By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
438,538 Members | 1,130 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 438,538 IT Pros & Developers. It's quick & easy.

Encryption -- Blowfish limited to 8 byte passowrds?

P: n/a
I have no background in encryption, so I'm working with samples I've found
in various places and patching them together. I know Blowfish can use a 56
byte key. The version of this program in Perl has no problem with a 56
byte key, but this Java version has problems if I use a key that is any
length other than 8 bytes. Is there something I can do to enable 56 byte
keys and vectors? Here's what I'm doing:

//byte[] bRawData is already set
String sCryptoKey = "MyOwnKey";
String sCryptoVector = "MyOwnVec";
byte[] bDecrypted;

try {
SecretKeySpec oKey = new SecretKeySpec(sCryptoKey.getBytes("UTF8"),
"Blowfish");
IvParameterSpec oIV = new IvParameterSpec(sCryptoVector.getBytes("UTF8"));
Cipher oCipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
oCipher.init(Cipher.DECRYPT_MODE, oKey, oIV );
//I also have a ENCRYPT_MODE mirror of this routine.
bDecrypted = oCipher.doFinal(bRawData);
} catch (Exception e) {}

Is there a setting I'm missing? Why won't Java allow other length keys and
vectors?

Thanks!

Hal
Jul 17 '05 #1
Share this Question
Share on Google+
2 Replies


P: n/a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hal Vaughan wrote:
I have no background in encryption, so I'm working with samples I've
found
in various places and patching them together. I know Blowfish can
use a 56
byte key. The version of this program in Perl has no problem with a
56 byte key, but this Java version has problems if I use a key that
is any
length other than 8 bytes. Is there something I can do to enable 56
byte
keys and vectors? Here's what I'm doing:

//byte[] bRawData is already set
String sCryptoKey = "MyOwnKey";
String sCryptoVector = "MyOwnVec";
byte[] bDecrypted;

try {
SecretKeySpec oKey = new
SecretKeySpec(sCryptoKey.getBytes("UTF8"),
"Blowfish");
IvParameterSpec oIV = new
IvParameterSpec(sCryptoVector.getBytes("UTF8")); Cipher
oCipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
oCipher.init(Cipher.DECRYPT_MODE, oKey, oIV );
//I also have a ENCRYPT_MODE mirror of this routine.
bDecrypted = oCipher.doFinal(bRawData);
} catch (Exception e) {}

Is there a setting I'm missing? Why won't Java allow other length
keys and vectors?

Thanks!

Hal


Hello,
I'm pretty sure this is because you are trying to use the password
itself as underlying key material, and the Blowfish implementation
you're working with (or perhaps the entire algorithm, I'm not
particularly familiar with it) actually operates on 64-bit keys (=8
bytes). See, when you use a SecretKeySpec, that's actually operating
on the underlying key material. When you use a password, the password
itself is not typically used directly. Instead, it passes through
some kind of hash function. This is probably what is happening,
without you knowing it, in Perl. In Java, you have to explicitly
indicate that you want this to happen. The normal way to do this is
to use the javax.crypto.spec.PBEKeySpec class to transform your
password into a key, rather than using SecretKeySpec. This is the
"proper" way to do password-based encryption. This could be slightly
misleading, since irrelevant of the length of the password, the
algorithm itself is only acting on an 8-byte key. Longer passwords
are hashed down to size, so it's possible that there could be more
than one password that successfully decrypts the data. Assuming the
hash function is secure, it is "computationally infeasible" to figure
out what those other passwords are, but they probably exist. This is
always the case when using a password with an algorithm that has a
fixed key size (i.e. almost all of them).

- --
Chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/mbBDwxczzJRavJYRAuieAJ4t/IvawT18b6Q/dqblg+gveyewpACeKZiS
hIOQIsym9rIfjmlakT3zIZk=
=EsJ4
-----END PGP SIGNATURE-----
Jul 17 '05 #2

P: n/a
Chris wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hal Vaughan wrote:
I have no background in encryption, so I'm working with samples I've
found
in various places and patching them together. I know Blowfish can
use a 56
byte key. The version of this program in Perl has no problem with a
56 byte key, but this Java version has problems if I use a key that
is any
length other than 8 bytes. Is there something I can do to enable 56
byte
keys and vectors? Here's what I'm doing:

//byte[] bRawData is already set
String sCryptoKey = "MyOwnKey";
String sCryptoVector = "MyOwnVec";
byte[] bDecrypted;

try {
SecretKeySpec oKey = new
SecretKeySpec(sCryptoKey.getBytes("UTF8"),
"Blowfish");
IvParameterSpec oIV = new
IvParameterSpec(sCryptoVector.getBytes("UTF8")); Cipher
oCipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
oCipher.init(Cipher.DECRYPT_MODE, oKey, oIV );
//I also have a ENCRYPT_MODE mirror of this routine.
bDecrypted = oCipher.doFinal(bRawData);
} catch (Exception e) {}

Is there a setting I'm missing? Why won't Java allow other length
keys and vectors?

Thanks!

Hal


Hello,
I'm pretty sure this is because you are trying to use the password
itself as underlying key material, and the Blowfish implementation
you're working with (or perhaps the entire algorithm, I'm not
particularly familiar with it) actually operates on 64-bit keys (=8
bytes). See, when you use a SecretKeySpec, that's actually operating
on the underlying key material. When you use a password, the password
itself is not typically used directly. Instead, it passes through
some kind of hash function. This is probably what is happening,
without you knowing it, in Perl. In Java, you have to explicitly
indicate that you want this to happen. The normal way to do this is
to use the javax.crypto.spec.PBEKeySpec class to transform your
password into a key, rather than using SecretKeySpec. This is the
"proper" way to do password-based encryption. This could be slightly
misleading, since irrelevant of the length of the password, the
algorithm itself is only acting on an 8-byte key. Longer passwords
are hashed down to size, so it's possible that there could be more
than one password that successfully decrypts the data. Assuming the
hash function is secure, it is "computationally infeasible" to figure
out what those other passwords are, but they probably exist. This is
always the case when using a password with an algorithm that has a
fixed key size (i.e. almost all of them).

- --
Chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/mbBDwxczzJRavJYRAuieAJ4t/IvawT18b6Q/dqblg+gveyewpACeKZiS
hIOQIsym9rIfjmlakT3zIZk=
=EsJ4
-----END PGP SIGNATURE-----


Wow! Thanks for some very good info!

Hal
Jul 17 '05 #3

This discussion thread is closed

Replies have been disabled for this discussion.