13

While bcrypt is often regarded as an irreversible hashing function, it's based on the reversible Blowfish cipher. I'm just curious about how this works. Here's the pseudocode from the wiki:

bcrypt(cost, salt, input)
  state ← EksBlowfishSetup(cost, salt, input)
  ctext ← "OrpheanBeholderScryDoubt" //three 64-bit blocks
  repeat (64)
    ctext ← EncryptECB(state, ctext) //encrypt using standard Blowfish in ECB mode
  return Concatenate(cost, salt, ctext)

I know that bcrypt will first go through the EksBlowfishSetup key schedule function, which outputs the state as an encryption key. Then it encrypts the text "OrpheanBeholderScryDoubt" with the key.

According to an answer in https://security.stackexchange.com/questions/66050/should-bcrypt-be-used-for-client-side-password-hashing/66056#66069, bcrypt is irreversible because bcrypt can be seen as encrypting and then throwing away the key. Although a known-plaintext attack is almost impossible with Blowfish, is this what makes bcrypt irreversible? Because I think a known-plaintext attack is still "computationally feasible".

What I want to know is: if we get the encryption key (produced by EksBlowfishSetup(cost, salt, input)) with a known-plaintext attack or in some other way, and we have the cost and salt which are passed to EksBlowfishSetup, is it possible to get the real password?

According to an answer here, EksBlowfishSetup is what makes bcrypt one-way, as you need to know all 3 arguments passed to it in order to retrieve the plaintext password. So can I say that it is EksBlowfishSetup that actually makes bcrypt irreversible?

Something that might help you: Technology and Practice of Passwords

sunquan

4 Answers

4

bcrypt uses EksBlowfishSetup, which is the expansion key step function of the Blowfish cipher, to expand your key into a proper cryptographic random key to use. The expanded key is then used to encrypt some text, and that encrypted text is the stored hash.

So, an attacker can know the plaintext ("OrpheanBeholderScryDoubt"), the cost and the salt (It's in the hash). But Blowfish, like every modern cryptosystem that is considered secure (like AES or Serpent), is specifically designed to prevent known-plaintext attacks. This means that the attacker can't derive the key from a plaintext and its corresponding ciphertext; therefore his only chance is to try every possible password to encrypt that text and obtain the same result. That's a brute-force attack, which is not "computationally feasible" with actual known hardware.

Mr. E
4

Because bcrypt uses Blowfish as a component inside an irreversible algorithm. This is very common—many variable-input length cryptographic algorithms are built from smaller, fixed-input-length components that may or may not be reversible.

One example is the SHA-3 hash function, which is designed following an algorithm known as the sponge construction, which builds a hash function out of a reversible function (a permutation).

Luis Casillas
3

Why do you say that computing the key using a known plaintext attack is "computationally feasible"? It's not. As far as I know, Blowfish is not "broken" for short texts, requiring gigabytes of data to crack even the weak keys which make it somewhat weaker for longer texts. One of the characteristics required of a "secure" encryption algorithm is that it should be impossible to find a method faster than brute force, to recover the encryption key knowing only the ciphertext and some plaintext. Since the password in bcrypt is used as part of the encryption key, THAT is the property making it a one-way function. Blowfish is reversible in the sense that if you know the key you can reverse the encryption. But in this case you are trying to find the key, knowing the ciphertext, which should not be possible other than guessing keys and observing the result.

Ben
0

bcrypt uses the input value to derive a key and uses that key to encrypt a known plain text. Since this plain text is always the same, the output is of constant length thus giving bcrypt all the properties of a (keyed) hash function.

Trying to reverse the encryption is pointless, since you know the plain text anyway.

mat
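The structure the answers describe, as an added Python sketch that is not from the original thread: a password-derived key encrypts the constant and is then discarded, so decrypting only returns the constant and checking a password means recomputing. It is not bcrypt: the Feistel cipher and the SHA-256 key setup are stand-ins (assumptions) for Blowfish and EksBlowfishSetup, and the salt and passwords are constructed samples.

```python
import hashlib
import hmac

MAGIC = b"OrpheanBeholderScryDoubt"  # 24-byte constant plaintext from the pseudocode

def key_setup(cost, salt, password):
    # Stand-in for EksBlowfishSetup (assumption): 2**cost rounds of salted hashing.
    state = hashlib.sha256(salt + password).digest()
    for _ in range(2 ** cost):
        state = hashlib.sha256(state + salt + password).digest()
    return state

def _round(key, i, half):
    # Feistel round function; it does not need to be invertible itself.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:len(half)]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key, block, rounds=8):
    # Toy Feistel cipher standing in for Blowfish: reversible given the key.
    left, right = block[:12], block[12:]
    for i in range(rounds):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def decrypt(key, block, rounds=8):
    left, right = block[:12], block[12:]
    for i in reversed(range(rounds)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def toy_hash(cost, salt, password):
    key = key_setup(cost, salt, password)
    ctext = MAGIC
    for _ in range(64):
        ctext = encrypt(key, ctext)
    return cost, salt, ctext  # the key is not stored anywhere

def verify(stored, guess):
    # Checking a password means recomputing the hash, not decrypting it.
    cost, salt, ctext = stored
    return hmac.compare_digest(toy_hash(cost, salt, guess)[2], ctext)

def undo_with_key(stored, key):
    # With the right key the cipher reverses, but only to the public constant.
    ctext = stored[2]
    for _ in range(64):
        ctext = decrypt(key, ctext)
    return ctext

SALT = bytes(range(16))                      # constructed sample salt
STORED = toy_hash(4, SALT, b"correct horse")  # constructed sample password
```

Running `undo_with_key` with the correct key returns `MAGIC`, which the verifier already knows; the password only ever enters through `key_setup`.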