How does blowfish algorithm work in C++?

Question

Hi All I have to encrypt my data using Blowfish algorithm in C++...can you guys tell me if the other end knows what algorithm I am using can they not extract the key and decrypt it ? How safe is the data by this method?

Answer 1

can you guys tell me if the other end knows what algorithm I am using can they not extract the key and decrypt it ?

No. The whole point of standardized encryption algorithms (as opposed to those that rely on obscurity) is that even though everyone knows all details of it, one cannot decrypt it unless one has the key.

This approach works because the only way to crack the encryption is to try all possible keys, of which there are too many. As computation power increases, formerly "secure" algorithms do become "unsecure". With some algorithms there may also be flaws that allow other forms of deductions to take place that significantly reduce the possible key-space and hence speed up these brute-force attacks. But (as far as we know) Blowfish is safe here.

Keeping the key secret is essential of course. If your program also includes the key (as opposed to asking the user or some device for it, or using random session keys that are themselves encrypted using public-key crypto), then a reverse-engineer can probably find it and break your scheme.

An important part of keeping the key secret is to keep it "non-guessable" and to not reuse it for different purposes. Randomly generated keys are the best.

Also, by "the other end" you mean an attacker, right? Usually, "the other end" refers to Bob The Intended Recipient, and he of course needs to be able to decrypt the message.

Answer 2

There are no known attacks against Blowfish (as of January 2011) so your data is as safe as the key length (which in Blowfish can be up to 448 bits).

Answer 3

It is to my understanding, that one of the whole points of picking a particular encryption, and decryption, method, is that both ends of the communication stream will know which algorithm the data is encrypted with.

If you "have to" encrypt your data using the Blowfish algorithm, then the requirement alone should tell you that the recipient is expecting a message encrypted using the Blowfish scheme.

Like Thilo said, "the whole point of standardized encryption algorithms...is that even though everyone knows all the details of it, one cannot decrypt it unless one has the key."

The best way to prevent man-in-the-middle attacks, and other attacks involving the malicious party intercepting your messages, is to keep your key safe - do not hard-code it into any programs (even compiled programs can be analyzed) and build trusts with your recipient by ensuring that their security practices minimize the chance of a malicious agent procuring the pertinent key. Alternately, if your recipient supports it, you could use "one-time pads" - unique passwords/keys for encrypting your data.