Scapysec v1.0 (IPsec for Scapy) - README

Frédéric Roudaut

Creation : 12/2006
Last Update: Sun September 27 2009 02:15:21 AM

1 - INTRODUCTION : Scapy & Scapysec

5 - SECURITY ASSOCIATIONS DATABASE (SAD)

5.3 - AUTHENTICATION ALGORITHM

6 - ENCRYPTION ON THE FLIGHT : IPsec Class

ANNEX A - IPSEC ALGORITHMS AND KEYS

A.1.2 : TripleDES-CBC [RFC2451]

A.1.6 : BLOWFISH-CBC [RFC2451]

A.1.9 : HMAC-SHA1-96 [RFC2404]

A.1.11 : HMAC-RIPEMD160-96 [RFC2857]

A.1.12 : AES-XCBC-MAC-96 [RFC3566]

1 - INTRODUCTION : Scapy & Scapysec

Scapy (http://www.secdev.org/projects/scapy/) is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc

Scapy6 (http://namabiiru.hongo.wide.ad.jp/scapy6/) is an extension to handle IPv6 Packets.

The Scapysec goal is to extend Scapy to handle IPsec packets with IPv4 or IPv6. Ie to encode/decode IPsec packets, generate any valid/invalid IPsec Packet using different encryption and authentication algorithms.
On this basis, some more complex applications could be build up.

Currently, Scapysec supports ESP with :

Encryption Algorithm (Key Lengths in bits) <block length in bytes>
- NULL : (Any)
- TripleDES-CBC [RFC2451] : (192) <8>
- AES-CBC [RFC3602] : (128/192/256) <16>
- AES-CTR [RFC3686] : (160/224/288) The remaining 32 bits will be used as nonce. <16>
- DES-CBC [RFC2405] : (64) <8>
- BLOWFISH-CBC : (Any) <8>
- CAST5-CBC : (40, 48, 56, ..., 120, and 128 bits.) <8>

Authentication Algorithm (Key Lengths in bits)
- NULL
- HMAC-SHA1-96 [RFC2404] : (Any)
- HMAC-MD5-96 [RFC2403] : (Any)
- HMAC-SHA256-96 : (Any)
- AES-XCBC-MAC-96 [RFC3566] : (128)
- HMAC-RIPEMD160-96 [RFC2857] : (Any)

2 - OVERVIEW

The example will be explained later but shows how it is simple to generate encrypted IPsec packets.

>>> q = IP(dst="192.168.0.6")/ESP(spi=5)/TCP()
>>> q.show2()
== IPv4 IPsec SA Used for: <Src: 192.168.0.2> <Dst: 192.168.0.6> <Spi: 5> ==
<Src: *> <Dst: 192.168.0.6> <Spi: *>
Crypt Algo: AES-CTR
Crypt Key: 00001234abc12ffffbc1
Auth Algo: HMAC-MD5-96
Auth Key: 5632abc1azefvc

###[ IP ]###
version= 4L
ihl= 5L
tos= 0x0
len= 80
id= 1
flags=
frag= 0L
ttl= 64
proto= IPv6-Crypt
chksum= 0xf922
src= 192.168.0.2
dst= 192.168.0.6
options= ''
###[ ESP ]###
spi= 0x5L
seq= 0L
data= 0
iv= '\xc7\xaem\xba<\x08i\x93'
pad= 'XyYkQx8RDl'
padlen= 10
nh= TCP
authentication= '\n\xf8[\x1a\xe0\xaf\xc1\xab4f\x0f\xda'
###[ TCP ]###
sport= ftp-data
dport= http
seq= 0L
ack= 0L
dataofs= 5L
reserved= 0L
flags= S
window= 8192
chksum= 0xe26
urgptr= 0
options= {}

In this example we have several things. Indeed the packet matchs what we will call a Security Association:

<Src: *> <Dst: 192.168.0.6> <Spi: *>

Then the packet is created. All the fields are filled, the packet is encrypted and the authentication is computed and appended according to the Algorithm specified in the Security Association

When q.show2() is called, the reverse is done. The security Association matching the packet is found and the packet is decrypted before the printing as it has been sent by another host on the network.

