

How to check which of my products use Blowfish encryption?

Posted on 2016-10-14
Medium Priority
Last Modified: 2016-10-15
Refer to attached article.

Besides reading the product manual, is there any way I can verify if my
products have Blowfish enabled & if TwoFish is supported?

Some of the encryption tools we use are Checkpoint & McAfee HDD encryption
(to encrypt laptops & PCs HDDs), Voltage (email encryption), unknown IOS
(for iPhone/iPad) encryption, Winzip (encrypt attachments with password).

Does Veritas Netbackup V7.1 (we do disk to disk/VTL) use Blowfish
encryption to encrypt the backups?

I suppose this article is not applicable to TLS & SSL encryption or is it?
Or is Blowfish only applicable to encryption of data at rest, not in transit?
Question by:sunhux
LVL 65

Assisted Solution

btan earned 2000 total points
ID: 41843582
You cannot tell just by analyzing the exe or by some fuzzy hashing; the crypto algo is supposed to be kept as non-public info. You can probably check by decrypting a snapshot of a block (of 64 bits) in the encrypted bytes, as Blowfish is a block cipher and modes like ECB or CBC require that the length is a multiple of the block size. (Of course) you need the key. http://tripledes.online-domain-tools.com/

It is still safer to rely on the Admin guide or configuration files; this identification would require a machine learning tool, which can be non-trivial and research based. For Veritas Netbackup, you can probably check the client machine: the following configuration options are in the bp.conf file on UNIX clients (i.e. /usr/openv/netbackup/bp.conf), and in the registry on Windows clients (i.e. HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config). There should be a configuration option "CRYPT_CIPHER", and if it has the value "BF-CFB" then it is 128-bit Blowfish.

In terms of block ciphers for TLS & SSL encryption, it does not use Blowfish but rather Triple-DES and AES; Blowfish is, however, used as the default cipher in OpenVPN (data in transit through a secure channel). The TLS specification defines a fixed list of possible cipher suites in Appendix A.5 (https://tools.ietf.org/html/rfc5246#appendix-A.5). E.g. the cipher list in the RFC is only RC4, 3DES or AES for the symmetric encryption. Blowfish can still be used for
- data at rest (like use of bcrypt as a file encryption utility implementing Blowfish); or
- data in transit (like use for data encryption during the secure channel setup for OpenVPN or OpenSSH).

Author Comment

ID: 41843676
The products of most concern to me are:

a) Cisco & Nexus: believe they implement OpenSSH in them
b) Nokia Checkpoint & Juniper firewalls: I think I saw one of my netadmin colleagues ssh into one of them
c) Bluecoat Proxy & Bluecoat MAA: I think they're on Ubuntu Linux
d) Solaris 10 & AIX 7.x: not sure if they're on OpenSSH but they're running some sort of SSH server
e) McAfee Drive Encryption: I just could not find any mention of Blowfish (or Twofish) in the product brochure
f) CheckPoint Full Disk Encryption: could not find any mention of Blowfish (or Twofish) in the product brochure too

For items a-d, if I issue "ssh -vvv target_device_IP", will it reveal
if Blowfish or TwoFish are enabled/available for enabling?
LVL 65

Accepted Solution

btan earned 2000 total points
ID: 41843715
Yes, since you go for verbose mode. Please see this, and note this is using AES instead. For Blowfish it should show blowfish-cbc for SSH v2:

Nov 15 15:11:12 delta sshd[30320]: SSH: Server;Ltype: Version;Remote:;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn12v19
Nov 15 15:11:12 delta sshd[30323]: SSH: Server;Ltype: Kex;Remote:;Enc: aes128-cbc;MAC: hmac-md5;Comp: none

If you are a customer of those vendors, do have them advise too, besides doing your own test validations.

Note the preference order:
For protocol version 2, cipher_spec is a comma-separated list of ciphers listed in order of preference. The supported ciphers are
“3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128”, “arcfour256”, “arcfour”, “blowfish-cbc”, and “cast128-cbc”.

The default is

“aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr”

You may consider SSH-Audit, which may just be handy for checking out the SSH algorithms; see its features:
- grab banner, recognize device or software and operating system, detect compression;
- gather key-exchange, host-key, encryption and message authentication code algorithms;
- output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
- output algorithm recommendations (append or remove based on recognized software version);
- output security information (related issues, assigned CVE list, etc);
- analyze SSH version compatibility based on algorithm information;
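
The following is an added example, not part of the answer above or of any tool named in the thread. The negotiated cipher shown by verbose mode can be AES while the server still offers Blowfish, so this script reads `ssh -vvv` output and reports the ciphers in the server's own KEXINIT proposal. It assumes the labelled "peer server KEXINIT proposal" layout printed by recent OpenSSH clients; the function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list what the SERVER offers, not just
# what was negotiated. Assumes the labelled KEXINIT layout of recent OpenSSH.

# Ciphers from the "peer server KEXINIT proposal" section, one per line.
server_ciphers() {
    awk '
        /KEXINIT proposal/ { peer = ($0 ~ /peer server KEXINIT proposal/); next }
        peer && /ciphers (ctos|stoc): / {
            sub(/^.*ciphers (ctos|stoc): /, ""); sub(/\r$/, "")
            n = split($0, c, ",")
            for (i = 1; i <= n; i++)
                if (!(c[i] in seen)) { seen[c[i]] = 1; print c[i] }
        }'
}

# Cipher actually chosen for this session (server->client direction).
negotiated_cipher() {
    sed -n 's/^debug1: kex: server->client cipher: \([^ ]*\).*/\1/p' | head -n 1
}

# One-line summary; reads `ssh -vvv` output on stdin.
audit() {
    log=$(cat)
    fish=$(printf '%s\n' "$log" | server_ciphers |
           { grep -iE 'blowfish|twofish' || true; } | paste -sd, -)
    used=$(printf '%s\n' "$log" | negotiated_cipher)
    echo "negotiated=${used:-unknown} fish_offered=${fish:-none}"
}

# Constructed sample of `ssh -vvv` debug output (not captured from a real device).
sample_log() {
cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: ciphers ctos: aes128-ctr,aes256-ctr
debug2: ciphers stoc: aes128-ctr,aes256-ctr
debug2: peer server KEXINIT proposal
debug2: ciphers ctos: aes128-ctr,aes128-cbc,3des-cbc,blowfish-cbc
debug2: ciphers stoc: aes128-ctr,aes128-cbc,3des-cbc,blowfish-cbc
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
EOF
}

sample_log | audit
# Live use: ssh -vvv -o BatchMode=yes target_device_IP exit 2>&1 | audit
```

The key exchange happens before authentication, so the proposal lines appear even when the login itself is refused.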

Author Comment

ID: 41844954

Link above has a list of products that support Twofish (from the developer):
curious if that list is exhaustive, i.e. any product that is not in the above list
does not support Twofish?
LVL 65

Assisted Solution

btan earned 2000 total points
ID: 41844985
I would not bet that it is comprehensive, since it is a best-effort compilation, as the author is also a cryptographer. It can still serve as a baseline, but it did not state the version and date of the system assessed. Note that he stated "Counterpane has not verified that Twofish has been implemented properly, nor have we evaluated the security of these products."

The author also listed the products for Blowfish @ https://www.schneier.com/academic/blowfish/products.html
It included NetBackup PureDisk and NetBackup Media Server Deduplication, no version stated, though the article stated Publish: October 25, 2015

We cannot be sure, but the baseline will give higher confidence, esp. coming from this well-known security guru.


Question has a verified solution.
