Cliff Spradlin

2006-03-15 13:49:02 UTC

I was consulting for a client who has an application that uses uses the

Blowfish algorithm. They were having trouble getting files saved with

it to interoperate with another program that uses it as well.

What I found was that their Feistel round function is quite...bizarre.

This is the what they had:

unsigned int F(BLOWFISH_CTX *ctx, unsigned int x) {

unsigned short a, b, c, d;

unsigned int y, z;

d = (unsigned short)(x & 0xFF);

x >>= 8;

c = (unsigned short)(x & 0xFF);

x >>= 8;

b = (unsigned short)(x & 0xFF);

x >>= 8;

a = (unsigned short)(x & 0xFF);

z = ctx->S[3][a];

y = ctx->S[1][c];

z &= 1;

y &= 1;

z ^= 32;

y ^= 32;

y += z;

y += ctx->S[2][b];

y += ctx->S[0][d];

return y;

}

The "real" one looks like this:

static unsigned int RealF(BLOWFISH_CTX *ctx, unsigned int x) {

unsigned short a, b, c, d;

unsigned int y;

d = (unsigned short)(x & 0xFF);

x >>= 8;

c = (unsigned short)(x & 0xFF);

x >>= 8;

b = (unsigned short)(x & 0xFF);

x >>= 8;

a = (unsigned short)(x & 0xFF);

y = ctx->S[0][a] + ctx->S[1][b];

y = y ^ ctx->S[2][c];

y = y + ctx->S[3][d];

return y;

}

Noone could remember who did this or why. My best guess is someone

thought that making the algorithm a little more proprietary would make

it secure, but they ended up ruining it. As you can see, once of the

differences is that most of the data of the s-box is thrown out since

they AND it with 1, and then they XOR that with 32 (which obviously

does nothing ever). Everything other than this function is the same as

the Blowfish spec.

Now, I honestly haven't worked out the exact math behind the Feistel

rounds and the permutation/substitution boxes and such. What I was

wondering is, obvious coding flaws aside, does this make the algorithm

less secure? It would seem to be much less secure as this affects both

the initial key generation as well as encryption/decryption. It seems

like this would possibly expose the key a little in the ciphertext. If

anyone has any thoughts, I'm very interested. I'd like to understand

this stuff better.

-Cliff Spradlin

Blowfish algorithm. They were having trouble getting files saved with

it to interoperate with another program that uses it as well.

What I found was that their Feistel round function is quite...bizarre.

This is the what they had:

unsigned int F(BLOWFISH_CTX *ctx, unsigned int x) {

unsigned short a, b, c, d;

unsigned int y, z;

d = (unsigned short)(x & 0xFF);

x >>= 8;

c = (unsigned short)(x & 0xFF);

x >>= 8;

b = (unsigned short)(x & 0xFF);

x >>= 8;

a = (unsigned short)(x & 0xFF);

z = ctx->S[3][a];

y = ctx->S[1][c];

z &= 1;

y &= 1;

z ^= 32;

y ^= 32;

y += z;

y += ctx->S[2][b];

y += ctx->S[0][d];

return y;

}

The "real" one looks like this:

static unsigned int RealF(BLOWFISH_CTX *ctx, unsigned int x) {

unsigned short a, b, c, d;

unsigned int y;

d = (unsigned short)(x & 0xFF);

x >>= 8;

c = (unsigned short)(x & 0xFF);

x >>= 8;

b = (unsigned short)(x & 0xFF);

x >>= 8;

a = (unsigned short)(x & 0xFF);

y = ctx->S[0][a] + ctx->S[1][b];

y = y ^ ctx->S[2][c];

y = y + ctx->S[3][d];

return y;

}

Noone could remember who did this or why. My best guess is someone

thought that making the algorithm a little more proprietary would make

it secure, but they ended up ruining it. As you can see, once of the

differences is that most of the data of the s-box is thrown out since

they AND it with 1, and then they XOR that with 32 (which obviously

does nothing ever). Everything other than this function is the same as

the Blowfish spec.

Now, I honestly haven't worked out the exact math behind the Feistel

rounds and the permutation/substitution boxes and such. What I was

wondering is, obvious coding flaws aside, does this make the algorithm

less secure? It would seem to be much less secure as this affects both

the initial key generation as well as encryption/decryption. It seems

like this would possibly expose the key a little in the ciphertext. If

anyone has any thoughts, I'm very interested. I'd like to understand

this stuff better.

-Cliff Spradlin