3 - NEEDS AND INSTALLATION

Scapysec uses the Python language 2.3 or upcomming versions. First, you need to have scapy.py and scapy6.py if you want to be able to generate IPsec packets with IPv6. You also need pycrypto since all the encryption/decryption is done using this library.

Thus get :

Scapysec: http://roudaut.frederic.free.fr/data/scapysec/scapysec.py

Scapy6: http://namabiiru.hongo.wide.ad.jp/scapy6/

Oups, you also need a few adaptions to Scapy (instead of the orginal one). You may download it to :
http://roudaut.frederic.free.fr/data/scapysec/scapy.py.

If you plan to use AES-XCBC-MAC-96 as authentication algorithm you will probably need to get my implementation of this algorithm. Thus, get it Here http://roudaut.frederic.free.fr/data/scapysec/modules/XCBCMAC.py

To have a convenient way to use AES-XCBC-MAC-96, I put it in the pycrypto module path. (for me it is "/usr/lib/python2.4/site-packages/Crypto/Hash/XCBCMAC.py". Moreover you should indicate this new algorithm to the __init__.py file in the folder:

__all__ = ['HMAC', 'MD2', 'MD4', 'MD5', 'RIPEMD', 'SHA', 'SHA256','XCBCMAC']

Once you get all, just do: python ./scapysec.py

4 - The ESP CLASS

The different fields of the ESP layer may be seen using ls(). If you do not know about Scapy, this command gives the field name, the type, the value and the default value for this field

>>> ls(ESP())
spi : XIntField = 0 (0)
seq : IntField = 0 (0)
data : StrField = None (None)
iv : StrField = None (None)
pad : StrField = None (None)
padlen : ByteField = None (None)
nh : ByteEnumField = None (None)
authentication : StrField = None (None)

The fields are the following :

spi : Security Parameters Index
seq : Sequence Number
data : data field is used to give directly encrypted data for iv + pad + padlen + nh
iv : Initialization Vector. Computed if not set. The size is precised by the Encryption Algorithm
pad : Filled if not set and depending from the Encryption Algorithm
padlen : Pad length. Computed if not set
nh : Next Header. Set if not set
authentication : Computed if available

pad, padlen and iv lengths are depending from the Encryption Algorithms. As you may create packets that will fail with Encryption, they will be corrected if inadequate.

The data field will be used to directly give encrypted data for iv + pad + padlen + nh

As you may see, you now have to find a way to indicate:

the Encryption Algorithm
the Encryption Key
the Authentication Algorithm
the Authentication Key

These elements will be indicated in the Security Associations Database

5 - SECURITY ASSOCIATIONS DATABASE (SAD)

Here is an example of the SAD

ipsec_sad_example = {'IPV4' : [['192.168.0.2','192.168.0.1','5','ESP','BLOWFISH-CBC','azdregrnytnytftg','HMAC-SHA1-96',
'ecuheznbevnbevabgj'],
['192.168.*.2','192.168.0.5','5','ESP','DES-CBC','5632abc1','HMAC-SHA1-96','5632abc1azefvc'],
['192.168.0.2','192.168.0.3','0x0**0**05','ESP','AES-CBC','1234abc12ffffbc1','HMAC-SHA1-96',
'5632abc1azefvc'],
['192.168.0.2','192.168.0.7','*','ESP','AES-CBC','1234abc12ffffbc1','HMAC-SHA256-96',
'5llll632abc1azefvc'],
['*','192.168.0.6','*','ESP','AES-CTR','1234abc12ffffbc1','HMAC-MD5-96','5632abc1azefvc'],
['192.168.*.2','192.168.0.8','*','ESP','DES-CBC','5632abcuyfyuf1','HMAC-SHA1-96','5632abc1azefvc'],
['192.168.*.2','192.168.0.12','*','ESP','DES-CBC','5632abcuyfyuf1','HMAC-MD5-96','5632abc1azefvc'],
['192.168.0.2','192.*.0.4','*','ESP','NULL','','NULL','']],
'IPV6' : [['*','fe80::240:96ff:fea7:c5d1','5','ESP','DES-CBC','5632abc1','HMAC-SHA1-96',
'5632abc1azefvc'],
['*','3ffe::3','0x0**0**05','ESP','AES-CBC','1234abc12ffffbc1','HMAC-SHA1-96','5632abc1azefvc'],
['','3f*e::4','*','ESP','AES-CBC','1234abc12ffffbc1','HMAC-SHA256-96','5llll632abc1azefvc']]}

