Solved

How to check which of my products use Blowfish encryption?

Posted on 2016-10-14
5
55 Views
Last Modified: 2016-10-15
Refer to attached article.

Besides reading the product manual, is there any way I can verify if my
products has Blowfish enabled & if TwoFish is supported?

Some of encryption tools we use are Checkpoint & McAfee  HDD encryption
(to encrypt laptops & PCs HDDs), Voltage (email encryption), unknown IOS
(for iPhone/iPad) encryption, Winzip (encrypt attachments with password).

Does Veritas Netbackup V7.1 (we do disk to disk/VTL) uses Blowfish
encryption to encrypt the backups?

I suppose this article is not applicable to TLS & SSL encryption or is it?
Or is Blowfish only applicable to encryption of data at rest, not in transit?
BlwFshEncryptn.docx
0
Comment
Question by:sunhux
  • 3
  • 2
5 Comments
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 41843582
You cannot tell by just analyzing the exe or some fuzzy hashing, the crypto algo is supposed to be kept as not public info. You probably can check if you decrypt on a snapshot of the block (of 64 bit) in the encrypted bytes as Blowfish is block cipher based like the use of ECB or CBC that requires that the length is a multiple of the block size. (of course) You need the key. http://tripledes.online-domain-tools.com/  

It is still safer to based on the Admin guide or configuration files - this identification will requires machine learning tool which can non-trivial and research based. For Veritas Netbackup, you probably can check out the client machine on the following configuration options are in the bp.conf file on UNIX clients (i.e. /usr/openv/netbackup/bp.conf file), and in the registry on Windows clients (ie. HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config). There should be one configuration option on "CRYPT_CIPHER" and if it has value "BF-CFB" then it is 128-bit Blowfish.

In term of block cipher for TLS & SSL encryption, it is not using Blowfish instead more of Triple-DES, and AES but the Blowfish is used as default cipher in OpenVPN (data in transit thru secure channel) . The TLS specification defines a fixed list of possible cypher-suites in Appendix A.5 (https://tools.ietf.org/html/rfc5246#appendix-A.5). For e.g. the cipher list in the RFC is only RC4, 3DES or AES for the symmetric encryption. Blowfish can still be used for
- data at rest (like use of bcrypt as a file encryption utility implementing Blowfish); or
- data in transit (like use for data encryption during the secure channel setup for OpenVPN or OpenSSH).
0
 

Author Comment

by:sunhux
ID: 41843676
The products of most concern to me are:

a) Cisco & Nexus : believe they implement OpenSSH in them
b) Nokia Checkpoint & Juniper firewalls : I think I saw one of my
      netadmin colleague ssh into one of them
c) Bluecoat Proxy & Bluecoat MAA : I think they're on Ubuntu Linux
d) Solaris 10 & AIX 7.x : not sure if they're on OpenSSH but they're
     running some sort of SSH server
e) McAfee Drive Encryption : I just could not find any mention of
     Blowfish (or Twofish)  in the product brochure
f) CheckPoint Full Disk Encryption: could not find any mention of
     Blowfish (or Twofish)  in the product brochure too

For items a-d, if I issue "ssh -vvv target_device_IP", will it reveal
if Blowfish or TwoFish are enabled/available for enabling?
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 41843715
Yes since you go for verbose mode. Pls see this and note this is using AES instead. For blowfish it should be showing blowfish-cbc for SSH V2
Nov 15 15:11:12 delta sshd[30320]: SSH: Server;Ltype: Version;Remote: 130.59.1.1-38262;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn12v19
Nov 15 15:11:12 delta sshd[30323]: SSH: Server;Ltype: Kex;Remote: 130.59.1.1-38262;Enc: aes128-cbc;MAC: hmac-md5;Comp: none
If you are customer to those vendors, do have them to advise too besides doing your own test validations.

Note the preference order
For protocol version 2 cipher_spec is a comma-separated list of ciphers listed in order of preference.  The supported ciphers are
 “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128", “arcfour256”, “arcfour”, “blowfish-cbc”, and “cast128-cbc”.  

The default is

‘‘aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,  aes192-ctr,aes256-ctr’’
http://linuxcommand.org/man_pages/ssh1.html

You may consider SSH-Audit which may be just be handy for checking out the SSH algorithm, see its feature
grab banner, recognize device or software and operating system, detect compression;


gather key-exchange, host-key, encryption and message authentication code algorithms;

output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);

output algorithm recommendations (append or remove based on recognized software version);

output security information (related issues, assigned CVE list, etc);

analyze SSH version compatibility based on algorithm information;
https://github.com/arthepsy/ssh-audit
0
 

Author Comment

by:sunhux
ID: 41844954
https://www.schneier.com/academic/twofish/products.html

Link above has a list of products that support Twofish (from the developer):
curious if that list is exhaustive ie any product that is not in the above list
do not support Twofish?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 41844985
I will not put my bet that it is comprehensive since it is best effort compilation as author is also a cryptographer. It can still serves as baseline but it did not state the version and date of the system assessed. Note that he stated "Counterpane has not verified that Twofish has been implemented properly, nor have we evaluated the security of these products. ".

The author also listed the product for Blowfish @ https://www.schneier.com/academic/blowfish/products.html
Included the NetBackup PureDisk and NetBackup Media Server Deduplication, not version stated though the article stated Publish:October 25, 2015

We cannot be sure but baseline will give higher confidence esp coming from this well known security guru
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

The article will include the best Data Recovery Tools along with their Features, Capabilities, and their Download Links. Hope you’ll enjoy it and will choose the one as required by you.
Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now