Blowfish compatibility with other blowfish implementations


#1

I need to encrypt some text in an AWS Lambda instance as part of a web response, and then decrypt it in JUCE. Has anyone done this before? I figured BlowFish would be a good way to go. I’m using the crypto module, but there are a few different blowfish implementations available: bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb.

The OpenSSL documentation has a bit more info on these:

As you can see from the "enc" help text, OpenSSL supports 4 cipher variations of Blowfish algorithm with 6 aliases:

"bf" - Alias for "bf-cbc"
"blowfish" - Alias for "bf-cbc"
"bf-cbc" - Blowfish in CBC mode
"bf-cfb" - Blowfish in CFB mode
"bf-ecb" - Blowfish in ECB mode
"bf-ofb" - Blowfish in OFB mode

I also found more reference here: https://adayinthelifeof.nl/2010/12/08/encryption-operating-modes-ecb-vs-cbc/

I can’t seem to find in the JUCE documentation what operating mode the BlowFish class uses. Before I do a lot of tedious trial and error (or interpreting the source code), has anyone tried this before?


#2

I’m sorry I don’t have much to add, cpenny, but I would like to know this as well. Seems like a simple question for the JUCE team to answer.


#3

I just went without encryption for now — as it turns out it was unnecessary for my specific application.

This could be a great JUCE demo — I’m sure people will be using JUCE apps alongside web apps more and more. I would love to see an “official” working implementation of encryption in Node.js and decryption in JUCE.


#4

+1 Would be good to know which mode is used, and even better, an example with openssl encryption and JUCE decryption.


#5

I want to use openssl_encrypt on our server too, so knowing which cipher mode the BlowFish algorithm uses is quite essential. @jules should know :wink:


#6

I couldn’t tell you for sure, it’s years since I wrote it, but I assume it’s the most common one: CBC


#7

Looking at the code I’d say the mode is ECB. There is no feedback of the previous cipher into the next block encryption.


#8

I’m actually quite sure it’s not the most common one. Or some of the other settings differ with common defaults. If I remember correctly I tried both ECB and CBC and neither worked.

In the end I ended up using cryptopp instead of juce’s crypto module, and I’ve heard from more parties they struggled with getting BlowFish to work. Sounds like perhaps it warrants another review?


#9

We decided to not use the JUCE implementation. Even if we could get it to work, ECB is too insecure to be useful.
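
An added example, not part of the thread or of JUCE's own code: a black-box check for the question discussed in #7 and #9. It feeds identical plaintext blocks to an encryptor and tests whether the ciphertext blocks repeat, which happens only when there is no chaining (ECB). AES from Node's crypto module stands in for Blowfish here; the key, IV, helper names and sample message are constructed for illustration, and the block size is a parameter (8 bytes for Blowfish).

```javascript
'use strict';
const crypto = require('node:crypto');

// Constructed key and IV, for demonstration only.
const KEY = Buffer.alloc(16, 0x2a);
const IV = Buffer.alloc(16, 0x00);

// Wraps a cipher as an opaque encrypt(plaintext) function, standing in for
// "an implementation whose mode is unknown". Padding is disabled so that
// ciphertext blocks line up one-to-one with plaintext blocks.
function makeEncryptor(algorithm, iv) {
  return (plaintext) => {
    const cipher = crypto.createCipheriv(algorithm, KEY, iv);
    cipher.setAutoPadding(false);
    return Buffer.concat([cipher.update(plaintext), cipher.final()]);
  };
}

// Split a buffer into hex strings, one per full block.
function splitBlocks(buf, blockSize) {
  const blocks = [];
  for (let i = 0; i + blockSize <= buf.length; i += blockSize) {
    blocks.push(buf.subarray(i, i + blockSize).toString('hex'));
  }
  return blocks;
}

// Encrypt four identical plaintext blocks. Without feedback from the previous
// block (ECB) all four ciphertext blocks are equal; CBC, CFB and OFB differ.
function classifyMode(encrypt, blockSize) {
  const probe = Buffer.alloc(blockSize * 4, 0x41);
  const blocks = splitBlocks(encrypt(probe), blockSize);
  if (blocks.length !== 4) return 'unknown';
  return new Set(blocks).size === 1 ? 'ecb-like' : 'chained';
}

// Count repeated ciphertext blocks: the plaintext structure ECB leaks.
function countRepeatedBlocks(ciphertext, blockSize) {
  const blocks = splitBlocks(ciphertext, blockSize);
  return blocks.length - new Set(blocks).size;
}

const ecb = makeEncryptor('aes-128-ecb', null);
const cbc = makeEncryptor('aes-128-cbc', IV);
// Constructed sample message: blocks 1 and 3 are identical.
const SAMPLE = Buffer.from('A'.repeat(16) + 'B'.repeat(16) + 'A'.repeat(16));

console.log('ecb:', classifyMode(ecb, 16), countRepeatedBlocks(ecb(SAMPLE), 16));
console.log('cbc:', classifyMode(cbc, 16), countRepeatedBlocks(cbc(SAMPLE), 16));
```

To test a real implementation, wrap its encrypt call in a function of the same shape and pass its block size.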


#10

See: TwoFish and ThreeFish

Cheers,

Rail