Encryption between Python & PHP

On Sun, 8 Aug 2004 14:00:32 +0100,
Geoff Caplan <ge***@variosoft.com> wrote:

I have little crypto knowledge, and at first I though that something
like blowfish was a standard and different libraries should be
compatible. Now I suspect that internal implementation varies between
libraries and you have to encrypt/decrypt with the same library. Can
anyone enlighten me?

I can't help much with your other questions, but I do know about this
one. By definition, blowfish is blowfish is blowfish. Any (properly
implemented) blowfish library will be compatible with another; if you
encode something with one library, you will be able to decode it with
the other. It is up to you to use the same key and to make sense of the
information once you decrypt it.

That said, yes, it is possible that the internal implementation details
may vary slightly between libraries, but not in ways that the user will
notice. Think of this like calculators: although calculators use
different hardware and different display devices, they all (should) give
the same answer to the same multiplication problem (keeping the
multiplications in question simple enough so as not to cause some sort
of underflow or overflow error or loss of precision; thankfully,
blowfish implementations do not suffer even this limitation).

HTH,
Dan

--
Dan Sommers
<http://www.tombstonezero.net/dan/>
Never play leapfrog with a unicorn.

Dan,

DS> I can't help much with your other questions, but I do know about this
DS> one. By definition, blowfish is blowfish is blowfish. Any (properly
DS> implemented) blowfish library will be compatible with another; if you
DS> encode something with one library, you will be able to decode it with
DS> the other.

Thanks for that. Looks like I should persist and track down the
problem. Perhaps something to do with the keys? When I try to
decrypt I am getting binary garbage out instead of an ascii string.

Any pointers about where to start looking would be welcome!
------------------
Geoff Caplan
Vario Software Ltd
(+44) 121-515 1154

On Sun, 8 Aug 2004 16:37:33 +0100,
Geoff Caplan <ge***@variosoft.com> wrote:

Dan,
Not just me, thank goodness. The entire Python community. ;-)

DS> I can't help much with your other questions, but I do know about this
DS> one. By definition, blowfish is blowfish is blowfish. Any (properly
DS> implemented) blowfish library will be compatible with another; if you
DS> encode something with one library, you will be able to decode it with
DS> the other.
Thanks for that. Looks like I should persist and track down the
problem. Perhaps something to do with the keys? When I try to
decrypt I am getting binary garbage out instead of an ascii string. Any pointers about where to start looking would be welcome!

I guess the usual pointers apply: Create the absolute smallest program
that fails. Ask the vendors/authors of the library and/or programming
language you're using. Post/Email the code, the input, the actual
output, what you expected to be the output, and why you expected that
output.

I'm pretty sure that counterpane (blowfish' creator, IIRC) has test
vectors, too. If you can encrypt *or* decrypt them, but not both, that
points at one part of your application or another as well.

Regards,
Dan

--
Dan Sommers
<http://www.tombstonezero.net/dan/>
Never play leapfrog with a unicorn.

Geoff Caplan wrote:

Looks like I should persist and track down the
problem. Perhaps something to do with the keys? When I try to
decrypt I am getting binary garbage out instead of an ascii string.

Any pointers about where to start looking would be welcome!

First check the obvious: do you have exactly the same
key/IV/ciphertext.

If that's not it, the most popular bug in Blowfish
implementations is an endian dependency. It causes
implementations to be self-consistent, but ciphertext is not
portable between big-endian and little-endian machines. Bruce
Schneier's original implementation had the bug, and many others
followed.
--
--Bryan