Decrypt Blowfish Encrypted File

[Emmaline]

Helloi'm new to Java and i have the following problem: i'm trying to encrypt the password of a user using the blowfish algorithm, but when i try to decrypt it back to check the authentication it fails to decrypt it for some reason.

you are encrypting a password. that means you need to store a key somewhere (you cannot store it in the database or anyone that steals the database will be able to decrypt the passwords). instead, you should use a hash.

even then, you should not store passwords in this way. not even if you use a salt correctly. these days it is too easy to crack simply hashed passwords, even when salted. instead, use the bcrypt library or PBKDF2.

Cleaning up my disk space, I found an encrypted file (*.bfa), which I encrypted with Blowfish Advanced CS (Version 2.13.00.002) about 15 years ago.I still have a copy of the original version of Bfacs, which I used for that encryption and which still seem to run with actual Windows.

Not very surprising, I don't know the password for decryption anymore.I'm sure, back then I just used a normal word, lowercase, with no special characters or numbers.And I'm also sure I used Bfacs with standard configuration.

I just have experience with 'usual' IT-stuff and a little programming with c#, but not at all with hacking encrypted files.I'm sure this is quite no important file, as I didn't miss it for the last 15 years, but it makes me curios and there is always something new to learn ;-)

For a cracking tool (JtR, Hashcat...) to be able to have a go at the file, they need to have support for the specific file format that you are trying to attack (see e.g. how to crack an office document with Hashcat). Now, the very obscure tool you used isn't supported by common tools, so support for it, while likely possible, would take some programming and possibly quite a bit of it. Worst, the product isn't open source nor the format is documented, so some reverse engineering would be involved, doable but again would take some time.

Once that is done, if the password really is a dictionary word decrypting the file is a piece of cake, but you'd be down a few thousands dollars or euros (at least) in custom software development, and lots of time finding the right entity for the job.

We have a LabVIEW (ver. 2011) application where we need to decrypt the password which is already encrypted by a Java application. We downloaded the Blowfish/AES encryption/decryption examples (Crypto-Tools for LabVIEW 2011) from NI community ( -22585) and were trying to use them for the decrypting the password. But the encrypted string (Blowfish/AES) generated by the Java application is different than the one generated by the LabVIEW application. So even if we use the same encryption method (Blowfish/AES), the LabVIEW and Java applications are generating different encrypted (Cyphered Text) strings so that the decryption in LabVIEW doesn't give the desired result. The encryption basically needs an input string (to be encrypted) and a key, decryption needs the encrypted string and the same key used for encryption.

I have used an older piece of code to do the Blowfish encryption. I have attached it. Comparing this code with the code you linked provides different results and the two versions of code cannot decrypt what was encrypted by the other. I have never tried decrypting text which was encrypted using another library but it seems that it is not as standard as one might think.

I have some encrypted data stored in db. The data was encrypted in Java with methods from Cypher class. It can be decrypted in the same way in java (with cipher.init, cipher.doFinal), but I need to decrypt it in sql. So there is way to decrypt the data in sql? For example in stored procedures?

as far as i know, there isn't a native way to do this for SQL Server, unless you count the CLR in 2005. You'd either use that to decrypt it - write something in C#/VB that decrypts using Blowfish - or you could pull it out to a small app or webpage and do it there and then update the rows.

you could give that a try; it may or may not work; for example, My company was using an AES encryption method for certain columns, and even with the same encryption seed, when i was testing the vb6 version we were using to encrypt/decrypt did not procude the same results as the extended stored procedure. named the same, but different in the details, so we ended up centralizing to always use the stored proc instead.

Lowell--help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!

I tried with the DBA Toolkit, but you're right...The encryption in Java uses the blowfish encryption, I tried the same data to encrypt with the extended stored procedure for blowfish from the toolkit, but the results are not the same...Maybe I'm missing something?

