2

I came across some code for encrypting data using Bouncy Castle but I couldn't find any documentation that would indicate what kind of algorithm is being used to encrypt data or how many bits are used for the key. I also couldn't find a discussion forum for Bouncy Castle. Does anyone know what algorithm this is using and how many bits for the key?

```java
BlowfishEngine blowfishEngine = new BlowfishEngine();
CBCBlockCipher cbcBlockCipher = new CBCBlockCipher(blowfishEngine);

KeyParameter key = new KeyParameter(key);

BufferedBlockCipher cipher = new PaddedBlockCipher(cbcBlockCipher);

cipher.init(true, key);

int size = cipher.getOutputSize(data.length);
byte[] result = new byte[size];
int olen = cipher.processBytes(data, 0, data.length, result, 0);
olen += cipher.doFinal(result, olen);

if (olen < size)
{
  byte[] tmp = new byte[olen];
  System.arraycopy(result, 0, tmp, 0, olen);
  result = tmp;
}
```
Johann
  • Well, the algorithm itself is - obviously - Blowfish. And the size of the key depends on the size of the key given to the `KeyParameter` constructor. The documentation for the packages can be found here: http://www.bouncycastle.org/docs/docs1.5on/index.html (although your java code is not working because you introduce a second variable named `key`). – Dominik Sandjaja Feb 05 '13 at 10:36
  • Thanks. I reduced the size of the code here and moved a few things around to be condensed here. It does work in my original source files. I'm not experienced in encryption so I had no idea that Blowfish is an algorithm, even though I read the description of the class on Bouncy Castle's website. So if the person enters a key of 8 characters, that means the data is encrypted with 64 bits (1 byte per character)? So if they wanted to have 256 bits, they'd have to enter in 32 characters? – Johann Feb 05 '13 at 10:46
  • Well, I guess so, but it should all be possible to get from the API docs I linked. – Dominik Sandjaja Feb 05 '13 at 11:29

1 Answer

5

The algorithm is Blowfish, running in the Cipher Block Chaining operating mode. Blowfish allows for a wide range of key sizes, from 32 bits to 448 bits. That said, it uses a 64-bit block size (amount of data it can encrypt in one segment), which is not as secure as 128-bit block sizes found in ciphers like AES. Otherwise, Blowfish is a pretty secure cipher, as long as you use a key size of 128 bits or larger.

That said, it is not very performant when it comes to rekeying operations (it takes forever to rekey, which is why its key schedule is the basis for bcrypt). Your best bet is to use AES-256 (swap out BlowfishEngine for AESEngine).

As far as keysize goes, based on your comments it looks like you're trying to use a password as an encryption key directly. This is a very bad practice, and makes it very easy to brute force your encryption. You should instead be using the password to drive a key derivation function like PBKDF2, which will give you a much safer, longer key. Check out this answer for a good way to do this with BouncyCastle in Java.

Community
Peter Elliott
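The approach the answer recommends (password into PBKDF2, derived 256-bit key into AES-CBC), sketched with Bouncy Castle's lightweight API as an added example; it is not code from the answer or from the answer it links to. The class name `PasswordCrypto`, the salt and IV lengths, the iteration count, the SHA-256 PRF and the `salt || iv || ciphertext` layout are assumptions chosen for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import org.bouncycastle.crypto.CipherParameters;
import org.bouncycastle.crypto.digests.SHA256Digest;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
import org.bouncycastle.crypto.modes.CBCBlockCipher;
import org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher;
import org.bouncycastle.crypto.params.ParametersWithIV;

public class PasswordCrypto {
    // Assumed parameters: tune ITERATIONS to your hardware.
    static final int SALT_LEN = 16, IV_LEN = 16, HDR = SALT_LEN + IV_LEN, ITERATIONS = 600_000;
    // PBKDF2-HMAC-SHA256: the key is always 256 bits, whatever the password length.
    static CipherParameters deriveKey(char[] password, byte[] salt) {
        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(new SHA256Digest());
        gen.init(PKCS5S2ParametersGenerator.PKCS5PasswordToUTF8Bytes(password), salt, ITERATIONS);
        return gen.generateDerivedParameters(256);
    }
    // AES-CBC with PKCS7 padding (the default for PaddedBufferedBlockCipher).
    static byte[] run(boolean enc, CipherParameters key, byte[] iv, byte[] in, int off, int len) throws Exception {
        PaddedBufferedBlockCipher c = new PaddedBufferedBlockCipher(new CBCBlockCipher(new AESEngine()));
        c.init(enc, new ParametersWithIV(key, iv));
        byte[] out = new byte[c.getOutputSize(len)];
        int n = c.processBytes(in, off, len, out, 0);
        n += c.doFinal(out, n);
        return Arrays.copyOf(out, n); // trim to the bytes actually written
    }
    // Output layout (assumed): salt || iv || ciphertext, fresh salt and IV per message.
    static byte[] encrypt(char[] password, byte[] plain) throws Exception {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        byte[] ct = run(true, deriveKey(password, salt), iv, plain, 0, plain.length);
        byte[] out = Arrays.copyOf(salt, HDR + ct.length);
        System.arraycopy(iv, 0, out, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, out, HDR, ct.length);
        return out;
    }
    static byte[] decrypt(char[] password, byte[] blob) throws Exception {
        return run(false, deriveKey(password, Arrays.copyOf(blob, SALT_LEN)),
                   Arrays.copyOfRange(blob, SALT_LEN, HDR), blob, HDR, blob.length - HDR);
    }
    public static void main(String[] args) throws Exception {
        char[] pw = "8 chars!".toCharArray(); // constructed sample password
        byte[] plain = "sample data".getBytes(StandardCharsets.UTF_8); // constructed sample input
        System.out.println(Arrays.equals(decrypt(pw, encrypt(pw, plain)), plain));
    }
}
```

CBC on its own gives confidentiality only; if tampering matters, add a MAC over the whole blob or use an authenticated mode such as GCM.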