aspose file tools*
The moose likes Security and the fly likes how do i get different results for blowfish/ECB/HEX encryption? Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Soft Skills this week in the Jobs Discussion forum!
JavaRanch » Java Forums » Engineering » Security
Bookmark "how do i get different results for blowfish/ECB/HEX encryption?" Watch "how do i get different results for blowfish/ECB/HEX encryption?" New topic
Author

how do i get different results for blowfish/ECB/HEX encryption?

sadhna singh
Greenhorn

Joined: May 29, 2007
Posts: 29
I am trying to get same result as tool webnet77.
http://webnet77.com/cgi-bin/helpers/blowfish.pl

I am using info for tool-

ALGORITM = "Blowfish";
HEX KEY = "92514c2df6e22f079acabedce08f8ac3";
PLAIN_TEXT = "sangasong@song.com"
Tool returns-
CD3A08381467823D4013960E75E465F0B00C5E3BAEFBECBB

I tried with java code with value -

final String ALGORITM = "Blowfish";
final String KEY = "92514c2df6e22f079acabedce08f8ac3";
final String PLAIN_TEXT = "sangasong@song.com";
byte[] decodedHex = DatatypeConverter.parseHexBinary(KEY);
byte[] keyInBase64 = Base64.decodeBase64(decodedHex);
String meth = hexToString(KEY);

MessageDigest sha = MessageDigest.getInstance("SHA-1");
Key skey = new javax.crypto.spec.SecretKeySpec(raw, "AES");

try {
byte[] encrypted = encrypt(decodedHex, PLAIN_TEXT);
System.out.println( "Encrypted hex: " + Hex.encodeHexString(encrypted));

byte[] encrypted1 = encrypt(keyInBase64, PLAIN_TEXT);
System.out.println( "Encrypted byte64: " + Hex.encodeHexString(encrypted1));

byte[] encrypted2 = encrypt(meth.getBytes(), PLAIN_TEXT);
System.out.println( "Encrypted method: " + Hex.encodeHexString(encrypted2));

} catch (GeneralSecurityException e) {
e.printStackTrace();
}

private static byte[] encrypt(byte[] key, String plainText) throws GeneralSecurityException {

SecretKey secret_key = new SecretKeySpec(key, "Blowfish");

Cipher cipher = Cipher.getInstance("Blowfish");
cipher.init(Cipher.ENCRYPT_MODE, secret_key);

return cipher.doFinal(plainText.getBytes());
}

Result -

Encrypted hex: 525bd4bd786a545fe7786b0076b3bbc2127425f0ea58c29d
Encrypted byte64: 1a2abceed959cef8f5b2dcb668069c1580d736dda0832703
Encrypted method: 2c87b7682091053ad1bdf945368f959b5edf064b58499e18

Please help to get result same as tool.

thanks a lot.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1110
    
  10

Even though the key string contains only hex characters it turns out that the bytes of the key are NOT obtained by hex decoding but obtained from


P.S. Before posting any code please please please remove redundant code. I spent more time removing the redundant code than I did in finding the solution.
sadhna singh
Greenhorn

Joined: May 29, 2007
Posts: 29
Thanks Richard.
If i do get bytes for key using KEY.getBytes("ASCII");
it fails as illegal key size.

java.security.InvalidKeyException: Illegal key size or default parameters
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)

P.S- On another note there is no redundancy in code. same method called thrice with different key bytes to show how its giving different result.

complete Java Code here---

import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Hex;

public class Test{

public static void main(String[] args) throws Exception {
final String KEY = "92514c2df6e22f079acabedce08f8ac3";
final String PLAIN_TEXT = "sangasong@song.com";
byte[] keyBytes = KEY.getBytes("ASCII");

try {

byte[] encrypted = encrypt(keyBytes, PLAIN_TEXT);
System.out.println( "Encrypted hex: " + Hex.encodeHexString(encrypted));

} catch (GeneralSecurityException e) {
e.printStackTrace();
}
}
private static byte[] encrypt(byte[] key, String plainText) throws GeneralSecurityException {

SecretKey secret_key = new SecretKeySpec(key, "Blowfish");

Cipher cipher = Cipher.getInstance("Blowfish");
cipher.init(Cipher.ENCRYPT_MODE, secret_key);

return cipher.doFinal(plainText.getBytes());
}
}
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1110
    
  10

[quote=sadhna singh]If i do get bytes for key using KEY.getBytes("ASCII");
it fails as illegal key size.
[/quote]

That is most likely because you have not installed the Unlimited Strength jars in your JRE. Go to the JDK download page and follow the instructions for installing the Unlimited Strength jars.