Unfortunately I can't change the way how the data is encrypted in java, they use it for some time and it is very complex...They use a lot of keys to get a final key, and with this final key the data is encrypted with the methods for blowfish algorithm from Cipher class, which is in an extension for java jdk.

So I got this final key and tried to decrypt the data with the extended stored procedures. But it seems that it doesn't work. Maybe I should search or ask in java forums how this methods from Cipher class really work...

I use the -x option in vim to encrypt a file. I read this files much more times than I write to it, so I always use cat and then remember it is encrypted because of what it shows.. So then I have to use vim, enter the password and then exit using :q ..

Is there any way to use cat (or another command, of course passing my password somewhere) and just print/get the contents? Or maybe is there just a vim option that only prints the contents without entering the editor?

As of version 7.3 vim offers strong built in blowfish encryption/decryption, which for certain purposes is more convenient than filtering through gnupg. Unfortunately the resulting files can only be read back by vim which makes it hard to use them in batch processing or scripting. Also longevity of encrypted data is a concern if a program with the dependencies and size of vim is required to unlock it.

Vim's configure system is entirely stripped away which might have broken support for other platforms than the 32 bit i386 linux it was developed on. Since the two relevant files are taken from the vim project unmodified it should be trivial to restore support on other platforms by fixing the vim.h header.

Bruce Schneier of Counterpane Systems developed the Blowfish cipher algorithm. RFC 2451 shows that Blowfish uses key sizes from 40 to 448 bits. The Default size is 128 bits. We will only accept key sizes of 128 bits, because libgrypt only accept this key size. Have a look to for more information. BLOWFISH-CBC uses an IV of 8 octets.

@Kurt Knochner As far as I know it uses a custom binary protocol and every packet is encrypted with Blowfish. SO I guess that you could basically just run the decryption algorithm on the contents of a packet.

The result of encrypt(myText, key, "BLOWFISH", "HEX") gives me a value that I can decrypt just fine in coldfusion, but apparently not the same value as you would get if you ran the same encryption (blowfish, hex) using PHP or Java.

I've tried padding the myText variable with null characters to fill it so the length is a multiple of 8 (have to use URLDecode("%00") instead of char(0) as the null character, since char(0) doesn't actually increase the length of the string). But that doesn't seem to have much of any effect.

If someone can make the result of coldfusion's blowfish encryption match what you get using that tool above I would really appreciate it.

If you're expecting two entirely-unrelated language implementation teams, not only "to come up with compatible implementations" but to continue to do so for (perhaps...?) the next twenty-five years, "it ain't gonna happen."

And you ... or your successor (who is cursing your name posthumously after you had "that very unfortunate with a bread truck") ... might well be stuck with several gigabytes of un-decryptable data. "Don't go there!"

If two applications need to talk to each other in such a way that no one can understand what they are saying, don't attempt a "roll your own" solution. Instead, require that an encrypted secure communication-channel must exist between the two parties ... using proven, commercially available technologies such as VPN or SSL. The information which the two parties send to each other is "in the clear."

Likewise, if you need to store secret data in a database, arrange for the database management system to secure that database on your behalf. Make sure that your connection to the DBMS is likewise "flowing across a secure network channel."

In all of these cases, you have succeeded in removing the obligation for security from your application. You have passed-the-buck to known-good third parties. You have also built your app to rely upon technologies that the IS infrastructure people already know how to manage.

All these languages encrypt data using algorithm=BLOWFISH, mode=ECB, encoding=HEX and produce exactly the same result, so the API accepts it. When I try to do it in CF, it produces a different result, so I cannot post to the API.

If PHP, Java, .NET, Perl and Delphi can come up with compatible implementations of Blowfish, why can't Coldfusion? Coldfusion is obviously the outlier, and is doing something different from the "standard" implementation of this encryption method - I'm trying to understand what that difference is, and if I can somehow bring it in line with the rest of the world.

3a8082e126