[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 199
  • Last Modified:

How to check which of my products use Blowfish encryption?

Refer to attached article.

Besides reading the product manual, is there any way I can verify if my
products has Blowfish enabled & if TwoFish is supported?

Some of encryption tools we use are Checkpoint & McAfee  HDD encryption
(to encrypt laptops & PCs HDDs), Voltage (email encryption), unknown IOS
(for iPhone/iPad) encryption, Winzip (encrypt attachments with password).

Does Veritas Netbackup V7.1 (we do disk to disk/VTL) uses Blowfish
encryption to encrypt the backups?

I suppose this article is not applicable to TLS & SSL encryption or is it?
Or is Blowfish only applicable to encryption of data at rest, not in transit?
BlwFshEncryptn.docx
0
sunhux
Asked:
sunhux
  • 3
  • 2
3 Solutions
 
btanExec ConsultantCommented:
You cannot tell by just analyzing the exe or some fuzzy hashing, the crypto algo is supposed to be kept as not public info. You probably can check if you decrypt on a snapshot of the block (of 64 bit) in the encrypted bytes as Blowfish is block cipher based like the use of ECB or CBC that requires that the length is a multiple of the block size. (of course) You need the key. http://tripledes.online-domain-tools.com/ 

It is still safer to based on the Admin guide or configuration files - this identification will requires machine learning tool which can non-trivial and research based. For Veritas Netbackup, you probably can check out the client machine on the following configuration options are in the bp.conf file on UNIX clients (i.e. /usr/openv/netbackup/bp.conf file), and in the registry on Windows clients (ie. HKEY_LOCAL_MACHINE\SOFTWARE\Veritas\NetBackup\CurrentVersion\Config). There should be one configuration option on "CRYPT_CIPHER" and if it has value "BF-CFB" then it is 128-bit Blowfish.

In term of block cipher for TLS & SSL encryption, it is not using Blowfish instead more of Triple-DES, and AES but the Blowfish is used as default cipher in OpenVPN (data in transit thru secure channel) . The TLS specification defines a fixed list of possible cypher-suites in Appendix A.5 (https://tools.ietf.org/html/rfc5246#appendix-A.5). For e.g. the cipher list in the RFC is only RC4, 3DES or AES for the symmetric encryption. Blowfish can still be used for
- data at rest (like use of bcrypt as a file encryption utility implementing Blowfish); or
- data in transit (like use for data encryption during the secure channel setup for OpenVPN or OpenSSH).
0
 
sunhuxAuthor Commented:
The products of most concern to me are:

a) Cisco & Nexus : believe they implement OpenSSH in them
b) Nokia Checkpoint & Juniper firewalls : I think I saw one of my
      netadmin colleague ssh into one of them
c) Bluecoat Proxy & Bluecoat MAA : I think they're on Ubuntu Linux
d) Solaris 10 & AIX 7.x : not sure if they're on OpenSSH but they're
     running some sort of SSH server
e) McAfee Drive Encryption : I just could not find any mention of
     Blowfish (or Twofish)  in the product brochure
f) CheckPoint Full Disk Encryption: could not find any mention of
     Blowfish (or Twofish)  in the product brochure too

For items a-d, if I issue "ssh -vvv target_device_IP", will it reveal
if Blowfish or TwoFish are enabled/available for enabling?
0
 
btanExec ConsultantCommented:
Yes since you go for verbose mode. Pls see this and note this is using AES instead. For blowfish it should be showing blowfish-cbc for SSH V2
Nov 15 15:11:12 delta sshd[30320]: SSH: Server;Ltype: Version;Remote: 130.59.1.1-38262;Protocol: 2.0;Client: OpenSSH_4.7p1-hpn12v19
Nov 15 15:11:12 delta sshd[30323]: SSH: Server;Ltype: Kex;Remote: 130.59.1.1-38262;Enc: aes128-cbc;MAC: hmac-md5;Comp: none
If you are customer to those vendors, do have them to advise too besides doing your own test validations.

Note the preference order
For protocol version 2 cipher_spec is a comma-separated list of ciphers listed in order of preference.  The supported ciphers are
 “3des-cbc”, “aes128-cbc”, “aes192-cbc”, “aes256-cbc”, “aes128-ctr”, “aes192-ctr”, “aes256-ctr”, “arcfour128", “arcfour256”, “arcfour”, “blowfish-cbc”, and “cast128-cbc”.  

The default is

‘‘aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128, arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,  aes192-ctr,aes256-ctr’’
http://linuxcommand.org/man_pages/ssh1.html

You may consider SSH-Audit which may be just be handy for checking out the SSH algorithm, see its feature
grab banner, recognize device or software and operating system, detect compression;


gather key-exchange, host-key, encryption and message authentication code algorithms;

output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);

output algorithm recommendations (append or remove based on recognized software version);

output security information (related issues, assigned CVE list, etc);

analyze SSH version compatibility based on algorithm information;
https://github.com/arthepsy/ssh-audit
0
 
sunhuxAuthor Commented:
https://www.schneier.com/academic/twofish/products.html

Link above has a list of products that support Twofish (from the developer):
curious if that list is exhaustive ie any product that is not in the above list
do not support Twofish?
0
 
btanExec ConsultantCommented:
I will not put my bet that it is comprehensive since it is best effort compilation as author is also a cryptographer. It can still serves as baseline but it did not state the version and date of the system assessed. Note that he stated "Counterpane has not verified that Twofish has been implemented properly, nor have we evaluated the security of these products. ".

The author also listed the product for Blowfish @ https://www.schneier.com/academic/blowfish/products.html
Included the NetBackup PureDisk and NetBackup Media Server Deduplication, not version stated though the article stated Publish:October 25, 2015

We cannot be sure but baseline will give higher confidence esp coming from this well known security guru
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now