[Glass] [squeak-dev] Re: [Pharo-dev] FFI blowfish for encrypting / decrypting [WAS] Re: How to encrypt a password?

mkobetic at gmail.com mkobetic at gmail.com
Mon Feb 17 21:35:40 PST 2014


"Mariano Martinez Peck"<marianopeck at gmail.com> wrote:
> > Anyway.... I do need encrypt/decrypt and it should be fast. I have just
> > tried ARC4 and seems to be fast. I have a few questions:
> >
> > - If I make the ARC4 key larger is it likely to be safer?
> > - How does ARC4 compare to blowfish from security point of view? Is
> > blowfish much more secure or not that much?
> >
> >
> 
> mmm reading a bit more I would say ARC4 may not be the most accurate for my
> case. Why? Because I may have many fields from many objects all being
> protected with the same password (hence, same key for the ARC4). This may
> affect ARC4 security, right? And even more that key is not a random stream
> but a fixed one (the  " SecureHashAlgorithm new hashMessage: aString" of
> the password they are protected with)....

With stream ciphers (or block cipher in modes that emulate a stream cipher, e.g. OFB, CTR) you absolutely must not reuse the same key to encrypt different data (http://en.wikipedia.org/wiki/Stream_cipher_attack). You could try to devise a way to avoid re-using the exact same key, e.g. generate the encryption key by mixing in a unique id of the field that you're encrypting along with the password, but unless you really know what you're doing, it's quite easy to make a fatal mistake in your design. Best way to do this is to stick with standard solutions. You're trying to use passwords for encryption, so your standard options would be PKCS#5, bcrypt or scrypt.

HTH,

Martin


More information about the Glass mailing list