Blowfish is an encryption algorithm that was made toovercome the disadvantages of DES. It was published in 1993. It is over twodecades from now that it was published, but now also it is one of the mostpopular algorithms to be used now-a-days also. This is due to the reason thatit produces a good quality cipher text which is nearly impossible to break.
Theuser has the liberty to choose the length of the key from 32 bit to 448 bit.The more the number of the bits the user will use, the lower will be the chanceof the algorithm to be broken. The only thing that the blowfish demands is theprotection of the key from all the malice users. It is implemented on 64 bitblock at a single time. This is the input of the algorithm. This can be apassword, text file or any other type of data. It depends on the user what itwants to be encrypted.
This is the only thing that changes the cipher text ifthe key is not changed.The use of blowfish is easy and very secure. Almostall the programming languages used now-a-days have predefined implementation ofblowfish. The blowfish is a patent free algorithm and anyone can use it withoutany restrictions. This algorithm is easy to be modified and very easy to defineit for your personal use. As most of the algorithms present are patented bysome or the other agency, it is very important to have at least one algorithmthat is available to be used by anyone and is open for all.
As it is notpatented it doesn’t mean that will be easy to break and will be very easy tocompromise anyone that uses this algorithm. Every user can define an algorithmthat is comfortable to his/her application.One of the most important uses of blowfish is in thepassword management of websites. It is very useful and secure to use blowfishfor this purpose.
The blowfish generates a cypher text which is a hashed outputof the plain text and the key that is defined at a single time. The blowfishgenerates the cypher text after 16 iterations in a particular way. This isdefined in the algorithm definition. This process will produce intermediatetext. After this process sub key 17th and sub key 18thare used to produce the final output from the above produced intermediate text.Once this cypher text of 64 bit length is produced,it is saved in the database. No other information about the password is savedby the company. This is what enables transparency.
The admin who has the accessto the user data and who is able to read the password, name, email and otherinformation of the user by accessing the database, will only be able to see thehashed password in the database. The hashed password will be of 64 bit and itwill give no clue to the admin about the password or the length of thepassword. This will make the user feel secure as its password is never saved bythe company’s database and it is always better to avoid trusting anyone in sucha case.
So, now the password is not saved in the databaseand only the hashed password is saved by the company. So it will raise athought in the mind of everyone that how will the user be allowed to login andbe authorised afterword when he demands to login into his account. This is done by avoiding the decryption. The simpletechnique used is to encrypt what user types in the password box again duringlogin and to pass it through the same process again and to allow it to producea cypher text. This cypher text is what is produced by the user during thelogin trial. It will be 64 bit cypher text or hashed password in this case too.Now to allow a user to login into his account, the user must be authorised. Theuser will be authorised if the cypher text produced during the login time issame as the cypher text stored in the database.
If the hashed passwords aresame, then the user must have entered a correct password, then only it wouldhave produced the same cypher text.Now, someone can argue that during the practical useof an algorithm a particular cypher text can also be produced by two differentinputs. But talking in terms of the same cypher text to be produced by two differentinputs can have a very minute or zero per cent possibility in most of thecases. So, finding any other input to produce the same cypher text isultimately impossible. The impossibility factor increases as differentwebsites will use different keys of different lengths and will make the guessof the key more uncertain and more difficult. The impossibility to crack thepassword can be increased by introducing the static salt by the website.
This salt is a string defined by the website andwill be added to the password entered by the user before the encryption starts.The encryption will produce a cypher text with more uncertainty and will givethe website one more advantage. The advantage that salt will provide is,whenever by some chance a malicious user is able to crack a password of aparticular user, it will not be able to produce a pattern out of this. He willnot be able to make a pattern as he will not get the value of the salt. If thesalt is unknown, then it will be completely impossible for the malicious userto crack one more password by the use of previous one.The only care that the website will have to make isto keep the salt safe from each and every person and it should be unknown toeveryone except the most senior people of the company. These people should notreveal this salt in front of anyone. It should be kept safe from everyone.
Thisimpossibility makes our algorithm secure from being broken. It gives thecomplete guarantee that a malicious user will not be able to find the correctpassword by seeing the value present in the database.Another approach that can be used is to use a randomor dynamic salt of certain length that will be produced for each and every userindividually.
This will be produced during the signup phase of the user andthis salt will have to be stored in the database of the company for each andevery user along with other login details. During the login attempt, the saltwill be fetched from the database for a particular username and it will beadded to the password of the user and then the cypher will be produced for thatcomplete string. Then the further process will be same as before.When the new user will be added a new random saltwill be produced and be saved for him. This will make the cracking of the passwordcompletely impossible as the malicious user will have to know the password andthe particular cypher text of each and every individual to crack the website.This is impossible to be done.
This approach is out of our scope and we leavethis for future studies.