From what I've read I think you are kinda sorta right. The problem is that when you lookup Blowfish you will find many "flavors" of it and one is CBC -- And that is just the beginning ... :(
Also the key "cooking" also throws yet another monkey wrench into things but then this goes well outside of of Blowfish norms and this is a very nasty "layer" that you'd never expect to be there.
Really need a nice clean white paper *AND* test vectors! With that in hand I'd tend to be willing to argue that the OpenSRS interface is relatively open archecture. But until there is such clean and clear docs for that very nasty layer, then I'll continue to argue OpenSRS API is targeted for a single platform environment.
The really said part is that *SOMEBODY* at Tucows should be able to hammer out that doc, and create test vectors. fairly easily (1 or 2 days at most) and put the issue to rest.
I finally *COMPLETELY* gave up of the API and just scripted the RWI. Does what I need and the code runs on Win98 and any other Windows OS I need to run it on. But that's really dumb. If someone has my username and password they can do most common operations from any PC in the world using industry standard SSL. So what does DES, Blowfish, and IP locking even buy us? Nothing at all.
I'm not ignoring that DES and Blowfish are the result of history, I'm just saying clearly doc the damn thing and provide test vectors since it's very hard to debug encrypted data as that's the entire point to encrypting data in the first place.
On Sun, 23 Nov 2003 16:52:13 -0800 "Lynn W. Taylor" <[EMAIL PROTECTED]> wrote:
I haven't spent a whole bunch of time on this, but maybe this will help....
I don't think the problem is Blowfish, I think it is CBC.
Blowfish is a block cypher, and OpenSRS needs a streaming cypher. CBC is a technique to turn block cyphers into streaming cyphers.
From what I've read, there appears to be two flavors of CBC: the "real world standard" one, and the one implemented in the PERL Crypt:CBC library.
There are a couple of other differences, but there are third-party documents that cover them. As far as I remember, they had to do with how keys were generated for the cypher.
-- Lynn
