Blowfish actually supports more than 128-bit keys

Jussi Kivilinna jussi.kivilinna at iki.fi
Wed Apr 17 18:43:24 CEST 2019


Hello,

On 10.4.2019 1.18, Peter Wu wrote:
> Hi,
> 
> The current cipher documentation[1] reports that GCRY_CIPHER_BLOWFISH
> only supports 128-bit keys. In the long past, a "BLOWFISH160" variant
> seems to have existed which supported 160-bit keys as reported through
> gcry_cipher_get_algo_keylen.
> 
> One of our users would like to use Blowfish with 576 bit keys (don't
> ask). Based on the documentation it would not be possible. The source
> code (cipher/blowfish.c) however shows that do_bf_setkey function does
> not limit the key size. In fact it is designed to support any number of
> bytes (up to 72 bytes / 576 bits).
> 
> Could this be documented such that we can rely on it? Attached are two
> test programs:
> - One using test vectors from OpenSSL (key lengths 8..200 bits).
> - One using Eric Young's test vector as linked by Schneier[2] (key
>   lengths 8..192 bits).

I guess it would make sense to update documentation to match existing
implementation. It would be good to have test vector for maximum
key size. I've tried to search for existing test vectors for key 
lengths of 448-bit and 576-bit, but have not yet found one for the
latter.

> 
> Rejecting key lengths above 576 bits (72 bytes) might be a good idea.
> Rejecting 0 bytes would also be good to avoid a buffer overrun by one
> byte. I have no idea why someone would like to use a very short key
> though...
> 

Yes, limiting to supported key length would be a good thing.

-Jussi



More information about the Gcrypt-devel mailing list