Ways to Control Secret Key and IV

Blowfish Cipher Tutorials - Herong's Tutorial Examples

∟OpenSSL "enc -bf-ecb" for Blowfish/ECB Encryption

∟Ways to Control Secret Key and IV

A quick explanation of different Blowfish cipher operation modes and different ways to control the secret key and the IV: literal key, salted key and random key.

In the previous tutorial, we learned how to invoke a specific Blowfish cipher with the OpenSSL "enc" command. We also learned that OpenSSL supports 4 Blowfish ciphers representing 4 block cipher operation modes:

"bf-ecb" - Blowfish in ECB (Electronic CodeBook) operation mode.
"bf-cbc" - Blowfish in CBC (Cipher Block Chaining) operation mode.
"bf-cfb" - Blowfish in CFB (Cipher FeedBack) operation mode.
"bf-ofb" - Blowfish in OFB (Output FeedBack) operation mode.

From cryptography basics, we know that there are 5 pieces of information involved in all 4 operation modes:

Plaintext - The input text to be encrypted with the Blowfish algorithm.
Secret Key - The secret byte sequence to be used by the Blowfish algorithm.
IV (Initialization Vector) - A block of text to be used as the initialization block for the cipher operation.
Padding - What padding algorithm to use to manage the last full or partial block of plaintext.
Ciphertext - The output text to be generated from the Blowfish algorithm.

By reading the "enc" manual page, I see the following rules offered by OpenSSL to control those 5 pieces of information:

Plaintext - If "-in file" option is given, plaintext is coming from the given file. Otherwise, plaintext is coming from the standard input.

Ciphertext - If "-out file" option is given, ciphertext is going to the given file. Otherwise, ciphertext is going to the standard output.

Padding - If "-nopad" option is given, no padding algorithm is used, which requires that the plaintext to be full blocks. Otherwise, PKCS#5 padding algorithm is used to pad the last block of plaintext.

Secret Key and IV - OpenSSL offers 3 ways to control them:

1. Literal Key - The Secret Key and the IV are literally given using the following options:

"-K value" - Specifies the secret key in 32 hex digits (16 bytes, or 128 bits). If the specified value is not enough, it will be padded with 0x00. If the specified value is too long, it will be truncated.
"-iv value" - Specifies the IV in 16 hex digits (8 bytes, or 64 bits). If the specified value is not enough, it will be padded with 0x00. If the specified value is too long, it will be truncated.
"-nosalt" - Specifies that no salt is needed.

2. Salted Key - The Secret Key and the IV are generated from a given passphrase and a given salt using the following options:

"-pass arg" - Specifies the passphrase to be used when generating the Secret Key and the IV.
"-S value" - Specifies the salt to be used when generating the Secret Key and the IV.

3. Random Salt - The Secret Key and the IV are generated from a given passphrase and a random salt using the following options:

"-pass arg" - Specifies the passphrase to be used when generating the Secret Key and the IV.
"-salt" - Specifies that a random salt to be used when generating the Secret Key and the IV.