As I can read from the net, the Blowfish algorithm is symmetric. And according to PHP.net, the crypt function is one-way crypting. The crypt function also allows Blowfish as a hashing algorithm.
So if I'm correct when I associate symmetric crypting with a two-way crypting procedure, I see a contradiction.
Definitely, will using crypt() + Blowfish give someone the chance to decrypt the string, if he ever knows the secret salt? (I actually think not, since as I can see from the crypted string, the crypting salt is included.)
Many thanks
A cipher algorithm like blowfish can be used as part of a hashing algorithm. Blowfish is just a "building block" and can be used for different purposes. It can be implemented as an encryption/decryption tool, or as the cryptographic primitive of a hash algorithm. This does not mean that you are suddenly able to reverse a hashing algorithm.
The plain fact that the output of the hashing algorithm is always a constant length is a giveaway that it cannot be reversed. You cannot encrypt an infinite number of potential input values in a reversible way into a fixed length output. The algorithm is by necessity lossy.
As a simple illustration, blowfish can be used like this to encrypt data (which can subsequently be decrypted):
    ABCD EFGH IJKL MNOP ...
     |    |    |    |
     v    v    v    v
    NPCQ JQ0C MPZW LKAQ
Each block of the input is turned into cipher text individually by blowfish. That is why blowfish is called a block cipher (as opposed to a stream cipher, which would process the input as a stream, not as a set of blocks of fixed length). The result of this operation is a bunch of blocks which can be reversed. The output is of the same length as the input (plus padding to fill a block where necessary).
A hash function using blowfish works like this:
    ABCD EFGH        IJKL        MNOP ...
     |    |           |           |
     v    v           v           v
    NPCQ JQ0C        MPZW        LKAQ
     |    |           |           |
     +----+--> PMQZ --+--> OLMQ --+--> UALG ...
The output of each block is run through a compression function which combines two blocks into one. The outputs of the first two blocks are combined (into PMQZ), then this value is combined with the output of the third block (into OLMQ) and so on. The output of the last compression is the result of the hash.
As you see, blowfish is used internally as a cryptographic cipher, but its output is combined with a lossy compression function which makes it impossible to reverse the output.
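The two diagrams above, as a runnable sketch (an added example, not code from the original answer). It assumes a toy 2-byte Feistel cipher as a stand-in for Blowfish and a made-up compression step; all names and the key are constructed for illustration, and this is not how crypt()'s Blowfish hash is actually computed. Because the digest is only 16 bits, the lossiness can be shown directly by finding two different inputs with the same hash.

```python
import hashlib

BLOCK = 2                       # toy block size in bytes (Blowfish uses 8)
KEY = b"constructed-demo-key"   # constructed key, for illustration only

def _f(half, rnd):  # keyed round function of the toy Feistel network
    return hashlib.sha256(KEY + bytes([rnd, half])).digest()[0]

def encrypt_block(block):
    left, right = block
    for rnd in range(4):
        left, right = right, left ^ _f(right, rnd)
    return bytes([left, right])
def decrypt_block(block):
    left, right = block
    for rnd in reversed(range(4)):
        left, right = right ^ _f(left, rnd), left
    return bytes([left, right])

def _blocks(data):
    # Pad to a whole number of blocks (PKCS#7 style), then split.
    n = BLOCK - len(data) % BLOCK
    data += bytes([n]) * n
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def encrypt(data):
    # First diagram: block-by-block, output grows with input, reversible.
    return b"".join(encrypt_block(b) for b in _blocks(data))
def decrypt(ct):
    padded = b"".join(decrypt_block(ct[i:i + BLOCK]) for i in range(0, len(ct), BLOCK))
    return padded[:-padded[-1]]

def compress(a, b):  # two blocks in, one block out: information is discarded
    return encrypt_block(bytes(x ^ y for x, y in zip(a, b)))

def toy_hash(data):  # second diagram: encrypt each block, then fold pairwise
    state, *rest = [encrypt_block(b) for b in _blocks(data)]
    for block in rest:
        state = compress(state, block)
    return state

def find_collision():
    # 2**16 possible digests, so 2**16 + 1 distinct inputs must collide.
    seen = {}
    for i in range(2 ** 16 + 1):
        msg = b"input-%d" % i
        other = seen.setdefault(toy_hash(msg), msg)
        if other != msg:
            return other, msg
```

`decrypt(encrypt(m))` returns `m` for any input, while `find_collision()` returns two distinct messages with the same `toy_hash`, so no function could map that digest back to a single original input.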