Blowfish is an encryption algorithm that was made to
overcome the disadvantages of DES. It was published in 1993. It is over two
decades from now that it was published, but now also it is one of the most
popular algorithms to be used now-a-days also. This is due to the reason that
it produces a good quality cipher text which is nearly impossible to break. The
user has the liberty to choose the length of the key from 32 bit to 448 bit.
The more the number of the bits the user will use, the lower will be the chance
of the algorithm to be broken. The only thing that the blowfish demands is the
protection of the key from all the malice users. It is implemented on 64 bit
block at a single time. This is the input of the algorithm. This can be a
password, text file or any other type of data. It depends on the user what it
wants to be encrypted. This is the only thing that changes the cipher text if
the key is not changed.
The use of blowfish is easy and very secure. Almost
all the programming languages used now-a-days have predefined implementation of
blowfish. The blowfish is a patent free algorithm and anyone can use it without
any restrictions. This algorithm is easy to be modified and very easy to define
it for your personal use. As most of the algorithms present are patented by
some or the other agency, it is very important to have at least one algorithm
that is available to be used by anyone and is open for all. As it is not
patented it doesn’t mean that will be easy to break and will be very easy to
compromise anyone that uses this algorithm. Every user can define an algorithm
that is comfortable to his/her application.
One of the most important uses of blowfish is in the
password management of websites. It is very useful and secure to use blowfish
for this purpose. The blowfish generates a cypher text which is a hashed output
of the plain text and the key that is defined at a single time. The blowfish
generates the cypher text after 16 iterations in a particular way. This is
defined in the algorithm definition. This process will produce intermediate
text. After this process sub key 17th and sub key 18th
are used to produce the final output from the above produced intermediate text.
Once this cypher text of 64 bit length is produced,
it is saved in the database. No other information about the password is saved
by the company. This is what enables transparency. The admin who has the access
to the user data and who is able to read the password, name, email and other
information of the user by accessing the database, will only be able to see the
hashed password in the database. The hashed password will be of 64 bit and it
will give no clue to the admin about the password or the length of the
password. This will make the user feel secure as its password is never saved by
the company’s database and it is always better to avoid trusting anyone in such
So, now the password is not saved in the database
and only the hashed password is saved by the company. So it will raise a
thought in the mind of everyone that how will the user be allowed to login and
be authorised afterword when he demands to login into his account.
This is done by avoiding the decryption. The simple
technique used is to encrypt what user types in the password box again during
login and to pass it through the same process again and to allow it to produce
a cypher text. This cypher text is what is produced by the user during the
login trial. It will be 64 bit cypher text or hashed password in this case too.
Now to allow a user to login into his account, the user must be authorised. The
user will be authorised if the cypher text produced during the login time is
same as the cypher text stored in the database. If the hashed passwords are
same, then the user must have entered a correct password, then only it would
have produced the same cypher text.
Now, someone can argue that during the practical use
of an algorithm a particular cypher text can also be produced by two different
inputs. But talking in terms of the same cypher text to be produced by two different
inputs can have a very minute or zero per cent possibility in most of the
cases. So, finding any other input to produce the same cypher text is
The impossibility factor increases as different
websites will use different keys of different lengths and will make the guess
of the key more uncertain and more difficult. The impossibility to crack the
password can be increased by introducing the static salt by the website.
This salt is a string defined by the website and
will be added to the password entered by the user before the encryption starts.
The encryption will produce a cypher text with more uncertainty and will give
the website one more advantage. The advantage that salt will provide is,
whenever by some chance a malicious user is able to crack a password of a
particular user, it will not be able to produce a pattern out of this. He will
not be able to make a pattern as he will not get the value of the salt. If the
salt is unknown, then it will be completely impossible for the malicious user
to crack one more password by the use of previous one.
The only care that the website will have to make is
to keep the salt safe from each and every person and it should be unknown to
everyone except the most senior people of the company. These people should not
reveal this salt in front of anyone. It should be kept safe from everyone. This
impossibility makes our algorithm secure from being broken. It gives the
complete guarantee that a malicious user will not be able to find the correct
password by seeing the value present in the database.
Another approach that can be used is to use a random
or dynamic salt of certain length that will be produced for each and every user
individually. This will be produced during the signup phase of the user and
this salt will have to be stored in the database of the company for each and
every user along with other login details. During the login attempt, the salt
will be fetched from the database for a particular username and it will be
added to the password of the user and then the cypher will be produced for that
complete string. Then the further process will be same as before.
When the new user will be added a new random salt
will be produced and be saved for him. This will make the cracking of the password
completely impossible as the malicious user will have to know the password and
the particular cypher text of each and every individual to crack the website.
This is impossible to be done. This approach is out of our scope and we leave
this for future studies.