In this paper we are perform
encryption using blowfish algorithm using salt and we . The blowfish algorithm
is used for encryption of the data and it converts a 64 bit block of input to a
64 bit cypher text. This conversion is done by the use of a key which is of predefined
length of 32-448 bits. Normally the basic algorithm consists of 16 rounds in a
single process, but to reduce the time of the conversion and password matching
we are proposing to use only 10 rounds in the conversion of data to cypher
text. This is very minor change but the actual impact of saving 6 rounds is
huge. This will make the process faster and it will still be unbreakable.
This decision is made on the
experimental basis as it is defined that the number of rounds increases the
security and the level of security but only up to certain level. After the
threshold number of rounds is completed, it does not depend on how many rounds
are made after the last round. It will only increase the time it will require to
encrypt the data and the feasibility will be decreased. If we only use the
threshold number of rounds, it will be time efficient without compromising the
security of the algorithm.
So we are proposing the use of 10
rounds in the algorithm. It will save 6 rounds for every time the user tries to
register to the website or he tries to login into the website. This will be for
all the users. It will save the server processing time. The benefit of this
algorithm depends on the number of users present in the company’s database. If the
users are less, then the benefit will be quiet low but on the other hand if the
number of users will be more than the benefit will be fairly high.
Another approach we are proposing
is the use of salt in the password before the encryption. The password is
usually of a limited length of 10-15 characters. We have proposed to add a
static salt of 22 characters so that we can ensure the safety of all the other
clients if one of the passwords is able to be broken. If a malice user is able
to break any one of the user’s password, it will have a lot of probability that
it will be able to generate a pattern to crack all the passwords by generating
a key and the security of all the users will be at a risk then.
This problem can be prevented by
the help of this salt. We can use a string of a particular length that will be
kept secret and will be prevented to be accessed by anyone other than authorized
people. This salt will be added to the password entered by the user and this
concatenated string will be used for the encryption. The cypher text generated
by this concatenated string will be stored in the database and this will be
used to authorize the user when he/she tries to login to the website.
The secrecy of this salt will be a
concern. It should be kept secret with the company as user’s security will be depending
on this. If the malice user or any user other than the authorized one gets the
access of this salt string, then he can make it public and then all the
passwords of the users will be at a risk. The prevention will require company
to generate hashed password for every user once again. The security of the new salt
will also be needed to be kept in mind. It should again be accessed by the authorized
The length of the salt will be
another concern. If it is too long and it increases the length of the total password
more than 64 bits, then it will be great issue. As we know that the blowfish
will be converting only 64 bit block on a single core, so, if the length of the
password is greater than 64 bits, then it will require one more cycle of the
blowfish to produce the cypher text which will increase the processing time by
two fold. Then the blowfish will require more cycles per match. Every match
will increase the time and it will decrease the response time of the users. This
will decrease the user experience.
So the length of the
salt should be such that it does not increase the length of the total
concatenated string to be more than 64 bits. We propose a length of 22 chars. This
will be a fairly good length for making the website secure and encryption and
matching fast. So, at last the conclusion is the use of 10 rounds and 22
character salt. These two measures will make the implementation of the blowfish
fast and more secure at the same time.Blowfish is an encryption algorithm that was made to
overcome the disadvantages of DES. It was published in 1993. It is over two
decades from now that it was published, but now also it is one of the most
popular algorithms to be used now-a-days also. This is due to the reason that
it produces a good quality cipher text which is nearly impossible to break. The
user has the liberty to choose the length of the key from 32 bit to 448 bit.
The more the number of the bits the user will use, the lower will be the chance
of the algorithm to be broken. The only thing that the blowfish demands is the
protection of the key from all the malice users. It is implemented on 64 bit
block at a single time. This is the input of the algorithm. This can be a
password, text file or any other type of data. It depends on the user what it
wants to be encrypted. This is the only thing that changes the cipher text if
the key is not changed.