The SAD is a dictionnary {'IPV4':[],'IPV6':[]}. One entry is for IPv4, the other one is for IPv6. Each one contains a list of Security Associations (SAs).
The SA described hereafter gives:

the source address filter: '192.168.0.2'
the destination address filter: '192.168.0.1'
the SPI filter: '5'
the protocol: 'AH' or 'ESP'
the Encryption Algorithm : 'BLOWFISH-CBC'
the Encryption Key : 'azdregrnytnytftg'
the Authentication Algorithm : 'HMAC-SHA1-96
the Authentication Key : 'ecuheznbevnbevabgj'

['192.168.0.2','192.168.0.1','5','ESP','BLOWFISH-CBC','azdregrnytnytftg','HMAC-SHA1-96','ecuheznbevnbevabgj']

When an IPsec Packet is sent or received, the corresponding SAD entry (IPv4 or IPv6) is checked. If the packet is catched by one security association, it will be encrypted or decrypted using the associated algorithms and keys.

5.1 - PACKET MATCHING WITH SA

An IPsec packet is catched by a security association if its source, destination address and SPI match a corresponding entry in the SAD. The matching uses the wildcard '*'.

Address are string. It may be IPv4 ('192.168.0.2') or any IPv6 address ('3FFE::1' or 'fe80::240:96ff:fea7:c5d0'). You may use '*' to indicate any address or '*' in the address string.
For IPv4, we then may have '192.168.*.2'. Each '*' means 1 byte.
For IPv6, each '*' means 4 bits. ('3FF*::1', 'fe80::240:96ff:fea7:c5d0')

The SPI is a string but it may represent an integer value ('8') or an hexadecimal value ( '0x23').
You also may use '*' to indicate any SPI or even '*' in the hexadecimal SPI string as '0x34*6'. In this case we do not mind about the hexadecimal value between the '4' and the '6'.

5.2 - ENCRYPTION ALGORITHMS

The Encryption Algorithms available are given hereafter. Between () we give the key length available in bits. Between <> we indicate the block size in bytes

NULL : (Any)
3DES-CBC [RFC2451] : (192) <8>
AES-CBC : (128/192/256) <16>
AES-CTR : (160/224/288) The remaining 32 bits will be used as nonce. <16>
DES-CBC [RFC2405] : (64) <8>
BLOWFISH-CBC : (Any) <8>
CAST5-CBC : (40, 48, 56, ..., 120, and 128 bits.) <8>

A key with an incorrect length will not be used. Instead it may be truncated or enhanced.

5.3 - AUTHENTICATION ALGORITHM

The Authentication Algorithms available are given hereafter. Between () we give the key length available.

NULL : (Any)
HMAC-SHA1-96 [RFC2404] : (Any)
HMAC-MD5-96 [RFC2403] : (Any)
HMAC-SHA256-96 : (Any)
HMAC-RIPEMD160-96 : (Any)
AES-XCBC-MAC-96 [RFC3566] : (16)

A key with an incorrect length will not be used. Instead it may be truncated or enhanced.

5.4 - SETTING THE SAD

The conf Instance has been enhanced with a setkey variable that uses the _IPSEC_SAD Python Class.

