"enc -bf-ecb" Command Summary

Blowfish Cipher Tutorials - Herong's Tutorial Examples

∟OpenSSL "enc -bf-ecb" for Blowfish/ECB Encryption

∟"enc -bf-ecb" Command Summary

A quick summary is provided to list major features of the OpenSSL 'enc -bf-ecb' command. Blowfish algorithm in ECB operation mode with a random salt and PKCS#5 padding, or Blowfish/ECB/Salted/PKCS5Padding, is the recommended way to use Blowfish in ECB mode.

As a summary, we should remember the following about the OpenSSL "enc -bf-ecb" command:

OpenSSL "enc -bf-ecb" command allows us to run Blowfish algorithm in ECB (Electronic CodeBook) operation mode.

ECB (Electronic CodeBook) operation mode takes each plaintext block from the input stream and encrypt it independently from other blocks.

ECB (Electronic CodeBook) operation mode does not use the IV value.

OpenSSL allows us to run cipher operations in 3 ways: Literal Key, Salted Key and Random Salt.

"Literal Key" means the secret key and the IV are specified literally using "-K" and "-iv" options.

The "-K value" option takes a 16-byte secret key in hex digits. If too short, 0x00 will be padded. If too long, extra bytes will be truncated.
The "-iv value" option takes a 8-byte IV value in hex digits. If too short, 0x00 will be padded. If too long, extra bytes will be truncated.

"Salted Key" means the secret key and the IV are derived from a passphrase and a salt given in "-pass" and "-S" options.

The "-pass pass:value" option takes passphrase string of any number of characters.
The "-S value" option takes a 8-byte salt in hex digits. If too short, 0x00 will be padded. If too long, extra bytes will be truncated.
The salt key generation algorithm takes the passphrase and the salt, runs MD5 hash function repeatedly to generate the secret key and the IV.
2 header blocks are prepended to the ciphtertext: The first block is the header name of "Salted__". The second block is the header value to record the 8-byte salt.

"Random Key" means the secret key and the IV are derived from a passphrase and a random salt using "-pass" and "-salt" options.

The "-pass pass:value" option takes passphrase string of any number of characters.
The "-salt" option turns on the random salt flag.
The salt key generation algorithm takes the passphrase and the salt, runs MD5 hash function repeatedly to generate the secret key and the IV.
2 header blocks are prepended to the ciphtertext: The first block is the header name of "Salted__". The second block is the header value to record the 8-byte salt.

OpenSSL allows us to pad plaintext with the standard PKCS#5 padding algorithm, which uses an integer byte as the padding byte with value equal to the number of bytes to be padded.

With all options mentioned above, we have many choices to run Blowfish ECB mode encryption. But the recommended way is to:

Select a Passphrase and send it over to the receiver in secure way.
Run OpenSSL "enc -bf-ecb" with Random Key with PKCS#5 padding on the plaintext file.
Send the ciphertext over to the receiver and tell her/him.
Tell her/him that the data is encrypted with Blowfish algorithm in ECB operation mode with a random salt and PKCS#5 padding, or Blowfish/ECB/Salted/PKCS5Padding.