[squeak-dev] Re: FFI blowfish for encrypting / decrypting [WAS] Re: [Pharo-dev] How to encrypt a password?

Paul DeBruicker pdebruic at gmail.com
Mon Feb 17 22:42:57 UTC 2014


Hi Mariano,


No you can't decrypt it using the FFI library I've posted.  You can just
encrypt things and do a constant time string comparison. 

BCrypt takes your unencrypted string and runs it through Blowfish many times
based on the work factor specified.  Right now the recommendation is to run
it through 2^12 times.  That will go up in the future as computers get
faster.  There's password hashing, which that library does, and 2 way
encryption which is what you're asking for to store your db password more
securely than plain text.  


Did you try Pierce Ng's password splitting library?  It's here:

http://samadhiweb.com/tags/secret%20splitting



Hope this helps

Paul





Mariano Martinez Peck wrote
> On Thu, Nov 21, 2013 at 3:53 PM, Paul DeBruicker <pdebruic@> wrote:
> 
>> Mariano Martinez Peck wrote
>> > Hi Paul, and just to be sure I understand...none of them could work as a
>> > two-way encryption, right?
>> > The only one is your Pharo's version of Blowfish but that only works with
>> > 8 chars long. Is it like this? Or is there any other two-way encryption?
>> >
>> > Thanks!
>> >
>> > --
>> > Mariano
>> > http://marianopeck.wordpress.com
>>
>>
>> Yes that's right.  The PasswordHashingFFI stuff is all one way encryption.
>> Blowfish is two way, and the current implementation only works for 8 byte
>> chunks.  I stopped working on it when the Smalltalk bcrypt implementation I
>> wanted proved to be 5000x times slower than the FFI version. Someone needs
>> to add the CBC part to Blowfish to encrypt longer strings.  I do not know of
>> another in image two way encryption scheme, but there may be something in
>> the Cryptography repo.  I'm not sure.
>>
>>
>>
> Hi Paul,
> 
> Sorry for the cross posting.
> 
> I was using the Smalltalk version of the Blowfish you did to encrypt and
> decrypt things. But now I realize it is very very slow for the usage I
> need. You seem to have faced the same problem.
> 
> I am encrypting pieces of 8 characters long. But I wonder if the
> *decryption* is available as well in FFI version? I see #ffiCrypt:with:
> but nothing to decrypt...
> 
> Thanks in advance
> 
> 
> -- 
> Mariano
> http://marianopeck.wordpress.com
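
Added example (not part of the original messages and not the PasswordHashingFFI library's code): the one-way scheme described in the reply above, where nothing is ever decrypted and a password is checked by re-hashing the candidate and comparing in constant time. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for it. The record format, the function names and the log2 cost field are assumptions of this example, and 2^12 rounds only mirrors the figure in the message; it is not a PBKDF2 recommendation.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha256"  # record label made up for this example


def _derive(password: str, salt: bytes, cost: int) -> bytes:
    # cost is a log2 work factor, as in bcrypt: cost 12 -> 2**12 rounds.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** cost)


def hash_password(password: str, cost: int = 12) -> str:
    # A fresh random salt per password; cost and salt are stored with the
    # digest so the record can be verified later and the cost raised over time.
    salt = os.urandom(16)
    fields = (SCHEME, str(cost),
              base64.b64encode(salt).decode(),
              base64.b64encode(_derive(password, salt, cost)).decode())
    return "$".join(fields)


def _parse(stored: str):
    scheme, cost, salt, digest = stored.split("$")
    cost = int(cost)
    # Bound the cost so a tampered record cannot demand unbounded work.
    if scheme != SCHEME or not 4 <= cost <= 31:
        raise ValueError("unsupported hash record")
    return cost, base64.b64decode(salt), base64.b64decode(digest)


def verify_password(password: str, stored: str) -> bool:
    # No decryption step exists: recompute with the stored salt and cost,
    # then compare without leaking the position of the first mismatch.
    try:
        cost, salt, expected = _parse(stored)
    except ValueError:
        return False
    return hmac.compare_digest(_derive(password, salt, cost), expected)


def needs_rehash(stored: str, current_cost: int) -> bool:
    # True when the record was made with a lower work factor than today's.
    return _parse(stored)[0] < current_cost
```

When `needs_rehash` returns true, the record is replaced at the next successful login, since that is the only moment the plain password is available.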




