10

This may sound like a strange question, and it feels a bit bizarre that I actually have to ask this, but after spending a couple hours looking over the MSDN documentation for the bcrypt routines that were added in Vista, I've almost reached the conclusion that there is no actual bcrypt support!

According to Wikipedia:

bcrypt is an adaptive cryptographic hash function for passwords ... based on the Blowfish cipher ... Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive hash: over time it can be made slower and slower so it remains resistant to specific brute-force search attacks against the hash and the salt.

However, from the documentation on MSDN, the "bcrypt" library is apparently actually a generic interface for encryption and hashing. You have to obtain a handle to an "algorithm provider" via the BCryptOpenAlgorithmProvider function, which has several built-in algorithms to choose from. But the word "blowfish" does not appear anywhere in the list.

So am I missing something? Am I reading this wrong? Or does Windows's "bcrypt" library not actually support bcrypt at all?

jww
  • 97,681
  • 90
  • 411
  • 885
Mason Wheeler
  • 82,511
  • 50
  • 270
  • 477
  • 3
    It rather looks like `bcrypt` is a codename for next generation cryptography API in Windows, and is not connected to wiki-described bcrypt function. – Roman R. Mar 15 '12 at 10:07

2 Answers2

8

In the context of the MSDN, BCrypt is a shortform of "BestCrypt", but the PR name for it is:

Cryptography API: Next Generation (Cng)

It is implemented in bcrypt.dll.

BestCrypt/BCrypt/Cng is the successor to the older CryptoAPI.

Microsoft is slowly removing references to "BestCrypt" from their site, but you can still see it in some pages like:

SHA256Cng Class

This algorithm is for hashing only and does not provide any encryption or decryption. It uses the BCrypt (BestCrypt) layer CNG.

It's interesting (to me anyway) that the .NET framework generally can provide you three implementations for the each kind of crypto algorithm. For example, for SHA2 hashing, there is:

  • SHA256Managed: an implementation written purely in managed code
  • SHA256CryptoServiceProvider: a wrapper around the native Cryptographic Service Provider (CSP) implementation
  • SHA256Cng: a wrapper around Cryptography Next Gen (Cng) implementation

Short version

No, bcrypt is short for bestcrypt. And, no, it doesn't support bcrypt (blowfish crypt) password hashing.

Ian Boyd
  • 246,734
  • 253
  • 869
  • 1,219
4

the BCrypt APIs are generic and support various cryptographic hash algorithms, but bcrypt is not one of them. The B Prefix seems to be just a way to distinguish between the older APIs and the Next Generation.

John
  • 5,561
  • 1
  • 23
  • 39