytic attention since the late 1990s, and that could well be vulnerable to newer techniques (and in particular a whole pile of side-channel attacks), but we'll never know because as far as we know no-one's ever looked.
So, I say the burden of evidence falls on those requesting a change here. What is wrong with CAST5 that people want to get rid of it?
Show me evidence that it's immune to cryptanalytic techniques developed in the last 15 years, and to the smorgasbord of side-channel attacks that have been thrown at AES, and I'll agree with you. As Bruce Schneier likes to say, "attacks always get better, they never get worse". CAST5 has been standing still for about fifteen years while the attackers moved ahead. How do we know it's still safe?

Peter.

_______________________________________________
The cryptography mailing list
[email protected]
http://www.metzdowd.com/mailman/listinfo/cryptography

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
