Encryption -- Blowfish limited to 8 byte passowrds?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hal Vaughan wrote:

I have no background in encryption, so I'm working with samples I've
found
in various places and patching them together. I know Blowfish can
use a 56
byte key. The version of this program in Perl has no problem with a
56 byte key, but this Java version has problems if I use a key that
is any
length other than 8 bytes. Is there something I can do to enable 56
byte
keys and vectors? Here's what I'm doing:

//byte[] bRawData is already set
String sCryptoKey = "MyOwnKey";
String sCryptoVector = "MyOwnVec";
byte[] bDecrypted;

try {
SecretKeySpec oKey = new
SecretKeySpec(sCryptoKey.getBytes("UTF8"),
"Blowfish");
IvParameterSpec oIV = new
IvParameterSpec(sCryptoVector.getBytes("UTF8")); Cipher
oCipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
oCipher.init(Cipher.DECRYPT_MODE, oKey, oIV );
//I also have a ENCRYPT_MODE mirror of this routine.
bDecrypted = oCipher.doFinal(bRawData);
} catch (Exception e) {}

Is there a setting I'm missing? Why won't Java allow other length
keys and vectors?

Thanks!

Hal

Hello,
I'm pretty sure this is because you are trying to use the password
itself as underlying key material, and the Blowfish implementation
you're working with (or perhaps the entire algorithm, I'm not
particularly familiar with it) actually operates on 64-bit keys (=8
bytes). See, when you use a SecretKeySpec, that's actually operating
on the underlying key material. When you use a password, the password
itself is not typically used directly. Instead, it passes through
some kind of hash function. This is probably what is happening,
without you knowing it, in Perl. In Java, you have to explicitly
indicate that you want this to happen. The normal way to do this is
to use the javax.crypto.spec.PBEKeySpec class to transform your
password into a key, rather than using SecretKeySpec. This is the
"proper" way to do password-based encryption. This could be slightly
misleading, since irrelevant of the length of the password, the
algorithm itself is only acting on an 8-byte key. Longer passwords
are hashed down to size, so it's possible that there could be more
than one password that successfully decrypts the data. Assuming the
hash function is secure, it is "computationally infeasible" to figure
out what those other passwords are, but they probably exist. This is
always the case when using a password with an algorithm that has a
fixed key size (i.e. almost all of them).

- --
Chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/mbBDwxczzJRavJYRAuieAJ4t/IvawT18b6Q/dqblg+gveyewpACeKZiS
hIOQIsym9rIfjmlakT3zIZk=
=EsJ4
-----END PGP SIGNATURE-----

Chris wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hal Vaughan wrote:

I have no background in encryption, so I'm working with samples I've
found
in various places and patching them together. I know Blowfish can
use a 56
byte key. The version of this program in Perl has no problem with a
56 byte key, but this Java version has problems if I use a key that
is any
length other than 8 bytes. Is there something I can do to enable 56
byte
keys and vectors? Here's what I'm doing:

//byte[] bRawData is already set
String sCryptoKey = "MyOwnKey";
String sCryptoVector = "MyOwnVec";
byte[] bDecrypted;

try {
SecretKeySpec oKey = new
SecretKeySpec(sCryptoKey.getBytes("UTF8"),
"Blowfish");
IvParameterSpec oIV = new
IvParameterSpec(sCryptoVector.getBytes("UTF8")); Cipher
oCipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
oCipher.init(Cipher.DECRYPT_MODE, oKey, oIV );
//I also have a ENCRYPT_MODE mirror of this routine.
bDecrypted = oCipher.doFinal(bRawData);
} catch (Exception e) {}

Is there a setting I'm missing? Why won't Java allow other length
keys and vectors?

Thanks!

Hal

Hello,
I'm pretty sure this is because you are trying to use the password
itself as underlying key material, and the Blowfish implementation
you're working with (or perhaps the entire algorithm, I'm not
particularly familiar with it) actually operates on 64-bit keys (=8
bytes). See, when you use a SecretKeySpec, that's actually operating
on the underlying key material. When you use a password, the password
itself is not typically used directly. Instead, it passes through
some kind of hash function. This is probably what is happening,
without you knowing it, in Perl. In Java, you have to explicitly
indicate that you want this to happen. The normal way to do this is
to use the javax.crypto.spec.PBEKeySpec class to transform your
password into a key, rather than using SecretKeySpec. This is the
"proper" way to do password-based encryption. This could be slightly
misleading, since irrelevant of the length of the password, the
algorithm itself is only acting on an 8-byte key. Longer passwords
are hashed down to size, so it's possible that there could be more
than one password that successfully decrypts the data. Assuming the
hash function is secure, it is "computationally infeasible" to figure
out what those other passwords are, but they probably exist. This is
always the case when using a password with an algorithm that has a
fixed key size (i.e. almost all of them).

- --
Chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/mbBDwxczzJRavJYRAuieAJ4t/IvawT18b6Q/dqblg+gveyewpACeKZiS
hIOQIsym9rIfjmlakT3zIZk=
=EsJ4
-----END PGP SIGNATURE-----

Wow! Thanks for some very good info!

Hal