Then if you do conf.setkey you get the current SAD

>>> conf.setkey
== IPv4 Security Associations ==
<Src : 192.168.0.2> <Dst : 192.168.0.1> <SPI : 5>
Mode ESP
Crypt Algo : BLOWFISH-CBC Crypt Key : azdregrnytnytftg
Auth Algo : HMAC-SHA1-96 Auth Key : ecuheznbevnbevabgj

<Src : 192.168.*.2> <Dst : 192.168.0.5> <SPI : 5>
Mode ESP
Crypt Algo : DES-CBC Crypt Key : 5632abc1
Auth Algo : HMAC-SHA1-96 Auth Key : 5632abc1azefvc

<Src : 192.168.0.2> <Dst : 192.168.0.3> <SPI : 0x0**0**05>
Mode ESP
Crypt Algo : AES-CBC Crypt Key : 1234abc12ffffbc1
Auth Algo : HMAC-SHA1-96 Auth Key : 5632abc1azefvc

<Src : 192.168.0.2> <Dst : 192.168.0.7> <SPI : *>
Mode ESP
Crypt Algo : AES-CBC Crypt Key : 1234abc12ffffbc1
Auth Algo : HMAC-SHA256-96 Auth Key : 5llll632abc1azefvc

<Src : *> <Dst : 192.168.0.6> <SPI : *>
Mode ESP
Crypt Algo : AES-CTR Crypt Key : 1234abc12ffffbc1
Auth Algo : HMAC-MD5-96 Auth Key : 5632abc1azefvc

<Src : 192.168.*.2> <Dst : 192.168.0.8> <SPI : *>
Mode ESP
Crypt Algo : DES-CBC Crypt Key : 5632abcuyfyuf1
Auth Algo : HMAC-SHA1-96 Auth Key : 5632abc1azefvc

<Src : 192.168.*.2> <Dst : 192.168.0.12> <SPI : *>
Mode ESP
Crypt Algo : DES-CBC Crypt Key : 5632abcuyfyuf1
Auth Algo : HMAC-MD5-96 Auth Key : 5632abc1azefvc

Then you may create a static configuration by doing :

>>> conf.setkey = _IPSEC_SAD(ipsec_sad_example) # Security Association Database for IPsec

5.4.1 - ADDING A SA

The simplest way to do this is to use the add command.

def add(self,proto,src,dst,spi,mode,algo_crypt,algo_key_crypt,algo_auth,algo_key_auth)

All Parameters types are strings:

proto : either 'IPV4' or 'IPV6'
src : source address filter
dst : destination address filter
spi : spi filter
mode : either 'ESP' or 'AH'
algo_crypt : Ecncryption Algorithm
algo_key_crypt : Encryption Key
algo_auth : Authentication Algorithm
algo_key_auth : Authentication Key

>>> conf.setkey.add('IPV4','*','192.168.*.42','6','ESP','AES-CBC', '1234abc12ffffbc1', 'HMAC-SHA256-96' ,'5llll632abc1azefvc')

5.4.2 - DELETING A SA

The simplest way to do this is to use the delete command.

def delete(self,proto,src,dst,spi)

All Parameters types are strings:

proto : either 'IPV4' or 'IPV6'
src : source address filter
dst : destination address filter
spi : spi filter

if proto, src, dst and spi are '*', the SAD is clear. If proto is not '*' only the corresponding one is clear. Otherwise all the entries that exactly match the parameters are removed. The character '*' used as parameter in the function means that we do not care about this field.

Thus the following example remove all entries in the IPv4 SAD that have '192.168.*.42' as destination.

>>> conf.setkey.delete('IPV4','*','192.168.*.42','*')

5.4.3 - CLEARING THE DATABASE

The following command will clear the database associated to IPv4 or IPv6

>>> def erase(self,proto)

where proto is either 'IPV4' or 'IPV6'

6 - ENCRYPTION ON THE FLIGHT : IPsec Class

Sometimes it is not convenient to set the database prior to send packets. In this case you may use the IPsec class

>>> ls(IPsec())
crypt : StrField = 'NULL' ('NULL')
crypt_key : StrField = '' ('')
auth : StrField = 'NULL' ('NULL')
auth_key : StrField = '' ('')

