Re: Encryption -- Blowfish limited to 8 byte passowrds?
From: Hal Vaughan (hal_at_thresholddigital.com)
Date: 10/26/03
- Previous message: Phil...: "Re: Whoever loves C++ and java programming, come here"
- In reply to: Chris: "Re: Encryption -- Blowfish limited to 8 byte passowrds?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 26 Oct 2003 00:48:05 GMT
Chris wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hal Vaughan wrote:
>
>> I have no background in encryption, so I'm working with samples I've
>> found
>> in various places and patching them together. I know Blowfish can
>> use a 56
>> byte key. The version of this program in Perl has no problem with a
>> 56 byte key, but this Java version has problems if I use a key that
>> is any
>> length other than 8 bytes. Is there something I can do to enable 56
>> byte
>> keys and vectors? Here's what I'm doing:
>>
>> //byte[] bRawData is already set
>> String sCryptoKey = "MyOwnKey";
>> String sCryptoVector = "MyOwnVec";
>> byte[] bDecrypted;
>>
>> try {
>> SecretKeySpec oKey = new
>> SecretKeySpec(sCryptoKey.getBytes("UTF8"),
>> "Blowfish");
>> IvParameterSpec oIV = new
>> IvParameterSpec(sCryptoVector.getBytes("UTF8")); Cipher
>> oCipher = Cipher.getInstance("Blowfish/CBC/PKCS5Padding");
>> oCipher.init(Cipher.DECRYPT_MODE, oKey, oIV );
>> //I also have a ENCRYPT_MODE mirror of this routine.
>> bDecrypted = oCipher.doFinal(bRawData);
>> } catch (Exception e) {}
>>
>> Is there a setting I'm missing? Why won't Java allow other length
>> keys and vectors?
>>
>> Thanks!
>>
>> Hal
>
> Hello,
> I'm pretty sure this is because you are trying to use the password
> itself as underlying key material, and the Blowfish implementation
> you're working with (or perhaps the entire algorithm, I'm not
> particularly familiar with it) actually operates on 64-bit keys (=8
> bytes). See, when you use a SecretKeySpec, that's actually operating
> on the underlying key material. When you use a password, the password
> itself is not typically used directly. Instead, it passes through
> some kind of hash function. This is probably what is happening,
> without you knowing it, in Perl. In Java, you have to explicitly
> indicate that you want this to happen. The normal way to do this is
> to use the javax.crypto.spec.PBEKeySpec class to transform your
> password into a key, rather than using SecretKeySpec. This is the
> "proper" way to do password-based encryption. This could be slightly
> misleading, since irrelevant of the length of the password, the
> algorithm itself is only acting on an 8-byte key. Longer passwords
> are hashed down to size, so it's possible that there could be more
> than one password that successfully decrypts the data. Assuming the
> hash function is secure, it is "computationally infeasible" to figure
> out what those other passwords are, but they probably exist. This is
> always the case when using a password with an algorithm that has a
> fixed key size (i.e. almost all of them).
>
> - --
> Chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
>
> iD8DBQE/mbBDwxczzJRavJYRAuieAJ4t/IvawT18b6Q/dqblg+gveyewpACeKZiS
> hIOQIsym9rIfjmlakT3zIZk=
> =EsJ4
> -----END PGP SIGNATURE-----
Wow! Thanks for some very good info!
Hal
- Previous message: Phil...: "Re: Whoever loves C++ and java programming, come here"
- In reply to: Chris: "Re: Encryption -- Blowfish limited to 8 byte passowrds?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
