gnu.javax.crypto.cipher

Class Cast5

Implemented Interfaces:
Cloneable, IBlockCipher, gnu.javax.crypto.cipher.IBlockCipherSpi

public class Cast5
extends BaseCipher

An implmenetation of the CAST5 (a.k.a. CAST-128) algorithm, as per RFC-2144, dated May 1997.

In this RFC, Carlisle Adams (the CA in CAST, ST stands for Stafford Tavares) describes CAST5 as:

"...a DES-like Substitution-Permutation Network (SPN) cryptosystem which appears to have good resistance to differential cryptanalysis, linear cryptanalysis, and related-key cryptanalysis. This cipher also possesses a number of other desirable cryptographic properties, including avalanche, Strict Avalanche Criterion (SAC), Bit Independence Criterion (BIC), no complementation property, and an absence of weak and semi-weak keys."

CAST5 is a symmetric block cipher with a block-size of 8 bytes and a variable key-size of up to 128 bits. Its authors, and their employer (Entrust Technologies, a Nortel majority-owned company), made it available worldwide on a royalty-free basis for commercial and non-commercial uses.

The CAST5 encryption algorithm has been designed to allow a key size that can vary from 40 bits to 128 bits, in 8-bit increments (that is, the allowable key sizes are 40, 48, 56, 64, ..., 112, 120, and 128 bits. For variable keysize operation, the specification is as follows:

  1. For key sizes up to and including 80 bits (i.e., 40, 48, 56, 64, 72, and 80 bits), the algorithm is exactly as specified but uses 12 rounds instead of 16;
  2. For key sizes greater than 80 bits, the algorithm uses the full 16 rounds;
  3. For key sizes less than 128 bits, the key is padded with zero bytes (in the rightmost, or least significant, positions) out to 128 bits (since the CAST5 key schedule assumes an input key of 128 bits).

References:

  1. The CAST-128 Encryption Algorithm.
    Carlisle Adams.

Field Summary

Fields inherited from class gnu.javax.crypto.cipher.BaseCipher

currentBlockSize, currentKey, defaultBlockSize, defaultKeySize, lock, name

Fields inherited from interface gnu.javax.crypto.cipher.IBlockCipher

CIPHER_BLOCK_SIZE, KEY_MATERIAL

Constructor Summary

Cast5()
Trivial 0-arguments constructor.

Method Summary

Iterator<E>
blockSizes()
Returns an Iterator over the supported block sizes.
Object
clone()
Returns a clone of this instance.
void
decrypt(byte[] in, int i, byte[] out, int j, Object k, int bs)
Decrypts exactly one block of ciphertext.
void
encrypt(byte[] in, int i, byte[] out, int j, Object k, int bs)
The full encryption algorithm is given in the following four steps.
Iterator<E>
keySizes()
Returns an Iterator over the supported key sizes.
Object
makeKey(byte[] uk, int bs)
Expands a user-supplied key material into a session key for a designated block size.
boolean
selfTest()
A correctness test that consists of basic symmetric encryption / decryption test(s) for all supported block and key sizes, as well as one (1) variable key Known Answer Test (KAT).

Methods inherited from class gnu.javax.crypto.cipher.BaseCipher

clone, currentBlockSize, decryptBlock, defaultBlockSize, defaultKeySize, encryptBlock, init, name, reset, selfTest, testKat, testKat

Methods inherited from class java.lang.Object

clone, equals, extends Object> getClass, finalize, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

Cast5

public Cast5()
Trivial 0-arguments constructor.

Method Details

blockSizes

public Iterator<E> blockSizes()
Returns an Iterator over the supported block sizes. Each element returned by this object is an Integer.
Specified by:
blockSizes in interface IBlockCipher
blockSizes in interface gnu.javax.crypto.cipher.IBlockCipherSpi
Returns:
an Iterator over the supported block sizes.

clone

public Object clone()
Returns a clone of this instance.
Specified by:
clone in interface IBlockCipher
Overrides:
clone in interface BaseCipher
Returns:
a clone copy of this instance.

decrypt

public void decrypt(byte[] in,
                    int i,
                    byte[] out,
                    int j,
                    Object k,
                    int bs)
Decrypts exactly one block of ciphertext.
Specified by:
decrypt in interface gnu.javax.crypto.cipher.IBlockCipherSpi
Parameters:
in - the ciphertext.
out - the plaintext.
k - the session key to use.
bs - the block size to use.
Throws:
IllegalArgumentException - if the block size is invalid.
ArrayIndexOutOfBoundsException - if there is not enough room in either the plaintext or ciphertext buffers.

encrypt

public void encrypt(byte[] in,
                    int i,
                    byte[] out,
                    int j,
                    Object k,
                    int bs)
The full encryption algorithm is given in the following four steps.
    INPUT:  plaintext m1...m64; key K = k1...k128.
    OUTPUT: ciphertext c1...c64.
 