>>> q = IP(dst="192.168.0.6")/IPsec(crypt='AES-CTR', crypt_key='00001234abc12ffffbc1', auth='HMAC-MD5-96', auth_key='5632abc1azefvc')
ESP(spi=5)/TCP()

>>> q.show()
###[ IP ]###
version= 4
ihl= 0
tos= 0x0
len= 0
id= 1
flags=
frag= 0
ttl= 64
proto= IPv6-Crypt
chksum= 0x0
src= 192.168.0.2
dst= 192.168.0.6
options= ''
###[ IPsec ]###
crypt= 'AES-CTR'
crypt_key= '00001234abc12ffffbc1'
auth= 'HMAC-MD5-96'
auth_key= '5632abc1azefvc'
###[ ESP ]###
spi= 0x5
seq= 0
data= 0
iv= 0
pad= 0
padlen= 0
nh= TCP
authentication= 0
###[ TCP ]###
sport= ftp-data
dport= http
seq= 0
ack= 0
dataofs= 0
reserved= 0
flags= S
window= 8192
chksum= 0x0
urgptr= 0
options= {}

In this case we have no SAD for the packet then we cannot decrypt it.
Thus we have to print it using show(). If we use show2(), the decryption will be tried and will certainly be uncorrect.

7 - WHAT'S MORE

All the previous examples were using transport mode and you have certainly noticed that there is no such indication in the SAD. In fact you have to do it by yourself ;-) :

q = IP(dst="192.168.0.6")/IPsec(crypt='AES-CTR', crypt_key='00001234abc11', auth='HMAC-MD5-96', auth_key='5632abc1azefvc')/ESP(spi=5)/IP(dst="10.0.0.1")/TCP()

>>> q.show()
###[ IP ]###
version= 4
ihl= 0
tos= 0x0
len= 0
id= 1
flags=
frag= 0
ttl= 64
proto= IPv6-Crypt
chksum= 0x0
src= 192.168.0.2
dst= 192.168.0.6
options= ''
###[ IPsec ]###
crypt= 'AES-CTR'
crypt_key= '00001234abc11'
auth= 'HMAC-MD5-96'
auth_key= '5632abc1azefvc'
###[ ESP ]###
spi= 0x5
seq= 0
data= 0
iv= 0
pad= 0
padlen= 0
nh= IP-ENCAP
authentication= 0
###[ IP ]###
version= 4
ihl= 0
tos= 0x0
len= 0
id= 1
flags=
frag= 0
ttl= 64
proto= TCP
chksum= 0x0
src= 192.168.0.2
dst= 10.0.0.1
###[ TCP ]###
sport= ftp-data
dport= http
seq= 0
ack= 0
dataofs= 0
reserved= 0
flags= S
window= 8192
chksum= 0x0
urgptr= 0
options= {}

And using the same principles you may have a lot of different IPv4, IPv6, ESP encapsulations with some different algorithms.

Some checks may be done using Wireshark (www.wireshark.org). Have a look to the Wireshark wiki for more information.

The algorithms handled with Wireshark are the following:

Encryption Algorithms :
- NULL
- TripleDES-CBC [RFC2451] : keylen 192 bits.
- AES-CBC with 128-bit keys [RFC3602] : keylen 128 and 192/256 bits.
- AES-CTR [RFC3686] : keylen 160/224/288 bits. The remaining 32 bits will be used as nonce.
- DES-CBC [RFC2405] : keylen 64 bits
- BLOWFISH-CBC : keylen 128 bits.
- TWOFISH-CBC : keylen 128/256 bits.
- CAST5-CBC : keylen 128 bits.

Authentication Algorithms:
- NULL
- HMAC-SHA1-96 [RFC2404] : any keylen
- HMAC-MD5-96 [RFC2403] : any keylen
- HMAC-SHA256-96 : any keylen
- HMAC-RIPEMD160-96 [RFC2857] : any keylen

8 - UPDATE

9 - POSSIBLE EXTENSIONS

For sure, you may use some others ESP Encryption algorithms. I only have done the work for Algorithms specified in RFC4305. Nevertheless, it should not be very difficult to add some other ones.Have a look to the code ;-(

Moreover, you may also add some other Authentication Algorithms. AES-XCBC-MAC-96 has not been added because i had trouble to get a working implementation.

