Travers Buda wrote:
> [...]
> No known weaknesses exist in Blowfish, but that 64 bit block scares me.
> [...]
Can you explain why it scares you? I am not a cryptographer, but I see no
reason why a cipher using a 64-bit block size is scary; all of the attacks I
can think of that are tied to the block size are still not practicable with a
64-bit block size (either they require too much memory, too much time or too
much information). Maybe I am not thinking of something obvious, so please
correct me if I'm wrong.
> It can't hurt to err on the side of caution. Thus, it would be a good idea to
> consider using one of the 2nd round NIST finalists for the crypto in the base
> system. Rijndael and Twofish seem to be the best candidates, due to their
> efficiency (see http://www.schneier.com/paper-aes-comparison.html ) and
> non-radical nature (Twofish in particular). Plus, they have been thoroughly
> scrutinized and are unencumbered.
Blowfish has also been scrutinized and analyzed (and for a longer time than
both Rijndael and Twofish); it has proven to be strong and resistant, as well
as efficient for most needs. Also, Rijndael being the standard doesn't mean
that it is the safest choice at all (not that I'm saying it's bad, I'm not a
cryptographer), and well, Twofish sounds cool, but why switch from a working
solution to another one when there's no real need for that time- and
effort-consuming change?
> The key schedule in both is _much_ faster than Blowfish. The password file and
> others would require the use of salts in order to resist dictionary attacks,
> especially of the time-space trade-off variety.
That's not really an issue:
a- there's a paper about that somewhere on the website and, if I recall
   correctly, the OpenBSD Blowfish-based hash takes advantage of the fact
   that the ks is time-consuming and with some adaptations makes it even
   more time-consuming, so that an attack on the password file is a pain
   in the ...
b- I don't really remember the internals of Blowfish but, can't subkeys be
   precomputed? I thought it was doable for any cipher based on a Feistel
   network (I might be wrong, but I'm not a cryptographer and it's over 7am
   after a sleepless night ;-)
d- people running OpenBSD on modern systems won't notice the overhead. Most
   people running OpenBSD on older/slower boxen will actually find the ks
   quite fast ... after they've waited ages when generating their ssh
   keys :-)
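The two points argued over above (salts defeating a precomputed time-space trade-off table, and a deliberately slow, cost-tunable key-schedule-style hash) can be shown concretely. The following is an added example written for this page; it is not code from the thread, from OpenBSD, or from the bcrypt/eksblowfish paper. `slow_hash` is an assumed placeholder that iterates SHA-256 2**cost times to stand in for an expensive key schedule (it is not Blowfish), and the record format, the user names and the word list are all constructed for the demonstration.

```python
"""Salted, cost-parameterised password hashing vs. a precomputed-table attack.

Added example, not the thread's or OpenBSD's code. slow_hash is an assumed
stand-in for an expensive key schedule; it is NOT Blowfish or eksblowfish.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed attacker word list (not from the original page).
WORDLIST = [b"password", b"letmein", b"openbsd", b"blowfish", b"hunter2"]


def slow_hash(password: bytes, salt: bytes, cost: int) -> bytes:
    """Iterate 2**cost times so every +1 on `cost` doubles the work per guess.

    This mirrors the *shape* of bcrypt's cost parameter only; the primitive
    (SHA-256) is an assumed placeholder for a slow key schedule.
    """
    state = hashlib.sha256(salt + password).digest()
    for _ in range(1 << cost):
        state = hashlib.sha256(state + password + salt).digest()
    return state


def hash_password(password: bytes, cost: int = 8,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $demo$<cost>$<salt hex>$<digest hex>."""
    if salt is None:
        salt = os.urandom(16)          # per-user random salt
    digest = slow_hash(password, salt, cost)
    return "$demo$%d$%s$%s" % (cost, salt.hex(), digest.hex())


def verify_password(password: bytes, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    _, tag, cost, salt_hex, digest_hex = record.split("$")
    if tag != "demo":
        raise ValueError("unknown hash format")
    got = slow_hash(password, bytes.fromhex(salt_hex), int(cost))
    return hmac.compare_digest(got, bytes.fromhex(digest_hex))


def precompute_table(wordlist, salt: bytes, cost: int) -> dict:
    """Attacker's one-off work: one slow_hash per word for a *known* salt."""
    return {slow_hash(w, salt, cost): w for w in wordlist}


def crack_with_table(table: dict, records: dict) -> dict:
    """Time-space trade-off: zero slow_hash calls per record, just lookups."""
    found = {}
    for user, record in records.items():
        digest = bytes.fromhex(record.split("$")[4])
        if digest in table:
            found[user] = table[digest]
    return found


def crack_per_user(wordlist, records: dict):
    """With per-user salts there is no shared table: every (user, word) pair
    costs a full slow_hash, so work scales with users x words x 2**cost."""
    found, work = {}, 0
    for user, record in records.items():
        _, _, cost, salt_hex, digest_hex = record.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        for w in wordlist:
            work += 1
            if hmac.compare_digest(slow_hash(w, salt, int(cost)), digest):
                found[user] = w
                break
    return found, work


def demo(cost: int = 6) -> dict:
    """Constructed users; two of them picked words on the attacker's list."""
    passwords = {"alice": b"letmein", "bob": b"hunter2", "carol": b"correct horse"}
    # Same (empty) salt for everyone: one table cracks the whole file.
    unsalted = {u: hash_password(p, cost, salt=b"") for u, p in passwords.items()}
    # Random per-user salt: the same table is useless.
    salted = {u: hash_password(p, cost) for u, p in passwords.items()}
    table = precompute_table(WORDLIST, b"", cost)
    per_user_found, per_user_work = crack_per_user(WORDLIST, salted)
    return {
        "table_entries": len(table),
        "unsalted_cracked": crack_with_table(table, unsalted),
        "salted_cracked": crack_with_table(table, salted),
        "per_user_cracked": per_user_found,
        "per_user_work": per_user_work,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Against the unsalted file the five-entry table recovers both weak passwords with no further hashing; against the salted file it recovers nothing, and the attacker falls back to one full `slow_hash` per (user, word) pair, each of which costs 2**cost iterations. Raising `cost` by one doubles both the legitimate login check and every attacker guess, which is the trade-off the thread's point (a) describes.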