GOST Cipher Suite
GOST 28147-89 / Magma Russian symmetric encryption with multiple modes and S-Box options
⚠️ Educational Use Only
GOST 28147-89 is cryptographically outdated. For new projects, use AES instead. This tool is for testing, learning, and legacy system maintenance only.
About GOST 28147-89 & Magma
GOST 28147-89 is a Soviet symmetric encryption standard published in 1989 under the designation “State Standard of the USSR 28147-89.” Its 32-round modified Feistel network processes 64-bit blocks with a 256-bit key. Each round applies the round key via modular addition (mod 2³², not XOR), performs a 32×8-bit S-box substitution across eight 4-bit nibble S-boxes, and rotates the result 11 bits left. The use of addition rather than XOR for key injection distinguishes GOST from most Western Feistel ciphers of the era.
GOST 28147-89's original S-boxes were classified as a state secret and not publicly published — different Soviet ministries and industrial sectors operated with different S-box parameters, creating interoperability barriers and enabling potential backdoor concerns. The CryptoPro company standardized four interoperable S-box parameter sets (CryptoPro-A through D) in RFC 4357 (2006). In 2011, Nicolas Courtois published a reflection attack reducing GOST's security to approximately 2²²⁵ operations (vs 2²⁵⁶ for brute force), though the practical exploitability remains disputed. Like all 64-bit block ciphers, GOST 28147-89 is vulnerable to Sweet32 birthday attacks in CBC mode after approximately 32 GB under the same key.
About Magma (GOST R 34.12-2015)
Magma is the informal name for the GOST 28147-89 variant standardized as GOST R 34.12-2015 (Russian national standard). Published in 2015 and specified in RFC 8891 (2020), Magma uses the same 64-bit block, 256-bit key, 32-round Feistel structure as GOST 28147-89 but with a single mandatory, publicly published S-box parameter set (“id-tc26-gost-28147-param-Z”). The public S-box resolves the interoperability and hidden-parameter concerns of the original GOST standard.
Magma is intended for legacy compatibility with GOST 28147-89 systems while removing the S-box confidentiality issues. For new Russian information security applications requiring a block cipher, GOST R 34.12-2015 also defines Grasshopper (Kuznyechik) — a 128-bit block, 256-bit key, 10-round SP-network cipher. Magma (64-bit block) carries the same Sweet32 risk as GOST 28147-89; key rotation before 32 GB of CBC data under the same key is mandatory.
GOST 28147-89 History
GOST 28147-89 was developed by the KGB’s 8th Chief Directorate (responsible for cryptography) in the 1970s and 1980s and formally published in 1989. It remained classified until 1994, when it was declassified and made available as a civilian standard. The S-box parameters were withheld even in the declassified version, with different parameter sets distributed to different industrial sectors under non-disclosure agreements. The CryptoPro S-boxes (RFC 4357, 2006) and the later Magma standard (RFC 8891, 2020) represent the gradual transition from classified to open cryptographic parameters. GOST 28147-89 and Magma are still required in Russian government, banking, and legal applications under GOST R 34.12-2015 compliance requirements.
Algorithm Comparison
| Algorithm | Type | Key Length | Block Size | Security | Rounds |
|---|---|---|---|---|---|
| GOST 28147-89 | Block Cipher | 256-bit (32 bytes) | 64-bit (8 bytes) | Moderate | 32 |
| Magma (GOST R 34.12-2015) | Block Cipher | 256-bit (32 bytes) | 64-bit (8 bytes) | Moderate | 32 |
| AES | Block Cipher | 128, 192, 256-bit | 128-bit (16 bytes) | Excellent | 10-14 |
Key Features
- 64-bit block size - Suitable for smaller data blocks
- 256-bit key length - Larger key space than DES
- 32 rounds - Strong diffusion and confusion properties
- Multiple modes - ECB, CBC, CFB, OFB, CTR support
Security Considerations
- In 2011, Nicolas Courtois published a reflection attack against GOST 28147-89, reducing its claimed security from 2²⁵⁶ to approximately 2²²⁵ operations. The attack requires 2³² chosen plaintexts. Subsequent analysis disputed whether the attack is practically exploitable against real implementations (it assumes specific key properties), but GOST 28147-89 is now considered deprecated for new Russian federal applications in favor of Grasshopper.
- Sweet32 (CVE-2016-2183, 2016): GOST 28147-89 and Magma share the same 64-bit block-size weakness as Triple-DES and Blowfish. After approximately 32 GB of CBC-mode traffic under the same key, birthday-bound block collisions become statistically exploitable to recover plaintext. The same limit applies to CFB and CTR modes; all modes require key rotation before 2³² block-equivalents of processing.
- For all new applications requiring a Russian GOST-family block cipher, use Grasshopper (Kuznyechik, GOST R 34.12-2015, 128-bit block, 256-bit key, 10 rounds). GOST 28147-89 and Magma are appropriate for: decrypting existing Russian government archives, legacy financial system compatibility, and understanding the design trade-offs of Soviet-era block cipher engineering.
Use Cases
- Russian government and banking legacy data: GOST 28147-89 and Magma are legally mandated in RF federal information security frameworks; legacy data encrypted under these standards requires GOST-compatible tools for audit, migration, and archival decryption
- GOST TLS compatibility: Russian banking and government TLS implementations (GOST TLS using GOST cipher suites) require Magma-CBC or GOST 28147-89-CBC for legacy session decryption and protocol analysis
- Ukrainian DSTU applications: the DSTU 4145-2002 variant (with DSTU S-box parameter) is used in Ukrainian government documents and certificate chains; decrypting DSTU-encrypted material requires the DSTU S-box parameter set
- GOST cryptographic research: GOST 28147-89's classified history, S-box diversity, and the Courtois reflection attack analysis make it an important subject for post-Soviet cryptographic standardization research, illustrating the security implications of classified cipher parameters
References & Documentation
Related Tools
AES Encryption/Decryption
Securely encrypt and decrypt text using AES algorithm
Twofish Encryption/Decryption
AES finalist symmetric cipher with 128-bit blocks and 128/192/256-bit keys, designed by Bruce Schneier
Blowfish Encryption/Decryption
Fast symmetric block cipher with variable key length (32-448 bits), designed by Bruce Schneier