Blowfish encryption between languages and platforms

[Zief]

Hi,

These may not be the correct places to post this message, but since I
am trying to make my Windows Mobile program decrypt strings from a
different PC Delphi program, I thought I'd start off here and if anyone
has any suggestions for posting elsewhere let me know.

Basically I have a Delphi program which is encrypting user passwords
using a blowfish algorithm taken from a free to use module called
LbCipher.pas that was originally used in TurboPower Lockbox (it seems
from the comment on the file, it is not from a project I have done).

This will take the password of "pass" (without the quotes) and return
"EEb+053WU2Q=" using the following lines of code in delphi and the key
shown:

function BlowFishString(UserStr : string) : string;
var
Key128 : TKey128;
begin
GenerateLMDKey(Key128, SizeOf(Key128), '1jkdjmc8743hj3euyd87');
Result := BFEncryptStringEx(UserStr, Key128, True);
end;

On the Windows Mobile side, I found Markus Hahn's page and am using his
BlowfishSimple class in C# to attempt to encrypt/decrypt strings. This
is where the problem appears, it may be a simple fix, but I am not
entirely sure how it all works.
The BlowfishSimple class using the following code:

// create the same key as used in the Delphi program
string tst = "1jkdjmc8743hj3euyd87";

BlowfishSimple test = new BlowfishSimple(tst);
string encrtest = test.Encrypt("pass");
string decr = test.Decrypt(encrtest);

encrtest is much bigger than "EEb+053WU2Q=" but on the last line it
decrypts fine back to "pass".

Does anyone have any idea how I can make the two compatible. Preferably
by changing the BlowfishSimple class in C# rather than the Delphi
program, as the Delphi program has already been rolled out and is in
use and would require much more effort to bring in line with the
Windows Mobile version.

Thanks in advance,
Zief

[danny heijl]

Zief schreef:

> encrtest is much bigger than "EEb+053WU2Q=" but on the last line it
> decrypts fine back to "pass".

blowfishsimple uses an IV and padding so it is normal that the resulting
base64 string grows. I suppose that the Delphi code does not use an IV
and/or padding, which, if true, is not a good thing.

Danny
---

[Mike B]

The LockBox implementation of Blowfish which you are using is known to
produce non-standard results when compared against the test vectors for
Blowfish on the official site.

So you have a problem already, as your Delphi program is in operation.

You will have to make some hard choices unfortunately.

regards
Mike

"Zief" <cante...@thisfakeaddress.com> wrote in message
news:44db0c5a$1...@newsgroups.borland.com...

[madshi (Mathias Rauen)]

FWIW, madCollection contains a free Delphi blowfish
unit which supports both IV and padding and which
is compliant to the blowfish test vectors:

http://help.madshi.net/madCryptUnit.htm
http://madCollection.exe

--
www.madshi.net
high quality low level Delphi components
extended exception handling
API hooking, DLL injection

[Zief]

Thanks for this it will hopefully come in useful.

I am still struggling to get your blowfish routine working with the Blowfish
package for C# made available by Markus Hahn. I am trying to just use the
BlowfishSimple class, with the same key/password as used in your routine.
However, on the C# version, the encrypted string is longer and not the same,
can you give me any advice on this?

Thanks

"madshi (Mathias Rauen)" <de...@no-spam-madshi.net> wrote in message
news:44e0...@newsgroups.borland.com...

[madshi (Mathias Rauen)]

Can you give me the following information:

(1) Which string did you compress with C#?
(2) Which password did you use?
(3) Which IV did you use?
(4) What is the result string?

