How to obtain the same length string encoding with Blowfish+Hex?

 
Gianluca Neri
Greenhorn
Posts: 7
Hello,

We're trying to encode several input strings with the same length (32) applying Blowfish + Hex encoding.
The problem is that the final coded strings do not always have the same length as we expect (strings of length 32).
Below you will find the code used. Can you please help suggest what's wrong?

Thanks a lot!



Best regards
 
Ron McLeod
Saloon Keeper
Posts: 2870

Gianluca Neri wrote: The problem is that the final coded strings do not always have the same length as we expect (strings of length 32).


It's not clear (to me) what you are saying.  

Are you expecting that the output length should match the input length, or that the output length should be constant regardless of the input?  

Can you provide some examples?
 
Stephan van Hulst
Saloon Keeper
Posts: 10993
I think that what Gianluca is saying is that given different plain text strings (but all of the same length), encrypting them all with the same key should produce ciphertext strings that all have the same length. I tend to agree, but there are some sources of uncertainty:

  • Are all plain texts really the same length?
  • Are they all really encrypted with the same key?
  • The plain text string is converted to a byte array in a platform dependent fashion.
  • No feedback mode and padding scheme are specified when getting an instance of the cipher.


Anyway, like Ron says, it's a good idea to give us some examples that work differently than you're expecting them to.
     
    Gianluca Neri
    Greenhorn
    Posts: 7
    Thanks for your first answer.
    I confirm Stephan's sentence: "given different plain text strings (but all of the same length), encrypting them all with the same key SHOULD (but doesn't) produce ciphertext strings that all have the same length."
    I'll try to provide more details. First of all, about your questions:

    •  Are all plain texts really the same length?
    Yes (length=32, expected also in output)
    •  Are they all really encrypted with the same key?
    Yes
    •  The plain text string is converted to a byte array in a platform dependent fashion.
    Ok
    •  No feedback mode and padding scheme are specified when getting an instance of the cipher.
    Ok

    You can find some examples below. Please note the last 2, which have a different length (they are shorter than the previous ones, which all have the same size; so far it has never happened that they were longer).

    ***************Example 1**********************
    input string: 740E7B7D4116A48382D374688BBA7C87
    encryptBlowfish with to_string: [B@2509657d
    encryptBlowfish Base64.getEncoder().encode: [B@21e73d60
    final value Hex.encodeHexString: 57304A414D6A55774F5459314E32513D
    *************** Example 2**********************
    input string: 07F58E9965E3F82170CC4E794B0CE1C2
    encryptBlowfish with to_string: [B@7833ebd2
    encryptBlowfish Base64.getEncoder().encode: [B@2a1da2d5
    final value Hex.encodeHexString: 57304A414E7A677A4D3256695A44493D
    *************** Example 3**********************
    input string: 673F75945A4FEC095D6FD0207AC70C50
    encryptBlowfish with to_string: [B@45c37f33
    encryptBlowfish Base64.getEncoder().encode: [B@194e314d
    final value Hex.encodeHexString: 57304A414E44566A4D7A646D4D7A4D3D
    *************** Example 4**********************
    input string: AF010C9C902D13DC9D7C48D2504F11BC
    encryptBlowfish with to_string: [B@1621bf43
    encryptBlowfish Base64.getEncoder().encode: [B@74d753a6
    final value Hex.encodeHexString: 57304A414D5459794D574A6D4E444D3D
    *************** Example 4**********************
    input string: 9274BA06F02429C204193BE6575D2804
    encryptBlowfish with to_string: [B@7785754a
    encryptBlowfish Base64.getEncoder().encode: [B@596107c
    final value Hex.encodeHexString: 57304A414E7A63344E5463314E47453D
    *************** Example 5**********************
    input string: B91064F4666FB23FD9363098EAE22A4E
    encryptBlowfish with to_string: [B@52258ca8
    encryptBlowfish Base64.getEncoder().encode: [B@67476514
    final value Hex.encodeHexString: 57304A414E5449794E54686A5954673D
    *************** Example 6**********************
    input string: 8A6679CACEB6ABDEFAF540886EA37A16
    encryptBlowfish with to_string: [B@d9a5f7b
    encryptBlowfish Base64.getEncoder().encode: [B@13b06f4f
    final value Hex.encodeHexString: 57304A415A446C684E57593359673D3D
    *************** Example 7**********************
    input string: 3EE1C3A94FEEFB1AA9900D149F7C8753
    encryptBlowfish with to_string: [B@6f427c
    encryptBlowfish Base64.getEncoder().encode: [B@2f90a998
    final value Hex.encodeHexString: 57304A414E6D59304D6A646A
    *************** Example 8**********************
    input string: BE5B584F582E5D36DDA990723B2D126D
    encryptBlowfish with to_string: [B@75f258
    encriptedki encryptBlowfish Base64.getEncoder().encode: [B@2e110442
    final value Hex.encodeHexString: 57304A414E7A566D4D6A5534  

    Key=0123456789ABCDEF0123456789ABCDEF (used in all examples).

    We simplified the code:



    Here are some questions:

    - If the value to encrypt and the key are exadecimal strings, how do we convert them into a byte array? Should we use string.getBytes() or DatatypeConverter.parseHexBinary(string)?
    - Is it correct that an exadecimal 32 character (16 byte) value with a 32 character (16 byte) key produces a 23 byte array as the Blowfish encrypted value?
    - How can we convert the 23 byte array into a fixed 32 character exadecimal string?
    - Is the result of Cipher.doFinal for the Blowfish algorithm a base64 encrypted byte array?

    Thanks
     
    Kristina Hansen
    Ranch Foreman
    Posts: 89
    Although it's quite hard to understand I'll try it (btw: it's Hexadecimal - with a leading H - as from "hex"):

    Gianluca Neri wrote: - If the value to encrypt and the key are hexadecimal strings how do we convert them in a byte array? Should we use string.getBytes() or java.xml.bind.DatatypeConverter.parseHexBinary(string)?


    Neither of those. String.getBytes() won't do what you want, and the other shouldn't be used; rather, either use a lib like Apache Commons or write a small converter yourself.

    Gianluca Neri wrote: - Is it correct that a hexadecimal 32 character (16 byte) value with a 32 character (16 byte) key produces as blowfish encrypted value a 23 byte array?


    Possible, but not guaranteed as you don't use any form of padding.

    Gianluca Neri wrote: - How can we convert the 23 byte array into a fixed 32 character hexadecimal string?


    First: To get a Hex-String with a length of 32 your input has to be 16 bytes - but you get 23 bytes - that would be a 46 char long Hex-String. Second: When you want a fixed output length you need some sort of padding.

    Gianluca Neri wrote: - Is the result of Cipher.doFinal for the Blowfish algorithm a base64 encrypted byte array?


    Base64 is an encoding, not an encryption. And if I understand the question as asking whether the output of Cipher.doFinal() is encoded as Base64, then the answer is no. Base64 is a way to encode arbitrary byte sequences in printable characters.

    If I didn't get your questions right, maybe try to rephrase them, as they're hard to understand in that very broken English - maybe try Google Translator.
    btw: Let me ask: What are you trying to do here? Are you decrypting the data anywhere - or do you just want a salted hash (which is way different)?
    I don't know Blowfish much, but could offer you a quick AES or PBE solution.
     
    Gianluca Neri
    Greenhorn
    Posts: 7
    We have solved it using the following solution:

    1. Passing the option "Blowfish/ECB/NoPadding" to the getInstance function.



    2. Encoding the result of the method as below:

             
    In this manner every output string has the same length.

    Thanks to all for the support!
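
Added example, not code from the thread: the Java below first strips the hex and Base64 layers from two of the "final value" strings posted above, then encrypts the posted input with the posted key to compare output lengths for hex-decoded versus `getBytes()` input and for `NoPadding` versus `PKCS5Padding`. The class and helper names (`BlowfishLengthDemo`, `fromHex`, `toHex`, `encryptToHex`) are assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class BlowfishLengthDemo {
    // Minimal hex helpers (hypothetical names) so no third-party library is needed.
    static byte[] fromHex(String s) {
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++)
            out[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return out;
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02X", x));
        return sb.toString();
    }

    static String encryptToHex(String transformation, byte[] key, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "Blowfish"));
        return toHex(c.doFinal(data)); // hex-encode the ciphertext bytes themselves
    }

    public static void main(String[] args) throws Exception {
        // Part 1: peel the encodings off two "final value" strings posted in the thread.
        String[] posted = {
            "57304A414D6A55774F5459314E32513D", // Example 1 (32 hex characters)
            "57304A414E6D59304D6A646A"          // Example 7 (24 hex characters)
        };
        for (String hex : posted) {
            byte[] inner = Base64.getDecoder().decode(fromHex(hex));
            System.out.println(hex.length() + " hex chars decode to: "
                    + new String(inner, StandardCharsets.US_ASCII));
        }

        // Part 2: input and key from the thread, turned into bytes in two different ways.
        String input = "740E7B7D4116A48382D374688BBA7C87";
        byte[] key = fromHex("0123456789ABCDEF0123456789ABCDEF"); // 16 key bytes
        byte[] raw = fromHex(input);                              // 16 data bytes
        byte[] text = input.getBytes(StandardCharsets.US_ASCII);  // 32 data bytes
        System.out.println("NoPadding, hex-decoded: " + encryptToHex("Blowfish/ECB/NoPadding", key, raw).length());
        System.out.println("PKCS5Padding, hex-decoded: " + encryptToHex("Blowfish/ECB/PKCS5Padding", key, raw).length());
        System.out.println("PKCS5Padding, getBytes(): " + encryptToHex("Blowfish/ECB/PKCS5Padding", key, text).length());
    }
}
```

The two posted values decode to `[B@2509657d` and `[B@6f427c`, the same strings shown on the "with to_string" lines, so the varying length comes from the byte array's default `toString()` text rather than from Blowfish. With Blowfish's 8-byte block, 16 hex-decoded bytes give 32 hex characters with `NoPadding` and 48 with `PKCS5Padding`, while the 32 bytes from `getBytes()` give 80.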
     
    Stephan van Hulst
    Saloon Keeper
    Posts: 10993
    Never use ECB.

    At the very least, you will want to use CBC. Depending on the use case there are much better feedback modes still. GCM is a good one to use in general, but it also comes with some caveats.

    Why are you using Blowfish in the first place? Why not AES?
     
    Gianluca Neri
    Greenhorn
    Posts: 7
    Hi Stephan,

    Why not ECB?

    Where can I find a list of options with pros and cons?
    We must use Blowfish because we have to send the encoded strings to an old system.
    Anyway, at this point we will investigate on our own which one is correctly recognized by the destination.

    Thanks
     
    Stephan van Hulst
    Saloon Keeper
    Posts: 10993
    ECB doesn't use any feedback from previous blocks, and it doesn't use an initialization vector. That means that every block will encrypt to the same ciphertext and it's possible to perform cryptanalysis by comparing similar blocks.

    Take a look at the three images of Tux here: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_(ECB)

    Notice how encrypting the image with ECB leaves large recognizable patterns in the ciphertext. Pretty much every other feedback mode is better than ECB.

    Anyway, if the legacy system uses ECB you'll have no choice but to use ECB as well.

    How are you going about finding out what algorithm the old system uses?
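
Added example, not code from the thread: a small Java check of the ECB property described above, using Blowfish with a plaintext made of two identical 8-byte blocks and comparing it with CBC under a fresh random IV. The key, the plaintext and all class and method names are constructed for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class EcbRepeatDemo {
    static final int BLOCK = 8; // Blowfish block size in bytes

    // True when the first two ciphertext blocks are byte-for-byte identical.
    static boolean firstTwoBlocksEqual(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, BLOCK),
                             Arrays.copyOfRange(ct, BLOCK, 2 * BLOCK));
    }

    static byte[] ecb(SecretKeySpec key, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("Blowfish/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(data);
    }

    static byte[] cbc(SecretKeySpec key, byte[] data) throws Exception {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv); // fresh random IV for every message
        Cipher c = Cipher.getInstance("Blowfish/CBC/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(data); // a real sender transmits the IV with the ciphertext
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a 16-byte key and two identical 8-byte plaintext blocks.
        SecretKeySpec key = new SecretKeySpec(
                "constructed-key!".getBytes(StandardCharsets.US_ASCII), "Blowfish");
        byte[] data = "ACCT0001ACCT0001".getBytes(StandardCharsets.US_ASCII);

        System.out.println("ECB repeats inside one message: " + firstTwoBlocksEqual(ecb(key, data)));
        System.out.println("ECB same message twice matches: " + Arrays.equals(ecb(key, data), ecb(key, data)));
        System.out.println("CBC repeats inside one message: " + firstTwoBlocksEqual(cbc(key, data)));
        System.out.println("CBC same message twice matches: " + Arrays.equals(cbc(key, data), cbc(key, data)));
    }
}
```

Both ECB lines report `true`: equal plaintext blocks are visible as equal ciphertext blocks, within one message and across messages. Both CBC lines report `false` except with a chance of about 2^-64 per comparison, because each block is mixed with the random IV or the previous ciphertext block before encryption.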
     
    Gianluca Neri
    Greenhorn
    Posts: 7
    I have read and agree.
    At the moment, as you say, we have no choice knowing that the target system has limits.
    We are trying to engage the team that manages it in order to share what we found.
    Only this is a challenging activity when you have to go through the communication processes of a large company. :-)
     
    Stephan van Hulst
    Saloon Keeper
    Posts: 10993
    243
    • Mark post as helpful
    • send pies
    • Quote
    • Report post to moderator
    Where does the system come from? Did a different department in your company build it? Did a different company build it? If it comes from a different department, you might want to ask your higher-ups if they can create a cross-department project team that can focus on this task, so you can keep communication lines short.
     
    Gianluca Neri
    Greenhorn
    Posts: 7
    They are in my company, in another department. For the moment we have sent an email and all we can do is wait with confidence.
    I hope we are close to solving the puzzle.
    I'll update you as soon as I have news.

    Thanks and have a nice day!


     