Advanced Blowfish Cs, good?

Discussion in 'privacy technology' started by Dina, Jan 6, 2008.

Thread Status:
Not open for further replies.
  1. Dina

    Dina Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    107
    home page here :

    http://www.hotpixel.net/software.html

    All I'm after is actually "casual" encryption. I'm currently trying out several, like axcrypt, truecrypt and others.

    I like blowfish much, it's quick, portable, I like the interface. I just want to be able to encrypt any file quickly, carry it around, open it in another pc, without having to install anything.

    Question is how stable is it? How are the files after long time use? I read a thread somewhere here about not being able to open a file which the user encrypted years back.

    I'd like to hear from long time users who had good and/or bad experiences with the software.

    I'd appreciate any feedback before committing myself with the software. The data which I'm planning to encrypt are not that sensitive (no banking info) but still, I'd hate to lose them or have issues later on.

    Thank you.
     
  2. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    I've run BCAS for a couple of years and it has worked well for me and without any problems.
     
  3. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Some design thoughts.

    First and foremost, I haven't looked at the implementations of AxCrypt, TrueCrypt, or Blowfish Advanced CS. By "looked," I mean analyzed the security and correctness of the code. However, judging by their presentations, I'll make some comments pertaining to their usage of cryptography. And believe me, you can tell a lot by the presentation of cryptographic software.

    I'll exclude TrueCrypt, since, as a casual user, you might want something along the lines of file encryption, such as AxCrypt and Blowfish Advanced CS provide. I have some differences with the design of TrueCrypt, but I'll leave that for another time.

    First, let's look at Blowfish Advanced CS. I contacted the author, Markus Hahn, regarding my concerns, but I haven't heard back yet. Therefore, I can't say why he made the design decisions he did, but I can tell you what I think about them. So, getting started, it uses too many primitives. Among the primitives that it implements is RC4. It's a fragile primitive; there are related-key attacks, and other key scheduling attacks, against it. There's very little reason to implement it in new software, and it's easy to get wrong. It's best to avoid it. My suggestion is: Use the AES and the AES alone. It receives more cryptanalysis than any other block cipher. I can't think of a more convincing argument in favor of a block cipher's use. However, I guess it wouldn't be Blowfish Advanced CS anymore, but the name change would be worth the simplicity it brings to the implementation.

    Here's an important piece of advice when choosing cryptographic software: Less is more. Lots of block ciphers do not make a product more secure; if anything, they clutter the implementation and make mistakes more likely. I've seen protocols fall apart because of it. Do away with unnecessary complexities. I'm okay with legacy reasons behind including Triple-DES, for example, but most software I've seen, that crams in a lot of primitives, does so without any rationale whatsoever.

    Now, let's move on to AxCrypt. I also contacted the author, Svante Seleborg, regarding my curiosities about AxCrypt's design and he responded promptly. It's the most sensible and best looking approach I've seen in any file encryption software. It uses AES-CBC for encryption and HMAC-SHA-1 for authentication. AES-CBC is an IND-CPA secure confidentiality mode of operation and HMAC-SHA-1 is a SUF-CMA MAC; given that, coupled with the observation that AxCrypt operates in the Encrypt-then-Authenticate composition, there's a good chance it provides IND-CCA2 /\ INT-CTXT security - the strongest notions of confidentiality and integrity for symmetric authenticated encryption. I can't guarantee this, but I will make an effort in the near future to establish whether or not this is the case. Without a doubt, it's the best example of having done one's homework, regarding cryptographic engineering, within the context of implementation simplicity and the need for a MAC.

    I can't tell you with any kind of certainty that their implementations are secure. Although I'm not a user of either, I'm partial to AxCrypt, from a design perspective. If more software looked like it, the pickings wouldn't be so slim. If done right, it implements all the cryptography you're likely going to need. I'm not saying it's without other mistakes, though. I'm simply saying that if its presentation is any indicator of its design security and correctness, then it's probably good software. Setting these two options aside, if you don't mind including cryptographic software in your budget, you might look at PGP Corporation's offerings. I'm confident that they're doing cryptography the right way.

    Oh, and here's another important piece of advice when looking at cryptographic software: If the software vendor seems to obsess over block cipher choices and key lengths, then chances are, they've overlooked other, more important things. Be wary.
     
  4. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I agree 100% about AxCrypt. I know you have problems with Truecrypt's cascading decisions, is that what you're referring to?
     
  5. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    On TrueCrypt and "Less is More."

    Right, that's basically it. It doesn't make the product any better, but adds more complexity to the implementation. The paradigm of "not keeping all of your eggs in one basket," makes sense, but practice isn't indicative of what it intends to achieve, security-wise. I addressed the same thing, in this thread, regarding CryptoSuite. Quoting from that:

    As you can see, I have no doubt that multiple encryption is useful. I just don't think TrueCrypt is an example of such usefulness, nor am I convinced that you should implement another block cipher just in case the AES is broken. You might be thinking, "Okay, so practice might not be indicative of it, but cryptography is unpredictable; it could happen!" You'd be absolutely right to think that; it very well could happen. But implementation mistakes do happen, and they happen a lot. In real-world systems, a certificational attack - as much as it bothers me - doesn't bother me as much as a sloppily-designed, ad hoc infrastructure.

    Many seem to obsess about the cryptography and forget the implementation. Maybe they're under the impression that the latter will take care of itself, while, in reality, we have a much better track record at getting the former right. But I reckon it just looks better to pile on cryptography, as opposed to gutting an implementation of unnecessaries. It just "looks more secure," because there's "more going on." It's a mixture of the misconception that more is more and a lack of know-how and experience, when it comes to cryptographic engineering.

    If you're using TrueCrypt because it uses cascades, you're probably overestimating the worth of this feature, while overlooking the complexities it introduces. Good cryptographic engineering is that which does a lot with a little. An example would be gutting TrueCrypt of some of its cryptographic primitives, leaving only what's necessary, thus simplifying the implementation. As I've said many times, minimalist design is the key. Less is more! That's a paradigm I'd like to see instantiated more often!

    I have another curiosity regarding the usage of LRW and possible attacks due to the finer granularity of narrow-block encryption versus wide-block encryption. BitLocker's design addressed this with AES-CBC + Elephant, which was modeled as a block cipher that operated on blocks of 512-8192 bytes in length. Not that they would, but I wouldn't want the developers to go off and try to whip up their own approach, because I don't think they have the cryptographic expertise that Microsoft had when going into BitLocker. All in all, since I haven't looked at TrueCrypt's source code, I can't say whether or not it applies. As such, it's merely a curiosity and not a criticism.

    On a smaller side note, I'm curious as to the design team's thoughts on XTS over LRW.
     
  6. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I make a big mistake when I check forums at the wrong time. I have just a minute before bed (I have to get up in 4 hours), but I wanted to relay this analogy to Wilders members who may not have any conceptual idea what Justin means when he talks of the importance of implementation.

    Say you have bought the best dead-bolt lock available. You have spent big bucks for this great protection. You are proud of the safety you have brought you and your family. However, if you talk to home security experts, they will tell you that one can buy the best of the best dead-bolts, but if it's not going in the right kind of door - and installed correctly - the complexity of the dead-bolt lock is worth - nothing. The implementation of the lock (cryptography) within the door (the software) is the single most important thing. You could even put two (or three!) dead-bolts on the door "just in case" somebody gets the key to your main lock. But, if they are still in that poorly constructed door - and not installed correctly - it doesn't matter how many locks you put on the door.

    Off to bed.
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,634
    Location:
    U.S.A. (South)
    For me there's just enough detail from those statements and pretty descriptive I might add, even in brief that supports reasonable enough conclusions in these comparisons. I can say in all honesty that this PC method for privacy has always been almost entirely foreign to me & though some details easily escape my immediate comprehension in them where it concerns how much is too much and what makes up the so-called best and/or safest encryption techniques, I do owe I feel some applause to the effort made to reach out to these developers and those opinions are convincing enough to form a definite pattern and decision.

    I'll set aside any further comments in this regard except my thanks because at this juncture I could add nothing useful to what's surfaced here, but it's enough that I have to take a hard look myself at AxCrypt if only for files privacy.

    For Full-Drive Coverage I'll keep watch on this topic.

    Interesting dialogue to say the least.
     
  8. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Being totally ignorant of cryptography, I've been reading this thread with interest. I downloaded a thing a couple of months ago called ZeroFootprint Crypt from Baroufasoft. I'm not sure whether it's still under development. I like the simplicity of it and it offers a number of different options.

    One thing to remember, which I forgot: I encrypted a couple of meaningless files, downloads I planned to get rid of eventually, just to check its decryption. Both worked fine after encrypting and decrypting several times. I'm not sure that proves anything. Two months later, I still have the files but don't remember the passwords I used. o_O

    Fortunately, those files were throwaways and not needed. Encryption is very valuable if you keep important info on your computer, and a strong password is essential. Just make sure you remember that password.
     
  9. herbalist

    herbalist Guest

    I haven't used Blowfish Advanced CS, prefer Scramdisk 3.01. I've used the Blowfish cipher for partitions, small hard drives, and containers of various sizes. Some of them are several years old and work fine.

    The only time I've had an encrypted partition fail was due to bad sectors on the hard drive. The ciphers themselves are stable. Assuming that you don't lose the password, the only things that would cause problems would also cause the same problems with normal files, like bad sectors or the file/container being corrupted by something else. If the data is valuable, it should be backed up to a separate drive or media, whether they're encrypted or not.
    Rick
     
  10. InfinityAz

    InfinityAz Registered Member

    Joined:
    Jul 23, 2005
    Posts:
    828
    Location:
    Arizona
    Noticed that Steganos is offering Safe One. This is similar to Steganos Safe, except it is free and only allows you to create up to two 1GB safe partitions.
     
  11. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,305
    Location:
    Location Unknown
    I use Blowfish, and I like it. It seems secure to me, but I know little to nothing about cryptography. I do like that it is portable whereas AxCrypt is not. And, funny thing, even though AxCrypt is open-source it asks (and has the option for) product activation. Really strange...
     
  12. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Options and cows.

    I checked this product out. If by "different options" you mean various cryptographic primitives (i.e., block ciphers and a stream cipher, in this case), then be careful. More options = more complexity. The product gives you the option to choose between Blowfish, Twofish, Triple-DES, RC4, Serpent, and Rijndael. Despite the fact that most of these are reasonable choices, they're unnecessary. It's in everyone's interest to stick to the AES. As you might have read in other threads I've posted in, the AES receives more cryptanalytical attention than any other block cipher. I can't think of a more compelling reason to use a block cipher, from a cryptographic standpoint.

    It also uses RC4, which worries me. It's a fragile primitive; there are related-key attacks, and other key scheduling attacks, against it. There's very little reason to implement it in new software, and it's easy to get wrong. Avoid it. Consumers shouldn't be required to make decisions about which cryptographic parameters they use, nor should they be conditioned to feel they need the option to do so. They simply don't have the expertise. They base their opinions on things they've skimmed over in passing and somehow conclude that they feel this block cipher is better than that block cipher and so on and so forth. Software should be secure by default. There's no need to make this tweakable by the consumer.

    Lastly, it doesn't appear to use a MAC, which means that data integrity isn't preserved; that is, an adversary is free to manipulate the data. Furthermore, I can't find any reference to the confidentiality mode of operation they use, so I can't say for certain if even data confidentiality is preserved. From what I can see, there are much better offerings than this.


    Time after time, I read reviews along the lines of, "it works great," referring to cryptographic software. Sure, it might function correctly, but that doesn't mean that it is functioning securely. Functionality and security are two, very distinct things. Be sure not to confuse them! Both good cryptography and bad cryptography can function correctly, to the point that you can't tell them apart; this makes for a difficult situation, needless to say.

    Oh, and one more thing: software reviews. When it comes to judging the security of cryptographic security, software reviews are useless. Why? Because none of the criteria they're reviewed under include security! We can't expect that reviewers be cryptographers or even security folks, yet consumers might be led into believing that five cows from Tucows means that it's good software. You can bring all the cows you'd like, but it says nothing about the security of the software, which, in cryptographic software's case, is the primary objective. For things aside from security, software reviews can be helpful; for security, though, pay no attention to them.
     
  13. Dina

    Dina Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    107
    Hi guys. I appreciate all the replies, and have learned a lot really. Thanks to those who made an effort to explain encryption in "English".

    Just a quick clarification. Does that mean that encrypted files (a truecrypt container or a file encrypted through advanced blowfish cs, for example) can be treated as just like any other file? Security issues aside, encrypted files are just like normal files and there's no need for extra precaution? I can copy them, move them, rename them as much as I like without fear of corruption?

    I remember reading that defragging encrypted files, could cause problems. The user couldn't decrypt them (though he/she was sure of the password). It was suggested that it may have been due to the fact that the user ran a defragger on the disk regularly. I know very little about this, I have to ask.

    Thanks again.
     
  14. herbalist

    herbalist Guest

    As far as the operating system is concerned, it's just another file. Moving or copying an encrypted file or container should be no problem. I'm not certain if renaming the file might be a problem for some encryption software. If you plan on renaming encrypted files, it would be worthwhile to give it a test run with files that aren't important or copies of the files you want to encrypt. It's always a good practice to copy the files to a container instead of moving them directly. If the power or a piece of hardware fails at the moment you're moving a file, you've probably lost it. With a copy, no problem. When you're sure everything works, then delete the unencrypted copies.

    When you're making backups of encrypted containers, make certain that you can open those containers after restoring them while you still have the originals. This applies even more to encrypted partitions. Some backup or imaging programs have problems handling encrypted partitions. Make copies of the files you want to encrypt and keep them out of harm's way while you do a practice run with your backup software. I once used ATI to back up an encrypted partition to CDs. The backup and restore process went normally, but it altered the partition enough that I couldn't open it again. Fortunately, I still had the original encrypted containers.
    Rick

    Defragging can be a problem with encrypted partitions. Encrypted containers kept on my regular hard drive work fine when the drive is defragged. Just make sure the containers aren't mounted when you defrag. On a couple of occasions, Scramdisk wouldn't make an encrypted container on a drive it considered to be too fragmented. Whenever possible, defrag your drive before creating any containers on it. I haven't used an app that encrypts the files themselves, but I can see where it could be a problem if you tried to encrypt a file that was already fragmented.
     
    Last edited by a moderator: Jan 10, 2008
  15. Dina

    Dina Registered Member

    Joined:
    Jul 28, 2006
    Posts:
    107
    Hi. I know it's a bit late. But thanks for the reply herbalist. I appreciate the info and the advice on backing up.

    Thanks once again and good day.
     
  16. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I use TrueCrypt to store some personal items and I use axcrypt here and there. But I also purchased Cryptosuite. I have not been using it though after hearing some negative comments. Does anyone know if it is trustworthy?
     
  17. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Wouldn't recommend CryptoSuite, at the moment.

    Regarding CryptoSuite, you can check some good dialogue between Jason and I, here and here, regarding the design of CryptoSuite. At first, I was glad to see that they incorporated a MAC; omitting it is a fallacy that most software vendors make. However, I was a bit let down when I discovered that what CryptoSuite calls HMAC isn't really HMAC, or a MAC, at all. It's an ad hoc, unkeyed function; MACs are keyed. (Off the top of my head, and after investigating dozens of applications, AxCrypt is the only one I know of that uses a MAC; assuming its implementation is correct and secure, it's probably as close to achieving IND-CCA2 /\ INT-CTXT as I've seen out of any product thus far.)

    This is my main concern with it, but there are others, as you can read in the links provided above. Overall, my conclusion is that it, as a whole, is an ad hoc design that isn't based on principles that scream neither good engineering practices. Don't get me wrong, though. It's not that I feel they didn't try; they probably tried really hard. But, the evidence indicates that they aren't experienced enough to be designing cryptographic software - not yet, at least. Minimalist design is the key to good design, as it promotes implementation simplicity. Not only that, but good cryptography is about doing a lot with a little. CryptoSuite is a bit backwards in that regard.

    On a side note, in what environment are you using cryptography? What are your requirements? We might be able to recommend something that's both suitable for your needs and sufficiently secure.
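
The keyed-versus-unkeyed distinction raised in this post, together with the earlier remark that without a MAC "an adversary is free to manipulate the data", shown as an added example; it is not part of the thread and is not code from AxCrypt, CryptoSuite or any product discussed. Assumptions: the ciphertext is constructed random bytes standing in for AES-CBC output, HMAC-SHA-256 is used in place of the HMAC-SHA-1 mentioned for AxCrypt, and all function names are hypothetical.

```python
import hashlib
import hmac
import os

IV_LEN = 16                              # AES block size, as used by AES-CBC
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def seal_unkeyed(iv: bytes, ciphertext: bytes) -> bytes:
    """Weak layout: append a plain hash of the data. No secret is involved."""
    body = iv + ciphertext
    return body + hashlib.sha256(body).digest()


def open_unkeyed(blob: bytes) -> bytes:
    """Check the plain hash and return IV + ciphertext."""
    if len(blob) < IV_LEN + TAG_LEN:
        raise ValueError("blob too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hashlib.sha256(body).digest(), tag):
        raise ValueError("checksum mismatch")
    return body


def seal_etm(mac_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-Authenticate layout: HMAC over IV + ciphertext."""
    body = iv + ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def open_etm(mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag BEFORE anything is decrypted; return IV + ciphertext."""
    if len(blob) < IV_LEN + TAG_LEN:
        raise ValueError("blob too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("authentication failed")
    return body


def flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with the lowest bit of one byte inverted."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def accepts(open_fn, *args) -> bool:
    """True if the verification function returns without raising."""
    try:
        open_fn(*args)
        return True
    except ValueError:
        return False


def compare_schemes() -> dict:
    iv = os.urandom(IV_LEN)
    ciphertext = os.urandom(48)   # constructed stand-in for AES-CBC output
    mac_key = os.urandom(32)      # assumed independent of the encryption key

    # Unkeyed: whoever alters the data can recompute the hash as well,
    # so the altered file still verifies.
    altered = flip_bit(iv + ciphertext, IV_LEN)
    resealed = altered + hashlib.sha256(altered).digest()

    # Keyed: the same alteration, but a matching tag cannot be produced
    # without mac_key, so the stored tag no longer verifies.
    altered_sealed = flip_bit(seal_etm(mac_key, iv, ciphertext), IV_LEN)

    return {
        "unkeyed_accepts_altered": accepts(open_unkeyed, resealed),
        "hmac_accepts_altered": accepts(open_etm, mac_key, altered_sealed),
    }


if __name__ == "__main__":
    print(compare_schemes())
```
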
     
  18. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Thanks for your reply, Justin, and I am really glad that you are here. I am only interested in encrypting a few of my personal files here and there. Nothing major. I currently put a few items in a TrueCrypt volume and sometimes I quickly encrypt a personal file that I want to leave on my desktop for a while. I use Axcrypt for that. Not very often though actually. Just here and there if I don't feel like moving it at the time. But I am really happy to hear that Axcrypt is a good option. It is free and I do not have a lot of computer knowledge so it is perfect for an oaf like me. I guess maybe I wasted money on Cryptosuite but that's okay. It wasn't that much. Thanks for all that you share.
     
  19. herbalist

    herbalist Guest

    Justin,
    What's your opinion of Scramdisk 3.01r3 as far as its strength and performance? Has the app itself ever been compromised or any serious flaw ever been found in it? I realize that it's older and not compatible with XP, but that's of no consequence to me. I'm running 98.
    Rick
     
  20. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    Can't say too much about it.

    From what I can tell, ScramDisk was pre-AES, so I'll forgive the fact that it didn't include the AES, which was later introduced by its successor, DriveCrypt. (I do not recommend it.) The amount of block ciphers it uses is excessive, and some of them are questionable, but, I'll overlook this on the same pre-AES grounds.

    My main concern would be with the inclusion of a homegrown primitive, dubbed "Summer." At least it was never recommended that one should use Summer. Quoting Sam Simpson, from his site:

    Despite that, it's never a good idea to stick any homegrown primitive into production software. Insecure options shouldn't be allowed.

    I've neither used ScramDisk, nor know much about it. If the presentation of DriveCrypt is any indicator of what went into ScramDisk, I might be a little cautious, to say the least. My hope is that DriveCrypt's horrid marketing is only skin deep, and doesn't reflect on the product itself, or its predecessor.
     
  21. herbalist

    herbalist Guest

    Re: Can't say too much about it.

    If I understand it correctly, Drive Crypt is the result of the joint effort of 3 individuals, one of which is the author of Scramdisk. I can't hold the marketing practices of the group against Scramdisk when it was released before they joined up. I've never used Drive Crypt so I have no idea what the differences are.

    I've used Blowfish for years for most of my encrypted partitions. Although Blowfish might not be tested quite as extensively as AES, it has definitely undergone its share. I'm not aware of any attacks that work against it, save brute force. IMO, the amount of testing done on a cipher may be more of an indication of its popularity than of its strength. It's not exactly a critical issue when neither cipher has been successfully attacked.

    I stay with Scramdisk because of its 9X (my preferred OS) compatibility, its ability to encrypt entire partitions, and occasional use in "traveller mode" which installs it on a single floppy. I was primarily interested to see if you were aware of any weaknesses in Scramdisk that I hadn't heard of, not including that weak "summer". No news is good news in this case.
    Rick
     
  22. Justin Troutman

    Justin Troutman Cryptography Expert

    Joined:
    Dec 23, 2007
    Posts:
    226
    Location:
    North Carolina, USA / Minas Gerais, BR
    In that case.

    In reality, insecurity is rarely ever a result of which block cipher you've chosen, and such is the case with the AES and Blowfish. I have no qualms about Blowfish; it's probably one of the best 64-bit block ciphers we have. But, it's common wisdom that the AES is preferable for new designs, with the possible exception of niche environments in which another block cipher may be more suitable. Of course, becoming the most popular is the result of becoming a standard, which invites the most cryptanalysis. The confidence we gain in Rijndael's underlying design strategy because of that is indispensable. That's the kind of thing we look for when we're deciding on which primitives to build our protocols.

    In that case, the answer is: No. I've heard of nothing.
     