Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Breaking 224-bit Blowfish encryption

Tags:

security

encryption

brute-force

blowfish

I have a bunch of encrypted files that I want to decrypt (duh). I found out they are encrypted with Blowfish using a 224-bit key after some research. I know what the first few bytes of the plaintext looks like (it's kind of a header).

Noting that I am not NSA nor do I have ridiculous computing power, is there any chance of me brute forcing the key within a reasonable time (eg: not the life of the universe)?

I read somewhere that someone published an attack on the full-blown Blowfish (no pun intended) that reduces the search to 2^(n/2) but it mysteriously disappeared. Apparently it was some kind of MITM attack; though Blowfish uses a 16 round Feistel network, so it has to be clever if it exists. Can anyone confirm this?

EDIT: I do have access to a large number of the keys that are used, just not all of them. Perhaps it would be more worth my while to try and attack the generation of the keys instead?

like image 802
NullUserException Avatar asked Jan 21 '23 02:01

NullUserException

2 Answers

There is no chance of you brute-forcing the key*. Assuming there is a meet-in-the-middle attack for Blowfish that reduces it to testing 2^112 keys, there isn't enough computing power on the planet to have a decent chance of brute-forcing the key before the Sun goes cold. The NSA couldn't do it either, if that's any consolation, although it's conceivable they can solve Blowfish rather than guess keys.

Unless you can find the keys, you aren't going to read the files.

*Technically, you do have a chance. However, it's far more likely that you'll win a national lottery twice (assuming you buy a ticket for two drawings).

like image 186
David Thornley Avatar answered Jan 22 '23 16:01

David Thornley

No, you can't recover the plain text unless the encryption was done incorrectly.

There is a published "known plain text" attack, but it requires billions of known plain texts to work.

Update regarding "Edit": Again, if the encryption was done correctly, examining the known keys won't help, because a cryptographic number generator used to generate good keys is going to have similar complexity as the cipher. However, using a bad generator (or password-based encryption with weak passwords) is a common implementation flaw. Good luck!

like image 40
erickson Avatar answered Jan 22 '23 16:01

erickson
Sign in to Comment

Related questions

Is there a way to protect oneself from Mercurial identity theft?
SSL key exchange encryption techniques [closed]
Stealing session id cookies - counter measures
Restrict User Activity Based on IP or on Cookie?
How safe is it to use phpass between several servers?
How to uniquely identify a network?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!