Live Journal about blowfish |

systems to download unsigned or unencrypted firmware upgrades or store unencrypted user data, a practice we justify because it’s invisible to the end user and makes our lives easier. The stealthy practice, however, is no longer kosher. With the help of this public-domain encryption algorithm, we can clean up our act.

Modern embedded systems need data security more than ever before. Our PDAs store personal e-mail and contact lists; GPS receivers and, soon, cell phones keep logs of our movements; and our automobiles record our driving habits. On top of that, users demand products that can be reprogrammed during normal use, enabling them to eliminate bugs and add new features as firmware upgrades become available.

Data security helps keep private data private. Secure data transmissions prevent contact lists and personal e-mail from being read by someone other than the intended recipient, keep firmware upgrades out of devices they don’t belong in, and verify that the sender of a piece of information is who he says he is. The sensibility of data security is even mandated by law in certain applications: in the U.S. electronic devices cannot exchange personal medical data without encrypting it first, and electronic engine controllers must not permit tampering with the data tables used to control engine emissions and performance.

Data security techniques have a reputation for being computationally intensive, mysterious, and fraught with intellectual property concerns. While some of this is true, straightforward public domain techniques that are both robust and lightweight do exist. One such technique, an algorithm called Blowfish, is perfect for use in embedded systems.

Terminology
In cryptographic circles, plaintext is the message you’re trying to transmit. That message could be a medical test report, a firmware upgrade, or anything else that can be represented as a stream of bits. The process of encryption converts that plaintext message into ciphertext, and decryption converts the ciphertext back into plaintext.

Generally speaking, encryption algorithms come in two flavors, symmetric and public key. Symmetric algorithms, such as Blowfish, use the same key for encryption and decryption. Like a password, you have to keep the key secret from everyone except the sender and receiver of the message.

Public key encryption algorithms use two keys, one for encryption and another for decryption. The key used for encryption, the “public key” need not be kept secret. The sender of the message uses that public key to encrypt their message, and the recipient uses their secret decryption key, or “private key”, to read it. In a sense, the public key “locks” the message, and the private key “unlocks” it: once encrypted with the public key, nobody except the holder of the private key can decrypt the message. RSA is a popular public key encryption algorithm.

Most credible encryption algorithms are published and freely available for analysis, because it’s the security of the key that actually makes the algorithm secure. A good encryption algorithm is like a good bank vault: even with complete plans for the vault, the best tools, and example vaults to practice on, you won’t get inside the real thing without the key.

Sometimes an encryption algorithm is restricted, meaning that the algorithm itself is kept secret. But then you can never know for sure just how weak a restricted algorithm really is, because the developer doesn’t give anyone a chance to analyze it.

Encryption algorithms can be used for several kinds of data security. Sometimes you want data integrity, the assurance that the recipient received the same message you sent. Encryption algorithms can also provide authentication, the assurance that a message came from whom it says it came from. Some encryption algorithms can even provide nonrepudiation, a way to prove beyond a doubt (say, in a courtroom) that a particular sender was the originator of a message. And of course, most encryption algorithms can also assure data privacy, a way to prevent someone other than the intended recipient from reading the message.

Data security in practice
Let’s say an embedded system wants to establish a secure data-exchange session with a laptop, perhaps over a wireless medium. At the start of the session, both the embedded system and laptop compute a private Blowfish key and public and private RSA keys. The embedded system and laptop exchange the public RSA keys and use them to encrypt and exchange their private Blowfish keys. The two machines then encrypt the remainder of their communications using Blowfish. When the communications session is over, all the keys are discarded.

In this example, it doesn’t matter if someone is eavesdropping on the entire conversation. Without the private RSA keys, which never go over the airwaves, the eavesdropper can’t obtain the Blowfish keys and, therefore, can’t decrypt the messages passed between the two machines. This example is similar to how the OpenSSH command shell works (although OpenSSH takes additional steps to prevent the public keys from being tampered with during transit).

