Hi OpenSSL Developers,
(cc Jon Schull)
I'm a relative newbie at encryption, capable of using and wrapping
crypto software, but with no depth of background in its technicalities.
I got an email yesterday from a user of one of my wrappers, who reported
a strange quirk in Blowfish (forgive me if the issue has already been
thrashed on these lists).
Apparently, if data is encrypted with a Blowfish key which consists of
one or more repetitions of a pattern, then *any* string consisting of
one or more repetitions of the same pattern can be used as a key that
will successfully decrypt the data.
To eliminate my wrapper from suspicion, I wrote a test prog which calls
the OpenSSL libcrypto routines directly (program at end of this
message).
The following key combinations result in successful decryption:
Encryption Key: fredfred
Decryption Key: fred
Encryption Key: abcabc
Decryption Key: abcabcabc
I need to ask:
1) Is this a known issue? If so, what's the verdict?
2) Is this specific to the OpenSSL implementation of BF, or is it a
quirk in the BF algorithm itself?
3) Are there any other known 'surprises' in Blowfish (either in the
OpenSSL implementation, or the algorithm)?
4) How does this affect the overall security of BF? Is it a matter of
telling the client to choose decent keys (that aren't repeating
patterns), or are there deeper issues that would warrant switching to
another symmetric cipher?
5) I chose OpenSSL's Blowfish because it's fast, simple, and (through
CFB mode and stored IV/count) can encrypt/decrypt arbitrary-sized
blocks, and thus doesn't have that annoying n-byte granularity. Can I
use OpenSSL's BF with confidence? What constraints should I observe?
Thanks for your insights
(Test code at end of message)
--
Kind regards
David
--
leave this line intact so your email gets through my junk mail filter
TEST CODE STARTS
----------------------------------
// Small test prog to investigate bug
// in SSL's blowfish encryption whereby
// a decryption key will recover plaintext,
// as long as the encryption key and
// decryption key each consist of an arbitrary
// number of repetitions of a pattern
//
// For example, the following cases lead to successful decryption:
//
// encryption key: abcabc
// decryption key: abc
//
// encryption key: abcabc
// decryption key: abcabcabc
//
// This requires libopenssl (crypto library portion) to be installed.
//
// compile with 'gcc -g -o bfbug bfbug.c -lcrypto'
//
// run as './bfbug "some plaintext" "key1" "key2"'
//
// try './bfbug "This is my plaintext" "simplesimple" "simple"'
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/blowfish.h>
void decrypt(char *inbuf, char *outbuf, int blklen, char *key)
{
int counter = 0;
char iv[8];
BF_KEY keyStruct;
memset(iv, 0, 8);
BF_set_key(&keyStruct, strlen(key), key);
BF_cfb64_encrypt(inbuf, outbuf, blklen, &keyStruct,
iv, &counter, BF_DECRYPT);
}
void encrypt(char *inbuf, char *outbuf, int blklen, char *key)
{
int counter = 0;
char iv[8];
BF_KEY keyStruct;
memset(iv, 0, 8);
BF_set_key(&keyStruct, strlen(key), key);
BF_cfb64_encrypt(inbuf, outbuf, blklen, &keyStruct,
iv, &counter, BF_ENCRYPT);
}
int main(int argc, char **argv)
{
char *plain, *key1, *key2;
char *enc;
char *dec;
int len;
if (argc != 4)
{
printf("usage: %s plaintext key1 key2\n", argv[0]);
exit(1);
}
plain = argv[1];
len = strlen(plain);
key1 = argv[2];
key2 = argv[3];
enc = malloc(len+1);
enc[len] = '\0';
dec = malloc(len+1);
dec[len] = '\0';
encrypt(plain, enc, len, key1);
decrypt(enc, dec, len, key2);
printf("key1: '%s'\n", key1);
printf("ley2: '%s'\n", key2);
printf("plaintext: '%s'\n", plain);
printf("decrypted: '%s'\n", dec);
}
--------------------------------
TEST CODE ENDS
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
