Blowfish standard deviation (PHP/java)?

I

inotocracy

Supreme [H]ardness
Joined
Jul 25, 2004
Messages
5,625
So there is this library in Java, Blowfishj which has a class called BlowfishEasy. It essentially removes any complication from encrypting a string, but it also adds a bit of complexity (and anger) if you have to decrypt this string using a different language since the BlowfishEasy implementation pushes the IV into the front of the encrypted result. The problem is, I have to take some encrypted data generated by BlowfishEasy and decrypt it in a different language, which means a different Blowfish library. Normally this wouldn't be an issue, but since the client is using BlowfishEasy it is. I've tried to pull the IV out of the encrypted string but I'm having NO luck. Any Java gurus here with PHP experience mind helping me out on this?

Here is the blowfisheasy class:

https://opensource.at.northwestern....ce/encryption-src/BlowfishJ/BlowfishEasy.java

On line 107 you'll notice that the IV is randomly generated in the encryption call, and then on line 148 it returns the IV + the result as one string. Now in the decrypt call, on line 169 it calls binHexToBytes which extracts the IV from the encrypted string. The method is near the bottom of this source file:

https://opensource.at.northwestern....ce/encryption-src/BlowfishJ/BinConverter.java

What I want to do is be able to extract that IV from the encrypted string (that was generated by BlowfishEasy) so that I can decrypt it properly in a different library/language. The language I need to do the decryption is in PHP. Any code examples or guides on how to do this would be fan-fuggin-tastick as I'm pulling my hair out here.
 
From the Java side, it could be a small bit of work but you could re implement using the regular Java crypto tools, they really are not that tough to use. Blowfish is actually provided in the standard JDK by the SunJCE.

Use an initialized Cipher together with a CipherOutputStream, pass the string through the stream and on its way to whatever you need to decrypt it. You can use Cipher.getIV() to get the initial vector.

Some code:
(May not be completely correct semantically but this should compile as an example)
Code: 
import java.io.OutputStream;
import java.io.PrintWriter;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import javax.crypto.Cipher;
import javax.crypto.CipherOutputStream;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;


public class Test {

	private Test(){}
	
	/**
	 * @param args
	 */
	public static void main(String[] args){
	    
	    Cipher cipher;
	    Key key;
	    
	 	/* You fill in an outputStream of your choice as the destination.
	 	 * Could be a file, socket, whatever OutputStream you want.
	 	 */
	    OutputStream out = System.out;
	    
	    /* We'll be using regular text as our input */
	    PrintWriter writer;
	    
	    /* The cipher decorator for the outputStream */
	    CipherOutputStream cipherOut;
		try {
			cipher = Cipher.getInstance("Blowfish/ECB/NoPadding");
			
			/* Random Key for example purposes */
			key = KeyGenerator.getInstance("Blowfish").generateKey();
			
			/* Initialize Cipher */
			cipher.init(Cipher.ENCRYPT_MODE, key);
			
			/* Allocate and Initialize cipher stream*/
			cipherOut = new CipherOutputStream(out, cipher);
			
			/* Allocate your writer */
			writer = new PrintWriter(cipherOut);
			
			/* Write your message */
			writer.println("Hello, World!");
			writer.flush();

		} catch (NoSuchAlgorithmException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		} catch (NoSuchPaddingException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}catch (InvalidKeyException e) {
			// TODO Auto-generated catch block
			e.printStackTrace();
		}
	
	}

}
 
Thank you, but the issue is I need to reimplement the IV extraction on the PHP side. The client is using BlowfishEasy in java which does the random IV generation and prefix to the encrypted string. Problem is I need to be able to pull out that IV in PHP so that I can decrypt it properly. :mad:
 
inotocracy said:
Thank you, but the issue is I need to reimplement the IV extraction on the PHP side. The client is using BlowfishEasy in java which does the random IV generation and prefix to the encrypted string. Problem is I need to be able to pull out that IV in PHP so that I can decrypt it properly. :mad:
Click to expand...

My bad, I thought you could opt to not use BlowfishEasy.
 
Unfortunately its not an option, grr.. The funny part is that library references BlowfishCBC (same package) to do the main encrypt calls, which handles IVs fine if you interface directly. VERY frustrating.
 
Solved the issue in case anyone was curious-- after a day of binary string comparisons, the problem related to BlowfishEasy utilizing Unicode in the IV, where as PHP does not support unicode properly so some hacks had to be made to handle it properly.
 
You must log in or register to reply here.
Back
Top