(atl: running with scissors) RE: RE: Making keys for Crypt::Blowfish?

Title borrowed from merlyn. ;-)

Bad idea, really bad idea! Sorry if this comes out rude, but if you don't choose your keys carefully you're messing up security. I'm unable to give you a mathematical proove of this (see e.g. Bruce Schneier "Applied Cryptography" for a scientific text), but you have to get a key that isn't vulnerable to prime factorization (or something of the like), in other words: a prime number.

So, if you are to bet security on your keys, make sure they work. I'd suggest you take a look at GPG (GNU Privacy Guard) which contains Blowfish encryption. Maybe you can use that program to generate keys?

Andreas

Update:
Oups, I'm sorry, it seeems like I really jumped on this too fast (something triggered the alarm bells in the head, and off they go). /me makes a mental note not to post after having two beers. ;-))
mdillon and lhoward are right about prime number factorization and guessable keys/key space usage.
Once again, sorry to jump on you, Mushy!

Comment on (atl: running with scissors) RE: RE: Making keys for Crypt::Blowfish?

Replies are listed 'Best First'.
RE: (atl: running with scissors) RE: RE: Making keys for Crypt::Blowfish? by lhoward (Vicar) on Aug 21, 2000 at 04:52 UTC
Some encryption algorithms have weak keys that cause the encrypted data to be analyzed and potentially more easily. I don't believe that Blowfish has any proven weak keys. DES, on the other hand, has some known weak keys. With blowfish a short or predictable key is not a weak key in that respect and your data is just as well encrypted as data encrypted with a long/statistically random key. The weakness is that if your keys are bad that they may be guessable and that you may be only using a small section of the whole keyspace. The diffrence between the problems of "certain keys cause poorly encrypted data" and "guessible keys/small keyspace utilization" are subtle but important.	[reply]
RE: RE: RE: Making keys for Crypt::Blowfish? by mdillon (Priest) on Aug 21, 2000 at 04:28 UTC
AFAIK, prime number factorization has little to do with symmetric encryption algorithms. you are correct when it comes to asymmetric ciphers (e.g. RSA, DSA), which are indeed vulnerable to attack based on the fact that the public and private keys are tied to each other by their relationship to a particular, large prime; but since Blowfish is a symmetric block cipher, it is not susceptible to attacks based on primes.	[reply]
RE: RE: (atl: running with scissors) RE: RE: Making keys for Crypt::Blowfish? by Mushy (Scribe) on Aug 21, 2000 at 04:59 UTC
So I went ahead and did some searches. If someone wants to read about the current state of art in breaking keys for blowfish they can refer to http://www.counterpane.com/blowfish.html http://www.ii.uib.no/~larsr/bc.html Pretty safe :-)	[reply]