Home

WCF and the Cyclical Object Referencing Problem

View State in Session

OOP Patterns for Geeks (a work in progress)

4 .NET Web Dev steps to enlightenment

Web/Software Developer Differences?

DATS2/BATSLite DAO/ORM Library

A Problem with ‘Web Developers’ & Solution - Part 1

A Simple Cache for C++/CLI

Explicit Interfaces for Versioning

Code Highlighter (BETA)

WebControl with XML Parameters

A Simple Cache

XenoCode Obfuscated string decoder

Blowfish 512bit 24p

That nasty DesignMode issue… again… and again...

Data Access Architecture and IDisposable Faux-Pas

Links of Interest

Blowfish 512Bit 24P

Blowfish 512Bit 24 P zip (32 kbytes)

When passing information over a network - with remoting for example - many people are not happy sending 'clear-text' data (and in fact shouldn't be at all!). Clear-text data over a public network is subject to interception at many sources – all of which are beyond the subject of this text. To resolve this you generally have to use some form of VPN. Many organisations use hardware based VPN systems, however in practice both ends of the connection generally sync better when the hardware is by the same manufacturer. However, hardware based solutions are not always feasible.

This is where cryptography comes in. Take some data, encrypt it, send it, decrypt it, use it. The current standard of Triple DES – quickly being replaced by AES (Rijndael) are superb for the job, but they have their disadvantages. Don't, get me wrong, personally I would choose AES over any other at present, it's a wonderful technology.  Triple DES is slow and has been successfully broken using certain chosen-text and known-text attacks and AES is still however a relatively new technology and is still not fully trusted.

Blowfish (by Bruce Schneier) still remains unbroken in it's current 448bit 16 round form except via brute-force attacks so long as the data is kept below (2^32) x 8 Bytes (32GB) – otherwise data is leaked and it becomes vulnerable to birthday-attacks. Obviously you can assume that very few people would be wishing to encrypt that much data based off the same Key/IV combination – certainly I have never come across such a requirement.

Also Blowfish is free and more importantly, fast.

This was the reason why it was chosen by a former client, despite the fact that .NET has some excellent in built implementations, the management decided that it would be too well known, and that while Blowfish itself was public domain, because it was free, that it would be easy to 'salt' and modify to create a further level of security.

Thus, the job fell to me – having had some experience in this area – to take the Blowfish algorithm and salt it. Despite my initial reservations over the motivations of the pointy-haired bosses responsible for this (“We want you to take Blowfish and make it 512bit; we think it would be cool” - no, I am not joking, that was what was said), I was being paid, and i had been meaning to take a look at Blowfish anyway in my own time (since first encountering it inside a third party payment system).

Promptly a little time later I produced the desired results in the form of the algorithm in question. It was used for only eight months however as a boss with even pointier hair decided that the system in development at the time was a waste of money and the project was cancelled (probably something to do with the senior management wanting to increase their already stupendous salaries or something).

Thus, I am now able to make this routine available to you, the public.

It's use is pretty self explanatory from the code supplied. I upgraded it to .NET 2 and added an example GUI. There is a Weak-Key test just in case, however in use I have yet to see it trip to 'true' except on the silliest of short Keys, even on some of the previously known weak keys.

So, for your free LGPL musings, I present to you Blowfish 512Bit 24 P zip (32 kbytes). Enjoy!