"bf-ecb" Cipher with Random Salt

Blowfish Cipher Tutorials - Herong's Tutorial Examples

∟OpenSSL "enc -bf-ecb" for Blowfish/ECB Encryption

∟"bf-ecb" Cipher with Random Salt

A tutorial example is provided to show you how to use the 'bf-ecb' cipher with Random Salt to encrypt and decrypt binary data files. The Secret Key and the IV will be derived from the given passphrase and a random salt.

In previous tutorials, we learned how to control the Secrete Key and the IV in two ways: Literal Key and Salted Key. In this tutorial, we will look at the third way, Random Salt, running the OpenSSL "enc -bf-ecb" command with "-pass" and "-salt" options:

"-pass arg" - Specifies the passphrase to be used when generating the Secret Key and the IV.
"-salt" - Specifies that a random salt to be used when generating the Secret Key and the IV.

Here is my first test using OpenSSL "enc -bf-ecb" command in the "Random Salt" way with "-pass pass:" and "-salt" options.

C:\herong> \
   perl -e "binmode(STDOUT); print pack('H*', '0000000000000000')" \
   > 0000000000000000.txt

C:\herong>\local\gnuwin32\bin\openssl enc -bf-ecb -e \
   -pass pass:MySecret -salt -in 0000000000000000.txt \
   -out cipher.txt -nopad -p
   
salt=A73221988FC6AD44
key=EB9CC96AE76E43C1A9BA055723BA8C69
iv =F883362636394FA7

C:\herong>perl -e "while (read(STDIN,$_,1)){print unpack('H*',$_);}" \
   < cipher.txt
   
53616c7465645f5f a73221988fc6ad44 2e5533973c8e0bef
---------------- ---------------- ----------------
   "Salted__"          Salt           Cipher

C:\herong>\local\gnuwin32\bin\openssl enc -bf-ecb -d \
   -pass pass:MySecret -salt -in cipher.txt \
   -out decrypted.txt -nopad -p
   
salt=A73221988FC6AD44
key=EB9CC96AE76E43C1A9BA055723BA8C69
iv =F883362636394FA7

C:\herong>perl -e "while (read(STDIN,$_,1)){print unpack('H*',$_);}" \
   < decrypted.txt
   
0000000000000000

The output confirms that OpenSSL did generate a salt 0xA73221988FC6AD44 for me. And it was prepended to the ciphertext as the second block.

When I ran the same test again, I got this output:

C:\herong>\local\gnuwin32\bin\openssl enc -bf-ecb -e \
   -pass pass:MySecret -salt -in 0000000000000000.txt \
   -out cipher.txt -nopad -p
   
salt=7D2FAC3669A79874
key=CA2403CA8AE8D91055321DC1B0D120D1
iv =507C768A7FA2F81A

C:\herong>perl -e "while (read(STDIN,$_,1)){print unpack('H*',$_);}" \
   < cipher.txt
   
53616c7465645f5f 7d2fac3669a79874 ee3498be709dcab2
---------------- ---------------- ----------------
   "Salted__"          Salt           Cipher

C:\herong>\local\gnuwin32\bin\openssl enc -bf-ecb -d \
   -pass pass:MySecret -salt -in cipher.txt \
   -out decrypted.txt -nopad -p
   
salt=7D2FAC3669A79874
key=CA2403CA8AE8D91055321DC1B0D120D1
iv =507C768A7FA2F81A

C:\herong>perl -e "while (read(STDIN,$_,1)){print unpack('H*',$_);}" \
   < decrypted.txt
   
0000000000000000

The output confirms that OpenSSL does generate new salt randomly each time.

Note that you don't need to pass the salt value to the receiver of the ciphertext separately, because it is already included in the ciphertext header blocks. The receiver needs to use OpenSSL or other tools that are compatible with OpenSSL to decrypt the ciphertext with the passphrase.

If the receiver is using a tool that does not know how to read the "Salted__" header blocks, you can pass him/her the derived secret key and the IV to decrypt the ciphertext after removing the first 2 blocks.