How to check which of my products use Blowfish encryption?

Posted on 2016-10-14
Last Modified: 2016-10-15
Refer to attached article.

Besides reading the product manual, is there any way I can verify if my
products has Blowfish enabled & if TwoFish is supported?

Some of encryption tools we use are Checkpoint & McAfee  HDD encryption
(to encrypt laptops & PCs HDDs), Voltage (email encryption), unknown IOS
(for iPhone/iPad) encryption, Winzip (encrypt attachments with password).

Does Veritas Netbackup V7.1 (we do disk to disk/VTL) uses Blowfish
encryption to encrypt the backups?

I suppose this article is not applicable to TLS & SSL encryption or is it?
Or is Blowfish only applicable to encryption of data at rest, not in transit?
Question by:sunhux
  • 3
  • 2
LVL 63

Assisted Solution

btan earned 500 total points
ID: 41843582
You cannot tell by just analyzing the exe or some fuzzy hashing, the crypto algo is supposed to be kept as not public info. You probably can check if you decrypt on a snapshot of the block (of 64 bit) in the encrypted bytes as Blowfish is block cipher based like the use of ECB or CBC that requires that the length is a multiple of the block size. (of course) You need the key. 

It is still safer to based on the Admin guide or configuration files - this identification will requires machine learning tool which can non-trivial and research based. For Veritas Netbackup, you probably can check out the client machine on the following configuration options are in the bp.conf file on UNIX clients (i.e. /usr/openv/netbackup/bp.conf file), and in the registry on Windows clients (ie. HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config). There should be one configuration option on "CRYPT_CIPHER" and if it has value "BF-CFB" then it is 128-bit Blowfish.

In term of block cipher for TLS & SSL encryption, it is not using Blowfish instead more of Triple-DES, and AES but the Blowfish is used as default cipher in OpenVPN (data in transit thru secure channel) . The TLS specification defines a fixed list of possible cypher-suites in Appendix A.5 ( For e.g. the cipher list in the RFC is only RC4, 3DES or AES for the symmetric encryption. Blowfish can still be used for
- data at rest (like use of bcrypt as a file encryption utility implementing Blowfish); or
- data in transit (like use for data encryption during the secure channel setup for OpenVPN or OpenSSH).

Author Comment

ID: 41843676
The products of most concern to me are:

a) Cisco & Nexus : believe they implement OpenSSH in them
b) Nokia Checkpoint & Juniper firewalls : I think I saw one of my
      netadmin colleague ssh into one of them
c) Bluecoat Proxy & Bluecoat MAA : I think they're on Ubuntu Linux
d) Solaris 10 & AIX 7.x : not sure if they're on OpenSSH but they're
     running some sort of SSH server
e) McAfee Drive Encryption : I just could not find any mention of
     Blowfish (or Twofish)  in the product brochure
f) CheckPoint Full Disk Encryption: could not find any mention of
     Blowfish (or Twofish)  in the product brochure too

For items a-d, if I issue "ssh -vvv target_device_IP", will it reveal
if Blowfish or TwoFish are enabled/available for enabling?
LVL 63

Accepted Solution

btan earned 500 total points
ID: 41843715
Yes since you go for verbose mode. Pls see this and note this is using AES instead. For blowfish it should be showing blowfish-cbc for SSH V2
Nov 15 15:11:12 delta sshd[30320]: SSH: Server;Ltype: Version;Remote:;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn12v19
Nov 15 15:11:12 delta sshd[30323]: SSH: Server;Ltype: Kex;Remote:;Enc: aes128-cbc;MAC: hmac-md5;Comp: none
If you are customer to those vendors, do have them to advise too besides doing your own test validations.

Note the preference order
For protocol version 2 cipher_spec is a comma-separated list of ciphers listed in order of preference.  The supported ciphers are
 “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128", “arcfour256”, “arcfour”, “blowfish-cbc”, and “cast128-cbc”.  

The default is

‘‘aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,  aes192-ctr,aes256-ctr’’

You may consider SSH-Audit which may be just be handy for checking out the SSH algorithm, see its feature
grab banner, recognize device or software and operating system, detect compression;

gather key-exchange, host-key, encryption and message authentication code algorithms;

output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);

output algorithm recommendations (append or remove based on recognized software version);

output security information (related issues, assigned CVE list, etc);

analyze SSH version compatibility based on algorithm information;

Author Comment

ID: 41844954

Link above has a list of products that support Twofish (from the developer):
curious if that list is exhaustive ie any product that is not in the above list
do not support Twofish?
LVL 63

Assisted Solution

btan earned 500 total points
ID: 41844985
I will not put my bet that it is comprehensive since it is best effort compilation as author is also a cryptographer. It can still serves as baseline but it did not state the version and date of the system assessed. Note that he stated "Counterpane has not verified that Twofish has been implemented properly, nor have we evaluated the security of these products. ".

The author also listed the product for Blowfish @
Included the NetBackup PureDisk and NetBackup Media Server Deduplication, not version stated though the article stated Publish:October 25, 2015

We cannot be sure but baseline will give higher confidence esp coming from this well known security guru

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
There are many Password Managers (PM) out there to choose from. PM's can help with your password habits and routines, but they should not be a crutch you rely on too heavily. I also have an article for company/enterprise PM's.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

821 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question