Re: Encryption -- Blowfish limited to 8 byte passowrds?
From: Chris (chris2k01_at_hotmail.com)
Date: 10/25/03
- Next message: Chris: "Re: handling focusLost Events"
- Previous message: Glen Herrmannsfeldt: "Re: ICMP packets"
- In reply to: Hal Vaughan: "Encryption -- Blowfish limited to 8 byte passowrds?"
- Next in thread: Hal Vaughan: "Re: Encryption -- Blowfish limited to 8 byte passowrds?"
- Reply: Hal Vaughan: "Re: Encryption -- Blowfish limited to 8 byte passowrds?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sat, 25 Oct 2003 06:05:35 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hal Vaughan wrote:
> I have no background in encryption, so I'm working with samples I've
> found
> in various places and patching them together. I know Blowfish can
> use a 56
> byte key. The version of this program in Perl has no problem with a
> 56 byte key, but this Java version has problems if I use a key that
> is any
> length other than 8 bytes. Is there something I can do to enable 56
> byte
> keys and vectors? Here's what I'm doing:
>
> //byte[] bRawData is already set
> String sCryptoKey = "MyOwnKey";
> String sCryptoVector = "MyOwnVec";
> byte[] bDecrypted;
>
> try {
> SecretKeySpec oKey = new
> SecretKeySpec(sCryptoKey.getBytes("UTF8"),
> "Blowfish");
> IvParameterSpec oIV = new
> IvParameterSpec(sCryptoVector.getBytes("UTF8")); Cipher
> oCipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
> oCipher.init(Cipher.DECRYPT_MODE, oKey, oIV );
> //I also have a ENCRYPT_MODE mirror of this routine.
> bDecrypted = oCipher.doFinal(bRawData);
> } catch (Exception e) {}
>
> Is there a setting I'm missing? Why won't Java allow other length
> keys and vectors?
>
> Thanks!
>
> Hal
Hello,
I'm pretty sure this is because you are trying to use the password
itself as underlying key material, and the Blowfish implementation
you're working with (or perhaps the entire algorithm, I'm not
particularly familiar with it) actually operates on 64-bit keys (=8
bytes). See, when you use a SecretKeySpec, that's actually operating
on the underlying key material. When you use a password, the password
itself is not typically used directly. Instead, it passes through
some kind of hash function. This is probably what is happening,
without you knowing it, in Perl. In Java, you have to explicitly
indicate that you want this to happen. The normal way to do this is
to use the javax.crypto.spec.PBEKeySpec class to transform your
password into a key, rather than using SecretKeySpec. This is the
"proper" way to do password-based encryption. This could be slightly
misleading, since irrelevant of the length of the password, the
algorithm itself is only acting on an 8-byte key. Longer passwords
are hashed down to size, so it's possible that there could be more
than one password that successfully decrypts the data. Assuming the
hash function is secure, it is "computationally infeasible" to figure
out what those other passwords are, but they probably exist. This is
always the case when using a password with an algorithm that has a
fixed key size (i.e. almost all of them).
- --
Chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/mbBDwxczzJRavJYRAuieAJ4t/IvawT18b6Q/dqblg+gveyewpACeKZiS
hIOQIsym9rIfjmlakT3zIZk=
=EsJ4
-----END PGP SIGNATURE-----
- Next message: Chris: "Re: handling focusLost Events"
- Previous message: Glen Herrmannsfeldt: "Re: ICMP packets"
- In reply to: Hal Vaughan: "Encryption -- Blowfish limited to 8 byte passowrds?"
- Next in thread: Hal Vaughan: "Re: Encryption -- Blowfish limited to 8 byte passowrds?"
- Reply: Hal Vaughan: "Re: Encryption -- Blowfish limited to 8 byte passowrds?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
