How to check which of my products use Blowfish encryption?

Posted on 2016-10-14
Last Modified: 2016-10-15
Refer to attached article.

Besides reading the product manual, is there any way I can verify if my
products has Blowfish enabled & if TwoFish is supported?

Some of encryption tools we use are Checkpoint & McAfee  HDD encryption
(to encrypt laptops & PCs HDDs), Voltage (email encryption), unknown IOS
(for iPhone/iPad) encryption, Winzip (encrypt attachments with password).

Does Veritas Netbackup V7.1 (we do disk to disk/VTL) uses Blowfish
encryption to encrypt the backups?

I suppose this article is not applicable to TLS & SSL encryption or is it?
Or is Blowfish only applicable to encryption of data at rest, not in transit?
Question by:sunhux
  • 3
  • 2
LVL 62

Assisted Solution

btan earned 500 total points
ID: 41843582
You cannot tell by just analyzing the exe or some fuzzy hashing, the crypto algo is supposed to be kept as not public info. You probably can check if you decrypt on a snapshot of the block (of 64 bit) in the encrypted bytes as Blowfish is block cipher based like the use of ECB or CBC that requires that the length is a multiple of the block size. (of course) You need the key. 

It is still safer to based on the Admin guide or configuration files - this identification will requires machine learning tool which can non-trivial and research based. For Veritas Netbackup, you probably can check out the client machine on the following configuration options are in the bp.conf file on UNIX clients (i.e. /usr/openv/netbackup/bp.conf file), and in the registry on Windows clients (ie. HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config). There should be one configuration option on "CRYPT_CIPHER" and if it has value "BF-CFB" then it is 128-bit Blowfish.

In term of block cipher for TLS & SSL encryption, it is not using Blowfish instead more of Triple-DES, and AES but the Blowfish is used as default cipher in OpenVPN (data in transit thru secure channel) . The TLS specification defines a fixed list of possible cypher-suites in Appendix A.5 ( For e.g. the cipher list in the RFC is only RC4, 3DES or AES for the symmetric encryption. Blowfish can still be used for
- data at rest (like use of bcrypt as a file encryption utility implementing Blowfish); or
- data in transit (like use for data encryption during the secure channel setup for OpenVPN or OpenSSH).

Author Comment

ID: 41843676
The products of most concern to me are:

a) Cisco & Nexus : believe they implement OpenSSH in them
b) Nokia Checkpoint & Juniper firewalls : I think I saw one of my
      netadmin colleague ssh into one of them
c) Bluecoat Proxy & Bluecoat MAA : I think they're on Ubuntu Linux
d) Solaris 10 & AIX 7.x : not sure if they're on OpenSSH but they're
     running some sort of SSH server
e) McAfee Drive Encryption : I just could not find any mention of
     Blowfish (or Twofish)  in the product brochure
f) CheckPoint Full Disk Encryption: could not find any mention of
     Blowfish (or Twofish)  in the product brochure too

For items a-d, if I issue "ssh -vvv target_device_IP", will it reveal
if Blowfish or TwoFish are enabled/available for enabling?
LVL 62

Accepted Solution

btan earned 500 total points
ID: 41843715
Yes since you go for verbose mode. Pls see this and note this is using AES instead. For blowfish it should be showing blowfish-cbc for SSH V2
Nov 15 15:11:12 delta sshd[30320]: SSH: Server;Ltype: Version;Remote:;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn12v19
Nov 15 15:11:12 delta sshd[30323]: SSH: Server;Ltype: Kex;Remote:;Enc: aes128-cbc;MAC: hmac-md5;Comp: none
If you are customer to those vendors, do have them to advise too besides doing your own test validations.

Note the preference order
For protocol version 2 cipher_spec is a comma-separated list of ciphers listed in order of preference.  The supported ciphers are
 “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128", “arcfour256”, “arcfour”, “blowfish-cbc”, and “cast128-cbc”.  

The default is

‘‘aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,  aes192-ctr,aes256-ctr’’

You may consider SSH-Audit which may be just be handy for checking out the SSH algorithm, see its feature
grab banner, recognize device or software and operating system, detect compression;

gather key-exchange, host-key, encryption and message authentication code algorithms;

output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);

output algorithm recommendations (append or remove based on recognized software version);

output security information (related issues, assigned CVE list, etc);

analyze SSH version compatibility based on algorithm information;

Author Comment

ID: 41844954

Link above has a list of products that support Twofish (from the developer):
curious if that list is exhaustive ie any product that is not in the above list
do not support Twofish?
LVL 62

Assisted Solution

btan earned 500 total points
ID: 41844985
I will not put my bet that it is comprehensive since it is best effort compilation as author is also a cryptographer. It can still serves as baseline but it did not state the version and date of the system assessed. Note that he stated "Counterpane has not verified that Twofish has been implemented properly, nor have we evaluated the security of these products. ".

The author also listed the product for Blowfish @
Included the NetBackup PureDisk and NetBackup Media Server Deduplication, not version stated though the article stated Publish:October 25, 2015

We cannot be sure but baseline will give higher confidence esp coming from this well known security guru

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Veeam backup Catalog 6 84
mysql Encryption with PHP 8 94
Sophos EC migration to Cloud. 1 84
"Google Drive" not show in "My Files" on Samsung Galaxy Tab A 12 76
Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

939 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now