For the moment it works only for ESP but why not adding AH. On this basis it could be possible to have a better look to IKE.

An interesting point with this tool is that if your kernel does not handle IPsec or a particular algorithm it could be quite easy as Wifitap (http://sid.rstack.org/index.php/Wifitap) does to have an interface to generate such encrypted packets.

10 - CREDITS AND LICENCE

This tool is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

11 - BUGS

If you find any bug you may send me reports with associated keys and algorithms at:
frederic.roudaut@free.fr

ANNEX A - IPSEC ALGORITHMS AND KEYS

Currently IPsec is mainly described by the three followings RFCs:

RFC4301, Security Architecture for the Internet Protocol, S. Kent, K. Seo, December 2005, PROPOSED STANDARD.
RFC4302, IP Authentication Header, S. Kent, December 2005, PROPOSED STANDARD.
RFC4303, IP Encapsulating Security Payload (ESP), S. Kent, December2005, PROPOSED STANDARD.

The Algorithms to use and their requirements are described in RFC4305: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH),D. Eastlake 3rd, December 2005, PROPOSED STANDARD.

You also may use some others Cryptographic Algorithm (have a look at the IANA for some other examples).

A.1 - ESP ALGORITHMS (RFC 4305)

The ESP Format is the following:

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ----
  |               Security Parameters Index (SPI)                 | ^Auth.
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
  |                      Sequence Number                          | |erage
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ----
  |                    Payload Data* (variable)                   | |   ^
  ~                                                               ~ |   |
  |                                                               | |Conf.
  +               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Cov-
  |               |     Padding (0-255 bytes)                     | |erage*
  +-+-+-+-+-+-+-+-+               +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |   |
  |                               |  Pad Length   | Next Header   | v   v
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ ------
  |                 Authentication Data (variable)                |  ~                                                               ~  |                                                               |  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

A.1.1 - REQUIREMENTS

The followings tables (RFC 4305) list Encryption and Authentication algorithms for the IPsec Encapsulating Security Payload protocol.

Requirement Encryption Algorithm (notes)

MUST NULL (1)
MUST- TripleDES-CBC [RFC2451]
SHOULD+ AES-CBC with 128-bit keys [RFC3602]
SHOULD AES-CTR [RFC3686]
SHOULD NOT DES-CBC [RFC2405] (3)

Requirement Authentication Algorithm (notes)

MUST HMAC-SHA1-96 [RFC2404]
MUST NULL (1)
SHOULD+ AES-XCBC-MAC-96 [RFC3566]
MAY HMAC-MD5-96 [RFC2403] (2)

Notes:
(1) Since ESP Encryption and Authentication are optional, support for the two "NULL" algorithms is required to maintain consistency with the way these services are negotiated. Note that while Authentication and Encryption can each be "NULL", they MUST NOT both be "NULL".
(2) Weaknesses have become apparent in MD5; however, these should not affect the use of MD5 with HMAC.
(3) DES, with its small key size and publicly demonstrated and open-design special-purpose cracking hardware, is of questionable security for general use.

This tool takes into account all these Encryption Algorithms defined in RFC 4305.
I also have adapted the tool for :

BLOWFISH-CBC [RFC2451] with any key length.
CAST5-CBC with keylen 40, 48, 56, ..., 120, and 128 bits.

This tool is also able to generate authentication for all these previous Authentication algorithm. To have AES-XCBC-MAC-96 working you should get my implementation of this algorithm.
I also have adapted the tool to handle the following Authentication Mechanism :

HMAC-SHA256-96 with any key size.
HMAC-RIPEMD160-96 [RFC2857] with any key size.

