lindex has asked for the wisdom of the Perl Monks concerning the following question:

Can anyone who has used the Crypt::Blowfish module before
and who knows how to cryptology better than I do (not very well)
give me some guide lines for making keys for Crypt::Blowfish in perl?



lindex 
/****************************/
  jason@gost.net, wh@ckz.org
    http://jason.gost.net
/*****************************/

[download]

Replies are listed 'Best First'.
Re: Making keys for Crypt::Blowfish?
by athomason (Curate) on Aug 20, 2000 at 23:47 UTC
    Looking at the pod, Crypt::Blowfish takes any random string up to 56 bytes (i.e. 448 bits) long for its key, e.g. my $key = pack("H16", "0123456789ABCDEF"); All you need to do is string together 56 random bytes. What you're really after is a true random number generator, because the default rand is insufficient for cryptographic purposes. If you're on a Unix system with a decent /dev/random device (look at your system docs), you can use the Crypt::Random module:
    use Crypt::Random qw( makerandom ); 
my $r = makerandom ( Size => 448, Strength => 1 );

    [download]
    Another alternative which isn't quite as easy to use for cryptography is Math::TrulyRandom, but it's slow (though one 56-byte key won't kill you, certainly). There's some discussion here regarding cryptography and random numbers as well.
[reply]
[d/l]
[select]
RE: Making keys for Crypt::Blowfish?
by Mushy (Scribe) on Aug 21, 2000 at 01:48 UTC
    The key is a shared secret type key right? So it doesn't really matter what the key is as the encrypted output will probably be on the same level of breakability with any key. I don't think there is a good key or bad key in this case. If it's a technical question on the mechanism of generating key then then the example in the perldoc for the module should be sufficient. Need to pack enough bytes to generate required number of bits (max 448 bits = 56 bytes).
[reply]
      Title borrowed from merlyn. ;-)

      Bad idea, really bad idea! Sorry if this comes out rude, but if you don't choose your keys carefully you're messing up security. I'm unable to give you a mathematical proove of this (see e.g. Bruce Schneier "Applied Cryptography" for a scientific text), but you have to get a key that isn't vulnerable to prime factorization (or something of the like), in other words: a prime number.

      So, if you are to bet security on your keys, make sure they work. I'd suggest you take a look at GPG (GNU Privacy Guard) which contains Blowfish encryption. Maybe you can use that program to generate keys?

      Andreas

      Update:
      Oups, I'm sorry, it seeems like I really jumped on this too fast (something triggered the alarm bells in the head, and off they go). /me makes a mental note not to post after having two beers. ;-))
      mdillon and lhoward are right about prime number factorization and guessable keys/key space usage.
      Once again, sorry to jump on you, Mushy!

[reply]
        Some encryption algorithms have weak keys that cause the encrypted data to be analyzed and potentially more easily. I don't believe that Blowfish has any proven weak keys. DES, on the other hand, has some known weak keys. With blowfish a short or predictable key is not a weak key in that respect and your data is just as well encrypted as data encrypted with a long/statistically random key.

        The weakness is that if your keys are bad that they may be guessable and that you may be only using a small section of the whole keyspace. The diffrence between the problems of "certain keys cause poorly encrypted data" and "guessible keys/small keyspace utilization" are subtle but important.

[reply]
        AFAIK, prime number factorization has little to do with symmetric encryption algorithms. you are correct when it comes to asymmetric ciphers (e.g. RSA, DSA), which are indeed vulnerable to attack based on the fact that the public and private keys are tied to each other by their relationship to a particular, large prime; but since Blowfish is a symmetric block cipher, it is not susceptible to attacks based on primes.
[reply]

Back to Seekers of Perl Wisdom