In this paper we are performencryption using blowfish algorithm using salt and we . The blowfish algorithmis used for encryption of the data and it converts a 64 bit block of input to a64 bit cypher text. This conversion is done by the use of a key which is of predefinedlength of 32-448 bits.
Normally the basic algorithm consists of 16 rounds in asingle process, but to reduce the time of the conversion and password matchingwe are proposing to use only 10 rounds in the conversion of data to cyphertext. This is very minor change but the actual impact of saving 6 rounds ishuge. This will make the process faster and it will still be unbreakable. This decision is made on theexperimental basis as it is defined that the number of rounds increases thesecurity and the level of security but only up to certain level. After thethreshold number of rounds is completed, it does not depend on how many roundsare made after the last round.
It will only increase the time it will require toencrypt the data and the feasibility will be decreased. If we only use thethreshold number of rounds, it will be time efficient without compromising thesecurity of the algorithm.So we are proposing the use of 10rounds in the algorithm. It will save 6 rounds for every time the user tries toregister to the website or he tries to login into the website. This will be forall the users. It will save the server processing time.
The benefit of thisalgorithm depends on the number of users present in the company’s database. If theusers are less, then the benefit will be quiet low but on the other hand if thenumber of users will be more than the benefit will be fairly high. Another approach we are proposingis the use of salt in the password before the encryption. The password isusually of a limited length of 10-15 characters. We have proposed to add astatic salt of 22 characters so that we can ensure the safety of all the otherclients if one of the passwords is able to be broken. If a malice user is ableto break any one of the user’s password, it will have a lot of probability thatit will be able to generate a pattern to crack all the passwords by generatinga key and the security of all the users will be at a risk then.This problem can be prevented bythe help of this salt.
We can use a string of a particular length that will bekept secret and will be prevented to be accessed by anyone other than authorizedpeople. This salt will be added to the password entered by the user and thisconcatenated string will be used for the encryption. The cypher text generatedby this concatenated string will be stored in the database and this will beused to authorize the user when he/she tries to login to the website.The secrecy of this salt will be aconcern. It should be kept secret with the company as user’s security will be dependingon this. If the malice user or any user other than the authorized one gets theaccess of this salt string, then he can make it public and then all thepasswords of the users will be at a risk.
The prevention will require companyto generate hashed password for every user once again. The security of the new saltwill also be needed to be kept in mind. It should again be accessed by the authorizedpersonnel only. The length of the salt will beanother concern. If it is too long and it increases the length of the total passwordmore than 64 bits, then it will be great issue.
As we know that the blowfishwill be converting only 64 bit block on a single core, so, if the length of thepassword is greater than 64 bits, then it will require one more cycle of theblowfish to produce the cypher text which will increase the processing time bytwo fold. Then the blowfish will require more cycles per match. Every matchwill increase the time and it will decrease the response time of the users. Thiswill decrease the user experience.So the length of thesalt should be such that it does not increase the length of the totalconcatenated string to be more than 64 bits. We propose a length of 22 chars. Thiswill be a fairly good length for making the website secure and encryption andmatching fast.
So, at last the conclusion is the use of 10 rounds and 22character salt. These two measures will make the implementation of the blowfishfast and more secure at the same time.Blowfish is an encryption algorithm that was made toovercome the disadvantages of DES.
It was published in 1993. It is over twodecades from now that it was published, but now also it is one of the mostpopular algorithms to be used now-a-days also. This is due to the reason thatit produces a good quality cipher text which is nearly impossible to break. Theuser has the liberty to choose the length of the key from 32 bit to 448 bit.The more the number of the bits the user will use, the lower will be the chanceof the algorithm to be broken. The only thing that the blowfish demands is theprotection of the key from all the malice users. It is implemented on 64 bitblock at a single time.
This is the input of the algorithm. This can be apassword, text file or any other type of data. It depends on the user what itwants to be encrypted.