  1. (key schedule) Compute 16 pairs of subkeys {Kmi, Kri} from a user key (see makeKey() method).
  2. (L0,R0) <-- (m1...m64). (Split the plaintext into left and right 32-bit halves L0 = m1...m32 and R0 = m33...m64.).
  3. (16 rounds) for i from 1 to 16, compute Li and Ri as follows:
    • Li = Ri-1;
    • Ri = Li-1 ^ F(Ri-1,Kmi,Kri), where F is defined in method F() -- f is of Type 1, Type 2, or Type 3, depending on i, and ^ being the bitwise XOR function.
    • c1...c64 <-- (R16,L16). (Exchange final blocks L16, R16 and concatenate to form the ciphertext.)

    Decryption is identical to the encryption algorithm given above, except that the rounds (and therefore the subkey pairs) are used in reverse order to compute (L0,R0) from (R16,L16).

    Looking at the iterations/rounds in pairs we have:

        (1a)    Li = Ri-1;
        (1b)    Ri = Li-1 ^ Fi(Ri-1);
        (2a)    Li+1 = Ri;
        (2b)    Ri+1 = Li ^ Fi+1(Ri);
     
    which by substituting (2a) in (2b) becomes
        (2c)    Ri+1 = Li ^ Fi+1(Li+1);
     
    by substituting (1b) in (2a) and (1a) in (2c), we get:
        (3a)    Li+1 = Li-1 ^ Fi(Ri-1);
        (3b)    Ri+1 = Ri-1 ^ Fi+1(Li+1);
     
    Using only one couple of variables L and R, initialised to L0 and R0 respectively, the assignments for each pair of rounds become:
        (4a)    L ^= Fi(R);
        (4b)    R ^= Fi+1(L);
     
    Specified by:
    encrypt in interface gnu.javax.crypto.cipher.IBlockCipherSpi
    Parameters:
    in - contains the plain-text 64-bit block.
    i - start index within input where data is considered.
    out - will contain the cipher-text block.
    j - index in out where cipher-text starts.
    k - the session key object.
    bs - the desired block size.

    keySizes

    public Iterator<E> keySizes()
    Returns an Iterator over the supported key sizes. Each element returned by this object is an Integer.
    Specified by:
    keySizes in interface IBlockCipher
    keySizes in interface gnu.javax.crypto.cipher.IBlockCipherSpi
    Returns:
    an Iterator over the supported key sizes.

    makeKey

    public Object makeKey(byte[] uk,
                          int bs)
                throws InvalidKeyException
    Expands a user-supplied key material into a session key for a designated block size.
    Specified by:
    makeKey in interface gnu.javax.crypto.cipher.IBlockCipherSpi
    Parameters:
    bs - the desired block size in bytes.
    Returns:
    an Object encapsulating the session key.
    Throws:
    IllegalArgumentException - if the block size is invalid.
    InvalidKeyException - if the key data is invalid.

    selfTest

    public boolean selfTest()
    A correctness test that consists of basic symmetric encryption / decryption test(s) for all supported block and key sizes, as well as one (1) variable key Known Answer Test (KAT).
    Specified by:
    selfTest in interface IBlockCipher
    selfTest in interface gnu.javax.crypto.cipher.IBlockCipherSpi
    Overrides:
    selfTest in interface BaseCipher
    Returns:
    true if the implementation passes simple correctness tests. Returns false otherwise.

    Cast5.java -- Copyright (C) 2003, 2006 Free Software Foundation, Inc. This file is a part of GNU Classpath. GNU Classpath is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. GNU Classpath is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with GNU Classpath; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA Linking this library statically or dynamically with other modules is making a combined work based on this library. Thus, the terms and conditions of the GNU General Public License cover the whole combination. As a special exception, the copyright holders of this library give you permission to link this library with independent modules to produce an executable, regardless of the license terms of these independent modules, and to copy and distribute the resulting executable under terms of your choice, provided that you also meet, for each linked independent module, the terms and conditions of the license of that module. An independent module is a module which is not derived from or based on this library. If you modify this library, you may extend this exception to your version of the library, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version.