Blowfish
Documentation |
#include <cryptopp/blowfish.h>
|
Blowfish is a 64-bit (8 bytes) block cipher designed by Bruce Schneier. The cipher uses a variable size key, ranging from 32 to 448 bits. See Schneier's The Blowfish Encryption Algorithm for details.
Note: if your project is using encryption alone to secure your data, encryption alone is usually not enough. Please take a moment to read Authenticated Encryption and consider using an algorithm or mode like CCM, EAX or ChaCha20Poly1305.
Sample Programs
There are three sample programs. The first shows Blowfish key and block sizes. The second and third use filters in a pipeline). Pipelining is a high level abstraction and it handles buffering input, buffering output and padding for you.
If you are benchmarking then you may want to visit Benchmarks | Sample Program . It shows you how to use StreamTransformation::ProcessString
method to process blocks at a time. Calling a cipher's ProcessString
or ProcessBlock
eventually call a cipher's ProcessAndXorBlock
or AdvancedProcessBlocks
, and they are the lowest level API you can use.
The Crypto++ implementation uses key sizes from 4 byte to 56 bytes in length. While Blowfish allows for bit increments on the key size, Crypto++ uses byte increments (8 bits). So it is not possible to specify a 12-bit key.
cout << "key length: " << Blowfish::DEFAULT_KEYLENGTH << endl; cout << "key length (min): " << Blowfish::MIN_KEYLENGTH << endl; cout << "key length (max): " << Blowfish::MAX_KEYLENGTH << endl; cout << "block size: " << Blowfish::BLOCKSIZE << endl;
Output from the above snippet produces the following. Notice the default key size is 128 bits or 16 bytes.
key length: 16 key length (min): 4 key length (max): 56 block size: 8
The following program demonstrates CBC encryption using Blowfish. The key is declared on the stack using a SecByteBlock to ensure the sensitive material is zeroized. Similar could be used for both plain text and recovered text.
AutoSeededRandomPool prng; SecByteBlock key(Blowfish::DEFAULT_KEYLENGTH); prng.GenerateBlock(key, key.size()); byte iv[Blowfish::BLOCKSIZE]; prng.GenerateBlock(iv, sizeof(iv)); string plain = "CBC Mode Test"; string cipher, encoded, recovered; /*********************************\ \*********************************/ try { cout << "plain text: " << plain << endl; CBC_Mode< Blowfish >::Encryption e; e.SetKeyWithIV(key, key.size(), iv); // The StreamTransformationFilter adds padding // as required. ECB and CBC Mode must be padded // to the block size of the cipher. StringSource s1(plain, true, new StreamTransformationFilter(e, new StringSink(cipher) ) // StreamTransformationFilter ); // StringSource } catch(const CryptoPP::Exception& e) { cerr << e.what() << endl; exit(1); } /*********************************\ \*********************************/ // Pretty print StringSource s2(cipher, true, new HexEncoder( new StringSink(encoded) ) // HexEncoder ); // StringSource cout << "cipher text: " << encoded << endl; /*********************************\ \*********************************/ try { CBC_Mode< Blowfish >::Decryption d; d.SetKeyWithIV(key, key.size(), iv); // The StreamTransformationFilter removes // padding as required. StringSource s3(cipher, true, new StreamTransformationFilter(d, new StringSink(recovered) ) // StreamTransformationFilter ); // StringSource cout << "recovered text: " << recovered << endl; } catch(const CryptoPP::Exception& e) { cerr << e.what() << endl; exit(1); }
A typical output is shown below. Note that each run will produce different results because the key and initialization vector are randomly generated.
$ ./Driver.exe key: 25FF1084AFAFAB92D80964039419748B iv: 6C62666AA46BAFA3 plain text: CBC Mode Test cipher text: 9B694B71042033089783BDE60C68898D recovered text: CBC Mode Test
By switching to EAX mode, authenticity assurances can placed on the cipher text for nearly no programming costs. Below the StreamTransformationFilter was replaced by AuthenticatedEncryptionFilter and AuthenticatedDecryptionFilter.
EAX< Blowfish >::Encryption e; e.SetKeyWithIV(key, key.size(), iv); StringSource s1(plain, true, new AuthenticatedEncryptionFilter(e, new StringSink(cipher) ) // StreamTransformationFilter ); // StringSource ... EAX< Blowfish >::Decryption d; d.SetKeyWithIV(key, key.size(), iv); StringSource s2(cipher, true, new AuthenticatedDecryptionFilter(d, new StringSink(recovered) ) // StreamTransformationFilter ); // StringSource
Typical output is as follows. Notice the additional cipher text bytes due to the MAC bytes. See EAX Mode for details.
$ ./Driver.exe key: 24E4BE9071135FAFB8D868D1A4795A92 iv: 33300EB408849010 plain text: EAX Mode Test cipher text: CAD6FA54B387D73344408DF500C63389C8B521B0DF recovered text: EAX Mode Test
To manually insert bytes into the filter, perform multiple Put
s. Though Get
is used below, a StringSink
could easily be attached and save the administrivia.
const size_t SIZE = 16 * 4; string plain(SIZE, 0x00); for(size_t i = 0; i < plain.size(); i++) plain[i] = 'A' + (i%26); ... CBC_Mode < Blowfish >::Encryption encryption(key, sizeof(key), iv); StreamTransformationFilter encryptor(encryption, NULL); for(size_t j = 0; j < plain.size(); j++) encryptor.Put((byte)plain[j]); encryptor.MessageEnd(); size_t ready = encryptor.MaxRetrievable(); string cipher(ready, 0x00); encryptor.Get((byte*) &cipher[0], cipher.size());
Downloads
Blowfish-EAX-Filter.zip - Demonstrates encryption and decryption using Blowfish in EAX mode with filters (confidentiality and authenticity)
Blowfish-CBC-Filter.zip - Demonstrates encryption and decryption using Blowfish in CBC mode with filters (confidentiality only)
Blowfish-CTR-Filter.zip - Demonstrates encryption and decryption using Blowfish in CTR mode with filters (confidentiality only)
Blowfish-ECB-Filter.zip - Demonstrates encryption and decryption using Blowfish in ECB mode with filters (confidentiality only)