Now let’s say that a server wants to send a firmware upgrade to a device and wants to be sure that the code isn’t intercepted and modified during transit. The firmware upgrade may be delivered over a network connection, but could just as easily be delivered via a CD-ROM. In any case, the server first encrypts the firmware upgrade with its private RSA key, and then sends it to the device. The recipient decrypts the message with the server’s public key, which was perhaps programmed into the device during manufacture. If the firmware upgrade is successfully decrypted, in other words a checksum of the image equals a known value, or the machine instructions look valid, the firmware upgrade is considered authentic.

The RSA algorithm is computationally expensive, although not unreasonably so for the level of functionality and security it provides. A lighter-weight approach to firmware exchange with an embedded system would be to encrypt the image with Blowfish, instead of RSA. The downside to this approach is that the Blowfish key in the embedded system has to be kept secret, which can be difficult to achieve for a truly determined attacker with hardware skills. In less extreme cases, however, Blowfish is probably fine since an attacker with such intimate knowledge of the target system and environment will likely find another way into the device anyway (in other words, simply snatching the firmware upgrade from flash memory once it’s decrypted).

Blowfish is a block cipher that encrypts data in 8-byte blocks. The algorithm consists of two parts: a key-expansion part and a data-encryption part. Key expansion converts a variable-length key of at most 56 bytes (448 bits) into several subkey arrays totaling 4168 bytes. (Note: the description in this article differs slightly from the one in the April 1994 issue of Dr. Dobb’s Journal; there were typos in steps (5) and (6) of the subkey generation algorithm.)

Blowfish has 16 rounds. Each round consists of a key-dependent permutation, and a key- and data-dependent substitution. All operations are XORs and additions on 32-bit words. The only additional operations are four indexed array data lookups per round.

Subkeys:

Blowfish uses a large number of subkeys. These keys must be precomputed before any data encryption or decryption. The P-array consists of 18 32-bit subkeys: P1, P2,…, P18. There are also four 32-bit S-boxes with 256 entries each: S1,0, S1,1,…, S1,255; S2,0, S2,1,..,, S2,255; S3,0, S3,1,…, S3,255; S4,0, S4,1,..,, S4,255.

Encryption and Decryption:

Blowfish has 16 rounds. The input is a 64-bit data element, x. Divide x into two 32-bit halves: xL, xR. Then, for i = 1 to 16:

xL = xL XOR Pi
xR = F(xL) XOR xR
Swap xL and xR

After the sixteenth round, swap xL and xR again to undo the last swap. Then, xR = xR XOR P17 and xL = xL XOR P18. Finally, recombine xL and xR to get the ciphertext.

Function F looks like this: Divide xL into four eight-bit quarters: a, b, c, and d. Then, F(xL) = ((S1,a + S2,b mod 2³²) XOR S3,c) + S4,d mod 232.

Decryption is exactly the same as encryption, except that P1, P2,…, P18 are used in the reverse order.

Generating the Subkeys:

The subkeys are calculated using the Blowfish algorithm:

1. Initialize first the P-array and then the four S-boxes, in order, with a fixed string. This string consists of the hexadecimal digits of pi (less the initial 3): P1 = 0x243f6a88, P2 = 0x85a308d3, P3 = 0x13198a2e, P4 = 0×03707344, etc.

2. XOR P1 with the first 32 bits of the key, XOR P2 with the second 32-bits of the key, and so on for all bits of the key (possibly up to P14). Repeatedly cycle through the key bits until the entire P-array has been XORed with key bits. (For every short key, there is at least one equivalent longer key; for example, if A is a 64-bit key, then AA, AAA, etc., are equivalent keys.)

3. Encrypt the all-zero string with the Blowfish algorithm, using the subkeys described in steps (1) and (2).

4. Replace P1 and P2 with the output of step (3).

5. Encrypt the output of step (3) using the Blowfish algorithm with the modified subkeys.

6. Replace P3 and P4 with the output of step (5).

7. Continue the process, replacing all entries of the P array, and then all four S-boxes in order, with the output of the continuously changing Blowfish algorithm.

In total, 521 iterations are required to generate all required subkeys. Applications can store the subkeys rather than execute this derivation process multiple times.

C Code:

C code for Blowfish starts on page xx. This is improved and corrected code; the code in the April 1994 issue had some bugs and was less efficient than this code. The code is also available electronically; see “Availability,” page xx.