I get the following error if I give a key that is greater than 64 hex caracters (64*4=256 bits).
According to this official document, blowfish is able to support key from 32 to 448 bits.
Variable key length: 32 bits to 448 bits
Is it possible to bypass this limitation? What's wrong?
The actual key size is big enough, but I would like to have the most security as possible.
Thanks,
While the algorithm itself supports a variable key length of up to 448 bits, OpenSSL's implementation of it is limited to 256 bits. I found several pages referring to this limitation; this one has a nice table: http://etutorials.org/Programming/secure+programming/Chapter+5.+Symmetric+Encryption/5.18+Using+Variable+Key-Length+Ciphers+in+OpenSSL/
There is no meaningful cryptographic difference between a 256-bit and 448-bit symmetric key. Nobody sane is going to try to brute-force a 256-bit blowfish symmetric cipher.
This was written in 1999, but still holds true: https://www.schneier.com/crypto-gram-9902.html#snakeoil
Actually, there is a tiny bug in the openssl program. It allows key of length up to 256 bits, but in fact, only the first 128 bits are used for the blowfish key. The only way to use a longer key is to write a program using the lib.
By using the -p option in the enc, we can verify that the key used is a 128 bits key :
echo toto | openssl enc -bf-cbc -K 000000000000000000000000000000000000000000000000000000 -iv 0 -a -p
Result :
salt=801D670000000000
key=00000000000000000000000000000000
iv =0000000000000000
5XAXlTvP0ZE=
I recently discoverd the security site of stackexchange and asked the same question. Brendan gave me the following answer.
Should I delete this question?
