CoderTools

CAST5 (CAST-128) Encryption/Decryption

Secure symmetric block cipher with variable key length (40-128 bits)

Security Warning

This tool is for educational and testing purposes. For production environments requiring high security, consider using AES-256 or other modern encryption algorithms. Never share your encryption keys.

CAST5 supports variable key lengths of 40-128 bits (5-16 bytes). A 128-bit key is recommended for maximum security.

About CAST5 (CAST-128) Encryption

CAST5 (also called CAST-128) was designed by Carlisle Adams and Stafford Tavares at Nortel (Northern Telecom) and published as RFC 2144 in 1996. The algorithm name comes from the designers' initials: Carlisle Adams Stafford Tavares. It uses a 64-bit block size with variable key lengths from 40 to 128 bits in 8-bit steps, and was selected as the mandatory symmetric cipher in OpenPGP (RFC 4880) and as the default bulk cipher in GnuPG 1.x through version 1.4.

CAST5 employs three distinct round functions — Type 1 (XOR output), Type 2 (subtraction output), and Type 3 (addition output) — each selecting different pairs from eight S-boxes with 32-bit outputs in a fixed sequence across rounds. Keys of 80 bits or fewer use 12 rounds; longer keys use 16 rounds. The eight S-boxes were constructed using bent Boolean functions, giving CAST5 provable resistance bounds against differential cryptanalysis that were formally established at design time rather than derived empirically.

Key Features

  • Variable key length: 40–128 bits in 8-bit steps — supported both the 1990s US export-restricted 40-bit key tier and full 128-bit strength in a single algorithm
  • Three distinct round functions (Type 1 XOR / Type 2 Subtract / Type 3 Add) alternating across rounds, each using a different pair of the eight 32×8-bit S-boxes
  • 12 rounds for keys ≤ 80 bits; 16 rounds for 81–128-bit keys — explicit round-count compensation for reduced key entropy
  • Royalty-free algorithm with no patent restrictions

Encryption Modes

  • CBC: Cipher Block Chaining — each 64-bit CAST5 block is XORed with the preceding ciphertext before the 12 or 16 Feistel round-function sequence. Note: OpenPGP (RFC 4880 §13.9) mandates CFB-with-resync rather than CBC for bulk encryption; CBC is the correct mode when using CAST5 in SSH2 (CAST128-CBC, RFC 4253) contexts.
  • ECB: Electronic Codebook — each 64-bit CAST5 block is independently processed through all 12 or 16 rounds. Identical 64-bit plaintext blocks always yield identical ciphertext, revealing data repetition patterns. At a 64-bit block width, a birthday-bound collision has 50% probability after ~2³² blocks (~32 GB encrypted under one key) — avoid ECB entirely.
  • CTR: Counter - Converts the block cipher into a stream cipher and allows blocks to be processed in parallel
  • CFB: Cipher Feedback — the specific mode mandated by OpenPGP (RFC 4880 §13.9): CAST5 in 64-bit CFB with a two-block resync step at the message start. This OpenPGP-specific CFB-with-resync allows recipients to recover synchronization and detect tampered leading blocks before discarding corrupted data.
  • OFB: Output Feedback — CAST5's block function repeatedly re-encrypts the IV to generate a keystream, independent of the plaintext. With a 64-bit IV, the keystream statistical period is bounded by the birthday problem at ~2³² cycles; for large or long-lived data streams, refresh the IV periodically to prevent keystream cycle reuse.
  • RAW: Single Block - Direct encryption without chaining, for a single 8-byte block only

Algorithm Comparison

| Algorithm | Key Length | Block Size | Security | Speed |
|---|---|---|---|---|
| CAST5 (CAST-128) | 40-128 bits | 64 bits | Good | Fast |
| Blowfish | 32-448 bits | 64 bits | Good | Fast |
| AES | 128/192/256 bits | 128 bits | Excellent | Fast |
| Twofish | 128/192/256 bits | 128 bits | Excellent | Fast |

Security Considerations

  • No practical full-round attack exists on CAST5-128; best published cryptanalysis reaches 6 of 16 rounds. However, CAST5 with 40-bit keys (export-grade) is trivially broken by brute force — never use keys shorter than 128 bits in any modern deployment.
  • The 64-bit block size is CAST5's primary limitation: in CBC or CFB mode, a birthday-bound statistical leak emerges after ~2³² blocks (~32 GB per key). OpenPGP mitigates this with per-message session keys, but long-running streaming uses require key rotation for large data volumes.
  • OpenPGP (RFC 4880 §9.2) marks CAST5 as a MUST-implement algorithm for compatibility with the installed base of GnuPG 1.x and PGP 8.x clients. New OpenPGP implementations SHOULD prefer AES-256 for freshly generated messages — CAST5 is a receive-side requirement, not a recommended default for new output.
  • For all new designs, replace CAST5 with AES-128-CBC or AES-256-GCM. The 64-bit block limitation rather than any cryptanalytic weakness is the primary driver for migration; CAST5-128 itself remains unbroken when used with large-enough keys and proper IV management.
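
The following added example (not part of the original page, and not a CAST5 implementation) shows what the birthday-bound leak in CBC mode is and why the data-per-key limit exists. It goes beyond the text by using a hypothetical 16-bit toy Feistel cipher as a stand-in for CAST5, so that repeated ciphertext blocks appear after a few hundred blocks instead of ~2³²; all names, keys and plaintext are constructed.

```python
import hashlib
import random

BLOCK_BITS = 16  # assumption: scaled down from CAST5's 64 bits so repeats show up fast

def toy_encrypt_block(key, block):
    """4-round Feistel on a 16-bit block. A stand-in permutation, NOT CAST5."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right

def cbc_encrypt(key, iv, blocks):
    """CBC: each plaintext block is XORed with the previous ciphertext block."""
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt_block(key, p ^ prev)
        out.append(prev)
    return out

def find_leaks(iv, ciphertext):
    """For every repeated ciphertext block C_i == C_j, return (i, j, P_i xor P_j).
    Only the IV and ciphertext are used: P_i ^ P_j == C_(i-1) ^ C_(j-1)."""
    chain = [iv] + ciphertext          # chain[i] is the block XORed into P_i
    seen, leaks = {}, []
    for j, c in enumerate(ciphertext):
        if c in seen:
            i = seen[c]
            leaks.append((i, j, chain[i] ^ chain[j]))
        else:
            seen[c] = j
    return leaks

def birthday_bound_bytes(block_bits):
    """Data volume at 2^(n/2) blocks, the per-key figure quoted in the text."""
    return (1 << (block_bits // 2)) * (block_bits // 8)

def demo(n_blocks=2000, seed=1):
    rng = random.Random(seed)          # constructed key, IV and plaintext
    key, iv = b"constructed-key", rng.getrandbits(BLOCK_BITS)
    plain = [rng.getrandbits(BLOCK_BITS) for _ in range(n_blocks)]
    leaks = find_leaks(iv, cbc_encrypt(key, iv, plain))
    # Compare each value derived from ciphertext with the real plaintext XOR.
    return leaks, all(plain[i] ^ plain[j] == x for i, j, x in leaks)

if __name__ == "__main__":
    leaks, all_correct = demo()
    print(len(leaks), "repeated blocks; derived XORs correct:", all_correct)
    print("64-bit block budget:", birthday_bound_bytes(64) // 2**30, "GiB per key")
```

Rekeying well before `birthday_bound_bytes(64)` keeps the chance of a repeated block small; a 128-bit block pushes the same bound to 2⁶⁸ bytes.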

Common Use Cases

  • OpenPGP email and file encryption compatibility: RFC 4880 §9.2 mandates CAST5 in all conforming OpenPGP implementations, making it necessary for interoperability with the installed base of GnuPG 1.x and PGP 8.x users who have not updated their cipher preferences
  • GnuPG 1.x symmetric encryption: GnuPG 1.0 through 1.4.x defaulted to CAST5 for symmetric-key (passphrase) encryption. Decrypting files or signed messages from these GnuPG versions requires CAST5 support unless the original sender explicitly selected AES in their key preferences
  • SSH2 CAST128-CBC transport cipher: RFC 4253 defines CAST128-CBC as a SHOULD-support SSH transport cipher. Legacy SSH servers and embedded devices with constrained firmware may still negotiate CAST128-CBC during the handshake if AES cipher suites are unavailable
  • Forensic and archival decryption: PGP-encrypted emails, disk archives, and backup sets from the late 1990s to mid-2000s commonly use CAST5 as the bulk cipher. Recovery requires CAST5 support even when no new CAST5 output is being generated by current systems
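
For the GnuPG 1.x and archival cases above, a useful triage step is to find which passphrase-encrypted OpenPGP files name CAST5 before planning decryption support. This added example (not code from the page or from GnuPG) reads the Symmetric-Key Encrypted Session Key packet defined in RFC 4880 and reports its cipher ID; the function names and sample bytes are constructed.

```python
# Symmetric-key algorithm IDs from RFC 4880 section 9.2 (subset).
SYM_ALGOS = {1: "IDEA", 2: "TripleDES", 3: "CAST5", 4: "Blowfish",
             7: "AES-128", 8: "AES-192", 9: "AES-256", 10: "Twofish"}

def read_header(data, pos):
    """Return (tag, body_start, body_len); body_len is None if not a fixed length."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("bit 7 clear: not an OpenPGP packet header")
    if first & 0x40:                                   # new-format header
        tag, o = first & 0x3F, data[pos + 1]
        if o < 192:
            return tag, pos + 2, o
        if o < 224:
            return tag, pos + 3, ((o - 192) << 8) + data[pos + 2] + 192
        if o == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        return tag, pos + 2, None                      # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03     # old-format header
    if ltype == 3:
        return tag, pos + 1, None                      # indeterminate length
    size = 1 << ltype                                  # 1, 2 or 4 length octets
    return tag, pos + 1 + size, int.from_bytes(data[pos + 1:pos + 1 + size], "big")

def skesk_cipher(data):
    """Cipher named by the first version-4 Symmetric-Key ESK packet (tag 3), else None."""
    pos = 0
    while pos < len(data):
        tag, start, length = read_header(data, pos)
        if tag == 3 and length is not None and length >= 2 and data[start] == 4:
            algo = data[start + 1]
            return SYM_ALGOS.get(algo, f"unknown({algo})")
        if length is None:                             # cannot skip this packet
            break
        pos = start + length
    return None

# Constructed samples: SKESK body = version 4, cipher ID, S2K type 3, hash ID,
# 8-byte salt, iteration count octet; followed by a 2-byte dummy data packet.
SALT = bytes(range(8))
CAST5_FILE = bytes.fromhex("8c0d04030302") + SALT + b"\x60" + bytes.fromhex("a402aabb")
AES_FILE = bytes.fromhex("c30d04090308") + SALT + b"\x60" + bytes.fromhex("d202aabb")
PUBKEY_FILE = bytes.fromhex("84020301") + bytes.fromhex("a402aabb")  # tag 1 only

if __name__ == "__main__":
    for name, blob in [("cast5", CAST5_FILE), ("aes", AES_FILE), ("pubkey", PUBKEY_FILE)]:
        print(name, skesk_cipher(blob))
```

Public-key encrypted messages carry the cipher ID inside the encrypted session key, so the function returns `None` for them.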