This is the only thing that changes the cipher text ifthe key is not changed.The use of blowfish is easy and very secure. Almostall the programming languages used now-a-days have predefined implementation ofblowfish. The blowfish is a patent free algorithm and anyone can use it withoutany restrictions. This algorithm is easy to be modified and very easy to defineit for your personal use. As most of the algorithms present are patented bysome or the other agency, it is very important to have at least one algorithmthat is available to be used by anyone and is open for all. As it is notpatented it doesn’t mean that will be easy to break and will be very easy tocompromise anyone that uses this algorithm.
Every user can define an algorithmthat is comfortable to his/her application.One of the most important uses of blowfish is in thepassword management of websites. It is very useful and secure to use blowfishfor this purpose. The blowfish generates a cypher text which is a hashed outputof the plain text and the key that is defined at a single time. The blowfishgenerates the cypher text after 16 iterations in a particular way. This isdefined in the algorithm definition.
This process will produce intermediatetext. After this process sub key 17th and sub key 18thare used to produce the final output from the above produced intermediate text.Once this cypher text of 64 bit length is produced,it is saved in the database. No other information about the password is savedby the company. This is what enables transparency. The admin who has the accessto the user data and who is able to read the password, name, email and otherinformation of the user by accessing the database, will only be able to see thehashed password in the database. The hashed password will be of 64 bit and itwill give no clue to the admin about the password or the length of thepassword. This will make the user feel secure as its password is never saved bythe company’s database and it is always better to avoid trusting anyone in sucha case.
So, now the password is not saved in the databaseand only the hashed password is saved by the company. So it will raise athought in the mind of everyone that how will the user be allowed to login andbe authorised afterword when he demands to login into his account. This is done by avoiding the decryption. The simpletechnique used is to encrypt what user types in the password box again duringlogin and to pass it through the same process again and to allow it to producea cypher text.
This cypher text is what is produced by the user during thelogin trial. It will be 64 bit cypher text or hashed password in this case too.Now to allow a user to login into his account, the user must be authorised. Theuser will be authorised if the cypher text produced during the login time issame as the cypher text stored in the database. If the hashed passwords aresame, then the user must have entered a correct password, then only it wouldhave produced the same cypher text.Now, someone can argue that during the practical useof an algorithm a particular cypher text can also be produced by two differentinputs. But talking in terms of the same cypher text to be produced by two differentinputs can have a very minute or zero per cent possibility in most of thecases.
So, finding any other input to produce the same cypher text isultimately impossible. The impossibility factor increases as differentwebsites will use different keys of different lengths and will make the guessof the key more uncertain and more difficult. The impossibility to crack thepassword can be increased by introducing the static salt by the website. This salt is a string defined by the website andwill be added to the password entered by the user before the encryption starts.The encryption will produce a cypher text with more uncertainty and will givethe website one more advantage. The advantage that salt will provide is,whenever by some chance a malicious user is able to crack a password of aparticular user, it will not be able to produce a pattern out of this.
He willnot be able to make a pattern as he will not get the value of the salt. If thesalt is unknown, then it will be completely impossible for the malicious userto crack one more password by the use of previous one.The only care that the website will have to make isto keep the salt safe from each and every person and it should be unknown toeveryone except the most senior people of the company. These people should notreveal this salt in front of anyone.
It should be kept safe from everyone. Thisimpossibility makes our algorithm secure from being broken. It gives thecomplete guarantee that a malicious user will not be able to find the correctpassword by seeing the value present in the database.Another approach that can be used is to use a randomor dynamic salt of certain length that will be produced for each and every userindividually. This will be produced during the signup phase of the user andthis salt will have to be stored in the database of the company for each andevery user along with other login details. During the login attempt, the saltwill be fetched from the database for a particular username and it will beadded to the password of the user and then the cypher will be produced for thatcomplete string.
Then the further process will be same as before.When the new user will be added a new random saltwill be produced and be saved for him. This will make the cracking of the passwordcompletely impossible as the malicious user will have to know the password andthe particular cypher text of each and every individual to crack the website.This is impossible to be done.
This approach is out of our scope and we leavethis for future studies.