10

I've seen a ton of questions asked about Blowfish and C# and the usual answer is BouncyCastle. However, the project has basically no documentation and I can't find my way around the directory structure to even find unit tests as examples. I mean, is Blowfish known as Asn1, Bcpg, Crypto (in general?), EC, Ocsp, Pkcs, or what? I lack the domain knowledge of knowing what all of the acronyms in the source code mean.

Are there any useful articles or blogs or something that have succeeded in using the C# BouncyCastle API for Blowfish? My primary need is to use Blowfish for password hashing.

Earlz
  • If you poke around the test classes you may be able to find something. That's the first place I'd look. – John Jun 21 '11 at 21:26
  • @John which ones? There is no file named "Hey you, this is the Blowfish class you're looking for.cs" rather it'd be more likely named "BkdeCompTest.cs" or something. Like I said, I don't know the acronyms they use. – Earlz Jun 21 '11 at 21:28
  • Have you done a global search for blowfish? For me it turned up `Org.BouncyCastle.Crypto.Engines.BlowfishEngine` – Matt Ellen Jun 21 '11 at 21:30
  • Ah, should've done it within VS instead of explorer's crappy search function. But even then, I'm not seeing how you tie that into hashing. It's encryption as far as I see – Earlz Jun 21 '11 at 21:34
  • Blowfish is a block cipher, not a hash algorithm. Do you have any source for using Blowfish for hashing a password? – dtb Jun 21 '11 at 21:38
  • I have seen blowfish used for hashing passwords in a sybase DB. I'm not sure why. – Matt Ellen Jun 21 '11 at 21:40
  • You have to put the engine into one of the cipher classes, e.g. `Org.BouncyCastle.Crypto.BufferedBlockCipher`. I'm not sure what to do from there. – Matt Ellen Jun 21 '11 at 21:42
  • @dtb http://www.google.com/search?q=blowfish+hash It has been known as one of the most secure hashing algorithms because you can set how much it must work and because of its expensive preprocessing step – Earlz Jun 21 '11 at 21:47
  • Blowfish is not a hash but bcrypt, which uses blowfish, is. – President James K. Polk Jun 21 '11 at 23:47
  • I personally have found that reading the bouncycastle source is more enlightening than reading the .NET documentation, if we are comparing the two. – President James K. Polk Jun 21 '11 at 23:48

2 Answers

5

For password hashing I would recommend going with bcrypt, which internally uses Blowfish. The advantage of using bcrypt is that you can easily configure how expensive it is in generating your output hash. This is important as the biggest problem with many popular hash algorithms is that they work very quickly and this allows a brute force attack to run through many permutations to find a match. By specifying a large work factor you can make it slow to run (in computer terms but still fast in human terms) and so a brute force attack becomes unfeasible.

There are C# implementations already available.

Phil Wright
0

Also you should check out: Why does BCrypt.net GenerateSalt(31) return straight away? And the codeplex implementation: bcrypt.codeplex.com

Community
sweetlilmre
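The configurable work factor described in the first answer, shown with the BCrypt.Net library named in the second, as an added example that is not code from either answerer. It assumes the BCrypt.Net-Next NuGet package; `PasswordStore`, `TargetCost` and the sample password are illustrative names and values. It also shows raising the cost later by rehashing on a successful login.

```csharp
using System;
using System.Diagnostics;

// Added example. Assumes the BCrypt.Net-Next NuGet package, which exposes
// BCrypt.Net.BCrypt.HashPassword and Verify. Class name and TargetCost are illustrative.
public static class PasswordStore
{
    private const int TargetCost = 12; // assumed policy value; each +1 doubles the work

    public static string Hash(string password) =>
        BCrypt.Net.BCrypt.HashPassword(password, TargetCost);

    // A bcrypt string has the form $2a$12$<salt and hash>; the second
    // '$'-delimited field is the cost that was used when it was created.
    public static int CostOf(string hash)
    {
        string[] parts = hash.Split('$');
        if (parts.Length != 4 || !parts[1].StartsWith("2") || !int.TryParse(parts[2], out int cost))
            throw new FormatException("not a bcrypt hash");
        return cost;
    }

    // Returns true on a correct password. If the stored hash was made with a lower
    // cost than the current target, upgradedHash carries a replacement to persist.
    public static bool Verify(string password, string storedHash, out string upgradedHash)
    {
        upgradedHash = null;
        if (!BCrypt.Net.BCrypt.Verify(password, storedHash)) return false;
        if (CostOf(storedHash) < TargetCost) upgradedHash = Hash(password);
        return true;
    }

    public static void Main()
    {
        // Time a few costs on your own hardware before picking TargetCost.
        foreach (int cost in new[] { 8, 10, 12 })
        {
            var sw = Stopwatch.StartNew();
            BCrypt.Net.BCrypt.HashPassword("constructed sample password", cost);
            Console.WriteLine($"cost {cost}: {sw.ElapsedMilliseconds} ms");
        }
        // A hash stored under an older, cheaper policy gets upgraded on login.
        string old = BCrypt.Net.BCrypt.HashPassword("constructed sample password", 8);
        bool ok = Verify("constructed sample password", old, out string upgraded);
        Console.WriteLine($"verified={ok}, rehashed={upgraded != null}, new cost={CostOf(upgraded)}");
    }
}
```

The salt is generated inside `HashPassword` and stored in the output string, so only that one string needs to be persisted per user.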