in reply to Making keys for Crypt::Blowfish?

The key is a shared secret type key right? So it doesn't really matter what the key is as the encrypted output will probably be on the same level of breakability with any key. I don't think there is a good key or bad key in this case. If it's a technical question on the mechanism of generating key then then the example in the perldoc for the module should be sufficient. Need to pack enough bytes to generate required number of bits (max 448 bits = 56 bytes).

Replies are listed 'Best First'.
(atl: running with scissors) RE: RE: Making keys for Crypt::Blowfish?
by atl (Pilgrim) on Aug 21, 2000 at 03:08 UTC
    Title borrowed from merlyn. ;-)

    Bad idea, really bad idea! Sorry if this comes out rude, but if you don't choose your keys carefully you're messing up security. I'm unable to give you a mathematical proove of this (see e.g. Bruce Schneier "Applied Cryptography" for a scientific text), but you have to get a key that isn't vulnerable to prime factorization (or something of the like), in other words: a prime number.

    So, if you are to bet security on your keys, make sure they work. I'd suggest you take a look at GPG (GNU Privacy Guard) which contains Blowfish encryption. Maybe you can use that program to generate keys?

    Andreas

    Update:
    Oups, I'm sorry, it seeems like I really jumped on this too fast (something triggered the alarm bells in the head, and off they go). /me makes a mental note not to post after having two beers. ;-))
    mdillon and lhoward are right about prime number factorization and guessable keys/key space usage.
    Once again, sorry to jump on you, Mushy!

[reply]
      Some encryption algorithms have weak keys that cause the encrypted data to be analyzed and potentially more easily. I don't believe that Blowfish has any proven weak keys. DES, on the other hand, has some known weak keys. With blowfish a short or predictable key is not a weak key in that respect and your data is just as well encrypted as data encrypted with a long/statistically random key.

      The weakness is that if your keys are bad that they may be guessable and that you may be only using a small section of the whole keyspace. The diffrence between the problems of "certain keys cause poorly encrypted data" and "guessible keys/small keyspace utilization" are subtle but important.

[reply]
      AFAIK, prime number factorization has little to do with symmetric encryption algorithms. you are correct when it comes to asymmetric ciphers (e.g. RSA, DSA), which are indeed vulnerable to attack based on the fact that the public and private keys are tied to each other by their relationship to a particular, large prime; but since Blowfish is a symmetric block cipher, it is not susceptible to attacks based on primes.
[reply]
        So I went ahead and did some searches. If someone wants to read about the current state of art in breaking keys for blowfish they can refer to http://www.counterpane.com/blowfish.html http://www.ii.uib.no/~larsr/bc.html Pretty safe :-)
[reply]

In Section Seekers of Perl Wisdom