[Zief]

I was using BlowfishSimple in C#, so this meant I was only using a password
and not an iv, however I discovered that this was creating a different
encryption every time as it was using a random iv.
So I've now adapted the BlowfishSimple class to use the iv:
iv[0] = 13;
iv[1] = 53;
iv[2] = 91;
iv[3] = 128;
iv[4] = 231;
iv[5] = 12;
iv[6] = 210;
iv[7] = 124;

So in C#:
BlowfishSimple test = new BlowfishSimple("1jkdjmc8743hj3euyd87"); // that
is the password
string ftest = test.Encrypt("pass"); // encrypt sets the iv as above
ftest = "DTVbgOcM0nzcf3Q7R8GGnw=="

Using your Blowfish in Delphi....

var
pass, newpass : string;
ivr : Int64Rec;
iv : Int64;
begin
pass := 'pass';
ivr.Bytes[0] := 13;
ivr.Bytes[1] := 53;
ivr.Bytes[2] := 91;
ivr.Bytes[3] := 128;
ivr.Bytes[4] := 231;
ivr.Bytes[5] := 12;
ivr.Bytes[6] := 210;
ivr.Bytes[7] := 124;
iv := ivr.Hi + ivr.Lo;
Encrypt(pass, '1jkdjmc8743hj3euyd87', iv);
newpass := Encode(pass);
end;

newpass = "9oftEmvfI9M="

This is half the size of the one generated by the BlowfishSimple C# class.

Any ideas?

Cheers for the help,
Zief

"madshi (Mathias Rauen)" <de...@no-spam-madshi.net> wrote in message

news:44e2...@newsgroups.borland.com...

[Thorsten Engler [NexusDB]]

Zief wrote:
> So in C#:

> ftest = "DTVbgOcM0nzcf3Q7R8GGnw=="
>
> Using your Blowfish in Delphi....

> newpass = "9oftEmvfI9M="
>
> This is half the size of the one generated by the BlowfishSimple C# class.
>
> Any ideas?

At a guess... C# is using UTF-16 Unicode strings (2 bytes per character)
and Delphi is using ANSI strings (1 byte per character).

Cheers,
Thorsten

[Zief]

AFAIK C# is using UTF-8 strings, I may be wrong. Might this still cause a
problem as opposed to ANSI strings?
The madCrypt Encode function may be different to the Convert.ToBase64String
function that I think may be used in the C# Blowfish class, other than that
it is something to do with the encryption itself.

Zief

"Thorsten Engler [NexusDB]" <thorsten...@SPAMnexusdb.com> wrote in
message news:44e30032$1...@newsgroups.borland.com...

[madshi (Mathias Rauen)]

Yeah, I think Thorsten Engler found the most probable
explanation for the size difference.

However, I tried to get the same output as the C#
stuff by "simulating" using unicode in Delphi, but I
failed. Don't really know what the C# solution does
inside.

Btw, in your code this doesn't work:

iv := ivr.Hi + ivr.Lo;

Please use this instead:

Move(ivr, iv, 8);

[Zief]

Forgive me, it does seem that the difference is that C# is using Unicode
strings, and Delphi Ansi strings.
I have changed the code to use Move(ivr, iv, 8).
I am unsure how to proceed to make the two platforms compatible, does anyone
have any suggestions?

Thanks,
Zief

"madshi (Mathias Rauen)" <de...@no-spam-madshi.net> wrote in message

news:44e3...@newsgroups.borland.com...

[madshi (Mathias Rauen)]

I'd try to make sure that the C# solution really
produces standard results when tested with the
official blowfish test vectors. If it does, I'd
suggest that you do the same test with madCrypt.
If you can get both solutions to successfully
encrypt the test vectors, it should be rather
simple to make them work together.

[jmhil...@gmail.com]

Unfortunately, I was faced with the same problem. The Lockbox component uses a nonstandard blowfish algorithm. I rewrote the c# code freely available from the creator. The lockbox component failed to decrypt using the c# routine provided. . Reading the Pascal code, the implementation is not the blowfish algorithm described on the creators website.

One more problem is the key generation in lockbox uses their block cipher. I am contemplating coding this but it occurred to me that this blowfish implementation may be flawed, I.e., easily broken. Has anyone found any security problems with the lockbox implementation?