You should note that :-

a) The industry standard for block encryption is AES and not Blowfish. One never gets sacked for using the industry standard so unless you re trying to match some legacy system then re-think your use of Blowfish.

b) Your code by default uses ECB block mode and one should never use ECB since it is generally considered insecure in that it allows splicing of cipher text and allows an observer to detect that two bits of ciphertext come from the same cleartext. This applies to any block cipher including AES and Blowfish. One should use one of the feedback block modes such as CBC with a random IV.

c) By defining the key in terms of just ASCII characters you are significantly reducing the search space required to brute force breaking the key.
sadhna singh
Greenhorn

Joined: May 29, 2007
Posts: 29
Thanks again Richard.
I have installed the Unlimited Strength jars in JRE before posting this question here.

your suggestions are welcomed. but i posted here and need help in solving my problem here.
Agree on all suggestion but real problem is as below so cant change algo or ECB .

a) The industry standard for block encryption is AES and not Blowfish. One never gets sacked for using the industry standard so unless you re trying to match some legacy system then re-think your use of Blowfish.

I agree but unfortunately ,I can not change as client is using it at there end for encryption. they use webnet77 tool and send us the encrypted code and key.
we decrypt at our end. So i am forced to get same output as that tool.


b) Your code by default uses ECB block mode and one should never use ECB since it is generally considered insecure in that it allows splicing of cipher text and allows an observer to detect that two bits of ciphertext come from the same cleartext. This applies to any block cipher including AES and Blowfish. One should use one of the feedback block modes such as CBC with a random IV.

Client send us the Key, mode ECB and encoding HEX.


Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1110
    
  10

sadhna singh wrote:
I have installed the Unlimited Strength jars in JRE before posting this question here.


I'm not convinced you have installed the Unlimited Strength jars correctly since I only see and illegal key size exception when I use a JRE without installing the Unlimited Strength jars .

Also, your second code posting has 3 fundamental compilation errors (JDK6, JDK7 and JDK8) .
sadhna singh
Greenhorn

Joined: May 29, 2007
Posts: 29
May be not installed correctly.
I have done below step to do so-

1- http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-java-plat-419418.html#jce_policy-6-oth-JPR
Downloaded the version 6
2- Unzip the downloaded zip
3- Copy local_policy.jar and US_export_policy.jar to the $JAVA_HOME/jre/lib/security (Note: these jars were already there so did overwrite them)

I thought IDE will help to do minor imports n fixes. Anyways i have fixed n edited my second code.no more compilation error.
Can we now talk on real problem?
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1110
    
  10

What can I say ! After fixing the compilation errors in your latest code it works for me without an exception as long as I have the Unlimited Strength jar installed. If you are working on Windows make sure you do this for both the JDK and the JRE. If you have done this make sure you are using the JRE that you think you are and not some version that does not have the Unlimited Strength jar installed.
sadhna singh
Greenhorn

Joined: May 29, 2007
Posts: 29
Thanks Richard for trying.
may i know what you are getting as result when run the code at your end???

sadhna singh
Greenhorn

Joined: May 29, 2007
Posts: 29
Thanks Richard for helping me.

Its working now. and i am getting same result as tool.
I copied the JCE jar files in JDK and JRE both.
Richard Tookey
Ranch Hand

Joined: Aug 27, 2012
Posts: 1110
    
  10

[quote=sadhna singh]Thanks Richard for trying.
may i know what you are getting as result when run the code at your end???

[/quote]

I'm getting the value you expected in your OP i.e.
[code=java]
Encrypted hex: cd3a08381467823d4013960e75e465f0b00c5e3baefbecbb[/code]

Note - I get lower case because my hex encoder produces lower case by default.
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: how do i get different results for blowfish/ECB/HEX encryption?