The use of blowfish is easy and very secure. Almost
all the programming languages used now-a-days have predefined implementation of
blowfish. The blowfish is a patent free algorithm and anyone can use it without
any restrictions. This algorithm is easy to be modified and very easy to define
it for your personal use. As most of the algorithms present are patented by
some or the other agency, it is very important to have at least one algorithm
that is available to be used by anyone and is open for all. As it is not
patented it doesn’t mean that will be easy to break and will be very easy to
compromise anyone that uses this algorithm. Every user can define an algorithm
that is comfortable to his/her application.
One of the most important uses of blowfish is in the
password management of websites. It is very useful and secure to use blowfish
for this purpose. The blowfish generates a cypher text which is a hashed output
of the plain text and the key that is defined at a single time. The blowfish
generates the cypher text after 16 iterations in a particular way. This is
defined in the algorithm definition. This process will produce intermediate
text. After this process sub key 17th and sub key 18th
are used to produce the final output from the above produced intermediate text.
Once this cypher text of 64 bit length is produced,
it is saved in the database. No other information about the password is saved
by the company. This is what enables transparency. The admin who has the access
to the user data and who is able to read the password, name, email and other
information of the user by accessing the database, will only be able to see the
hashed password in the database. The hashed password will be of 64 bit and it
will give no clue to the admin about the password or the length of the
password. This will make the user feel secure as its password is never saved by
the company’s database and it is always better to avoid trusting anyone in such
So, now the password is not saved in the database
and only the hashed password is saved by the company. So it will raise a
thought in the mind of everyone that how will the user be allowed to login and
be authorised afterword when he demands to login into his account.
This is done by avoiding the decryption. The simple
technique used is to encrypt what user types in the password box again during
login and to pass it through the same process again and to allow it to produce
a cypher text. This cypher text is what is produced by the user during the
login trial. It will be 64 bit cypher text or hashed password in this case too.
Now to allow a user to login into his account, the user must be authorised. The
user will be authorised if the cypher text produced during the login time is
same as the cypher text stored in the database. If the hashed passwords are
same, then the user must have entered a correct password, then only it would
have produced the same cypher text.
Now, someone can argue that during the practical use
of an algorithm a particular cypher text can also be produced by two different
inputs. But talking in terms of the same cypher text to be produced by two different
inputs can have a very minute or zero per cent possibility in most of the
cases. So, finding any other input to produce the same cypher text is
The impossibility factor increases as different
websites will use different keys of different lengths and will make the guess
of the key more uncertain and more difficult. The impossibility to crack the
password can be increased by introducing the static salt by the website.
This salt is a string defined by the website and
will be added to the password entered by the user before the encryption starts.
The encryption will produce a cypher text with more uncertainty and will give
the website one more advantage. The advantage that salt will provide is,
whenever by some chance a malicious user is able to crack a password of a
particular user, it will not be able to produce a pattern out of this. He will
not be able to make a pattern as he will not get the value of the salt. If the
salt is unknown, then it will be completely impossible for the malicious user
to crack one more password by the use of previous one.
The only care that the website will have to make is
to keep the salt safe from each and every person and it should be unknown to
everyone except the most senior people of the company. These people should not
reveal this salt in front of anyone. It should be kept safe from everyone. This
impossibility makes our algorithm secure from being broken. It gives the
complete guarantee that a malicious user will not be able to find the correct
password by seeing the value present in the database.
Another approach that can be used is to use a random
or dynamic salt of certain length that will be produced for each and every user
individually. This will be produced during the signup phase of the user and
this salt will have to be stored in the database of the company for each and
every user along with other login details. During the login attempt, the salt
will be fetched from the database for a particular username and it will be
added to the password of the user and then the cypher will be produced for that
complete string. Then the further process will be same as before.
When the new user will be added a new random salt
will be produced and be saved for him. This will make the cracking of the password
completely impossible as the malicious user will have to know the password and
the particular cypher text of each and every individual to crack the website.
This is impossible to be done. This approach is out of our scope and we leave
this for future studies.