You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
149 lines
6.3 KiB
149 lines
6.3 KiB
The Blowfish library. |
|
|
|
Blowfish is a block cipher that operates on 64bit (8 byte) quantities. It |
|
uses variable size key, but 128bit (16 byte) key would normally be considered |
|
good. It can be used in all the modes that DES can be used. This |
|
library implements the ecb, cbc, cfb64, ofb64 modes. |
|
|
|
Blowfish is quite a bit faster that DES, and much faster than IDEA or |
|
RC2. It is one of the faster block ciphers. |
|
|
|
For all calls that have an 'input' and 'output' variables, they can be the |
|
same. |
|
|
|
This library requires the inclusion of 'blowfish.h'. |
|
|
|
All of the encryption functions take what is called an BF_KEY as an |
|
argument. An BF_KEY is an expanded form of the Blowfish key. |
|
For all modes of the Blowfish algorithm, the BF_KEY used for |
|
decryption is the same one that was used for encryption. |
|
|
|
The define BF_ENCRYPT is passed to specify encryption for the functions |
|
that require an encryption/decryption flag. BF_DECRYPT is passed to |
|
specify decryption. |
|
|
|
Please note that any of the encryption modes specified in my DES library |
|
could be used with Blowfish. I have only implemented ecb, cbc, cfb64 and |
|
ofb64 for the following reasons. |
|
- ecb is the basic Blowfish encryption. |
|
- cbc is the normal 'chaining' form for block ciphers. |
|
- cfb64 can be used to encrypt single characters, therefore input and output |
|
do not need to be a multiple of 8. |
|
- ofb64 is similar to cfb64 but is more like a stream cipher, not as |
|
secure (not cipher feedback) but it does not have an encrypt/decrypt mode. |
|
- If you want triple Blowfish, thats 384 bits of key and you must be totally |
|
obsessed with security. Still, if you want it, it is simple enough to |
|
copy the function from the DES library and change the des_encrypt to |
|
BF_encrypt; an exercise left for the paranoid reader :-). |
|
|
|
The functions are as follows: |
|
|
|
void BF_set_key( |
|
BF_KEY *ks; |
|
int len; |
|
unsigned char *key; |
|
BF_set_key converts an 'len' byte key into a BF_KEY. |
|
A 'ks' is an expanded form of the 'key' which is used to |
|
perform actual encryption. It can be regenerated from the Blowfish key |
|
so it only needs to be kept when encryption or decryption is about |
|
to occur. Don't save or pass around BF_KEY's since they |
|
are CPU architecture dependent, 'key's are not. Blowfish is an |
|
interesting cipher in that it can be used with a variable length |
|
key. 'len' is the length of 'key' to be used as the key. |
|
A 'len' of 16 is recomended by me, but blowfish can use upto |
|
72 bytes. As a warning, blowfish has a very very slow set_key |
|
function, it actually runs BF_encrypt 521 times. |
|
|
|
void BF_encrypt( |
|
unsigned long *data, |
|
BF_KEY *key, |
|
int encrypt); |
|
This is the Blowfish encryption function that gets called by just about |
|
every other Blowfish routine in the library. You should not use this |
|
function except to implement 'modes' of Blowfish. |
|
I say this because the |
|
functions that call this routine do the conversion from 'char *' to |
|
long, and this needs to be done to make sure 'non-aligned' memory |
|
access do not occur. |
|
Data is a pointer to 2 unsigned long's and key is the |
|
BF_KEY to use. Encryption or decryption is indicated by 'encrypt'. |
|
which can have the values BF_ENCRYPT or BF_DECRYPT. |
|
|
|
void BF_ecb_encrypt( |
|
unsigned char *in, |
|
unsigned char *out, |
|
BF_KEY *key, |
|
int encrypt); |
|
This is the basic Electronic Code Book form of Blowfish (in DES this |
|
mode is called Electronic Code Book so I'm going to use the term |
|
for blowfish as well. |
|
Input is encrypted into output using the key represented by |
|
key. Depending on the encrypt, encryption or |
|
decryption occurs. Input is 8 bytes long and output is 8 bytes. |
|
|
|
void BF_cbc_encrypt( |
|
unsigned char *in, |
|
unsigned char *out, |
|
long length, |
|
BF_KEY *ks, |
|
unsigned char *ivec, |
|
int encrypt); |
|
This routine implements Blowfish in Cipher Block Chaining mode. |
|
Input, which should be a multiple of 8 bytes is encrypted |
|
(or decrypted) to output which will also be a multiple of 8 bytes. |
|
The number of bytes is in length (and from what I've said above, |
|
should be a multiple of 8). If length is not a multiple of 8, bad |
|
things will probably happen. ivec is the initialisation vector. |
|
This function updates iv after each call so that it can be passed to |
|
the next call to BF_cbc_encrypt(). |
|
|
|
void BF_cfb64_encrypt( |
|
unsigned char *in, |
|
unsigned char *out, |
|
long length, |
|
BF_KEY *schedule, |
|
unsigned char *ivec, |
|
int *num, |
|
int encrypt); |
|
This is one of the more useful functions in this Blowfish library, it |
|
implements CFB mode of Blowfish with 64bit feedback. |
|
This allows you to encrypt an arbitrary number of bytes, |
|
you do not require 8 byte padding. Each call to this |
|
routine will encrypt the input bytes to output and then update ivec |
|
and num. Num contains 'how far' we are though ivec. |
|
'Encrypt' is used to indicate encryption or decryption. |
|
CFB64 mode operates by using the cipher to generate a stream |
|
of bytes which is used to encrypt the plain text. |
|
The cipher text is then encrypted to generate the next 64 bits to |
|
be xored (incrementally) with the next 64 bits of plain |
|
text. As can be seen from this, to encrypt or decrypt, |
|
the same 'cipher stream' needs to be generated but the way the next |
|
block of data is gathered for encryption is different for |
|
encryption and decryption. |
|
|
|
void BF_ofb64_encrypt( |
|
unsigned char *in, |
|
unsigned char *out, |
|
long length, |
|
BF_KEY *schedule, |
|
unsigned char *ivec, |
|
int *num); |
|
This functions implements OFB mode of Blowfish with 64bit feedback. |
|
This allows you to encrypt an arbitrary number of bytes, |
|
you do not require 8 byte padding. Each call to this |
|
routine will encrypt the input bytes to output and then update ivec |
|
and num. Num contains 'how far' we are though ivec. |
|
This is in effect a stream cipher, there is no encryption or |
|
decryption mode. |
|
|
|
For reading passwords, I suggest using des_read_pw_string() from my DES library. |
|
To generate a password from a text string, I suggest using MD5 (or MD2) to |
|
produce a 16 byte message digest that can then be passed directly to |
|
BF_set_key(). |
|
|
|
===== |
|
For more information about the specific Blowfish modes in this library |
|
(ecb, cbc, cfb and ofb), read the section entitled 'Modes of DES' from the |
|
documentation on my DES library. What is said about DES is directly |
|
applicable for Blowfish. |
|
|
|
|