A.1.2 - TripleDES-CBC (RFC2451)

According to RFC 2451, 3DES CBC uses a key of 192 bits. The first 3DES key is taken from the first 64 bits, the second from the next 64 bits, and the third from the last 64 bits. Each of the three keys is really 56 bits in length with the extra 8 bits used for parity. 3DES CBC uses an IV of 8 octets and a Block size of 8 octets.

A.1.3 - AES-CBC (RFC3602)

According to RFC 3602, AES supports three key sizes: 128 bits, 192 bits, and 256 bits. The default key size is 128 bits, and all implementations MUST support this key size. Implementations MAY also support key sizes of 192 bits and 256 bits. AES-CBC uses an IV of 16 octets and a Block size of 16 octets

A.1.4 - AES-CTR (RFC3686)

According to RFC 3686, AES supports three key sizes: 128 bits, 192 bits, and 256 bits. The default key size is 128 bits, and all implementations MUST support this key size. Implementations MAY also support key sizes of 192 bits and 256 bits. AES-CTR uses an IV of 8 octets and a Block size of 16 octets

A.1.5 - DES-CBC (RFC2405)

According to RFC 2405, DES-CBC is a symmetric secret key algorithm. The key size is 64-bits. It is commonly known as a 56-bit key as the key has 56 significant bits; the least significant bit in every byte is the parity bit. DES-CBC uses an IV of 8 octets and a Block size of 8 octets.

A.1.6 - BLOWFISH-CBC (RFC2451)

Bruce Schneier of Counterpane Systems developed the Blowfish cipher algorithm. RFC 2451 shows that Blowfish uses key sizes from 40 to 448 bits. The Default size is 128 bits. BLOWFISH-CBC uses an IV of 8 octets and a Block size of 8 octets.

A.1.7 - CAST-CBC (draft-ietf-ipsec-esp-cast-128-cbc-00.txt)

The CAST-128 encryption algorithm has been designed to allow a key size which can vary from 40 bits to 128 bits, in 8-bit increments (that is, the allowable key sizes are 40, 48, 56, 64, ..., 112, 120, and 128 bits. To facilitate interoperability, it is recommended that key sizes SHOULD be chosen from the set of 40, 64, 80 and 128.

For key sizes less than 128 bits, the key is padded with zero (in the rightmost, or least significant, positions) out to 128 bits. CAST-CBC uses an IV of 8 octets and a block size of 8 octets.

A.1.8 - HMAC-MD5-96 (RFC2403)

HMAC with MD5 provides data origin Authentication and integrity protection. HMAC-MD5-96 produces a 128-bit authenticator value. For use with either ESP or AH, a truncated value using the first 96 bits MUST be supported. Our implementation will support any key length.

A.1.9 - HMAC-SHA1-96 (RFC2404)

SHA-1 combined with HMAC [RFC2104] provides a keyed Authentication mechanism. HMAC-SHA-1-96 produces a 160-bit authenticator value. For use with either ESP or AH, a truncated value using the first 96 bits MUST be supported. Our implementation will support any key length.

A.1.10 - HMAC-SHA256-96 (draft-ietf-ipsec-ciph-sha-256-01.txt)

This is the SHA-256 algorithm which yields a message digest of 32 bytes. For use with either ESP or AH, a truncated value using the first 96 bits MUST be supported. Our implementation will support any key length.

A.1.11 - HMAC-RIPEMD160-96 (RFC2857)

It is used as an authentication mechanism. It involves the use of the HMAC algorithm [RFC 2104] in conjunction with the RIPEMD-160 algorithm. It yields a message digest of 20 bytes. For use with either ESP or AH, a truncated value using the first 96 bits MUST be supported. For use with either ESP or AH a fixed key length of 160-bits MUST be supported. Our implementation will support any key length.

A.1.12 - AES-XCBC-MAC-96 (RFC3566)

AES-XCBC-MAC-96 is used as an authentication mechanism. It involves the use of AES in CBC mode with a set of extensions (XCBC) to overcome this limitation. It yields a message digest of 16 bytes. For use with either ESP or AH, a truncated value using the first 96 bits MUST be supported. The key length should be the cipher Block size, ie 16 bytes for AES-XCBC-MAC.