Insecure CHIASMUS encryption in GSTOOL

From: Jan Schejbal <>
Subject: Insecure CHIASMUS encryption in GSTOOL

== Insecure CHIASMUS encryption in GSTOOL ==
GSTOOL versions 3.0 to 4.7 (inclusive) contain an insecure encryption
feature using the non-public CHIASMUS block cipher. Due to the use of an
insecure PRNG for key generation, files encrypted using the encryption
feature of this tool can be decrypted without knowledge of the key
within seconds to minutes.

The affected versions of GSTOOL were developed by Steria Mummert
Consulting for the German Federal Office for Information Security
(Bundesamt fr Sicherheit in der Informationstechnik, BSI) and released
by the BSI.

We reported the issue to the BSI in November 2011. The BSI issued an
advisory warning users to stop using the encryption feature in the same
month. A patch disabling the vulnerable encryption feature was released
in June 2013. We later learned that the issue was independently
discovered by Felix Schuster in 2009.

For full details including further issues found, please see the German
advisory, available at
Since this is an implementation issue, the CHIASMUS block cipher itself
and other products (e.g. Chiasmus for Windows) using the CHIASMUS block
cipher are NOT affected.

Kind regards,
Jan Schejbal

Copyright © 1995-2020 All rights reserved.