Need Help Implementing Some Code

AstroTux
01-07-2008, 01:48 PM
Hi,

I'm not one to give in easily (even if a few of my questions here may not suggest that). I've been trying (unsuccessfully) to implement the code found here:

http://www.schneier.com/twofish-download.html

...obviously for VB6.

The source above is intended to be compiled to an ActiveX DLL, then linked to, but I can't get that to work (specifically the function, which is actually a property, bKey).

It is in a class, which I thought "OK", but after attempting to make an instance of the class, I was greeted by errors.

I then copied all the code to a code module in the application directly, but then I couldn't set bKey, as required by the encryption/decryption.

Finally, it appears it is not self-initializing, and I couldn't get that to work, either.

So.... here I am. Any help is gratefully accepted.

I want to be up-front now and say that this code is intended to be used in commercial software at some point in the future, but I just want to get a simple working example going now to see how it goes. If you don't want to help in light of this, that is totally understood.

Thanks in advance.

Best regards,
AstroTux.

Quiver319
01-07-2008, 03:58 PM
I know that you would seem to have your heart set on using TwoFish, but the Blowfish VB sample (found on the same site) was written by a different author, and it works "out of the box." TwoFish is newer and probably stronger, but since Blowfish is not weak and has never been broken, would it really matter which cipher you use? Both were created by Bruce Schneier.

I wish I could offer help on the TwoFish DLL, but the author of that sample left few clues about that code.

AstroTux
01-07-2008, 04:10 PM
Hi,

Ya know what? Good point. I'll leave TwoFish for now. At least Blowfish has been proven "in the field" (although TwoFish is older than I thought).

Best regards,
AstroTux.

AstroTux
01-07-2008, 04:32 PM
:huh: :huh: :huh: :huh: :huh:

This can't be for real, surely?! Look at the Cipher text!! If I use CBC mode however, with an IV <> 0 it seems to be fine (it actually encrypts the text, rather than just mixing it up).

http://f16-viper.com/images/blowfish.png

Best regards,
AstroTux.

AstroTux
01-07-2008, 05:40 PM
Hi,

How can I securely store the IV and KEY without inadvertently making them easy to obtain? Any suggestions? I had considered encrypting the IV+KEY with a password, but then guess the password and you have the keys. I can't store the passwords in a way that doesn't require user intervention without leaving the data wide open.

Hmm.......

Best regards,
AstroTux.

Quiver319
01-08-2008, 09:43 AM
If you are trying to protect your data so that only your program knows what is going on (I gleaned this from your other posts), why not just compile the keys into your EXE? You could obfuscate the entries by letting your program assemble the keys at run-time, or by arriving at portions of the keys mathematically. If you want each customer to have unique data encryption, you could generate a key, in part, with the product serial number or something.

I would think that key storage is a programmatic limitation of symmetrical ciphers since someone must know the secret phrase to encrypt and decrypt data, and in this case, the "someone" must be your program. Compiling your key into your code is weak security for sure, but if there is no human around to keep the secret, I wonder what else can be done?

AstroTux
01-08-2008, 11:45 AM
I'd thought about doing that. I'm going to have to store it somewhere. I'd considered burying it in the registry but then figured someone will just hunt out where it accesses that from (or use a program that monitors the registry for access).

What do you think to using an IV and KEY to encrypt the real IV and KEY, then using that for the actual encryption/decryption? Do you think it would have the double effect of looking like the IV and KEY in the EXE are the only IV and KEY?

I guess that is probably what I'm going to have to do. I need to see if there is some way using a product key as you suggest to generate the IV and KEY, to make them unique for each customer. I guess random bytes would work for the second IV and KEY. Make a point of generation and backup.

Sounds like a plan! :D

Best regards,
AstroTux.

Quiver319
01-08-2008, 02:25 PM
I think storing a second set of keys in the clear, which opens an encrypted set, would offer no more protection than storing the first set in the clear.

Obfuscating the keys in the compiled code would be my choice.

AstroTux
01-10-2008, 02:36 PM
> I think storing a second set of keys in the clear, which opens an encrypted set, would offer no more protection than storing the first set in the clear.

True.

> Obfuscating the keys in the compiled code would be my choice.

I have an idea how to do that. :)

Thanks for the help!

Best regards,
AstroTux.
