[Ach] Recommending Blowfish in the ACH paper

Pepi Zawodsky pepi.zawodsky at maclemon.at
Tue Nov 5 16:25:54 CET 2013

+1 on excluding DES and 3DES.

The Blowfish bruteforcing tool ist just what the name suggests. A very dumb tool trying out passwords one at a time. This is not an attack on the crypto itself just guessing. The other attacks regarding weak keys are more concerning from what I (barely) understand of the linked Papers.

On recommending Blowfish I'm with Bruce “Almighty” Schneier on Blowfish[0]:

“Writing encryption algorithms is hard, and it's always amazing if one you write actually turns out to be secure. At this point, though, I'm amazed it's still being used. If people ask, I recommend Twofish instead.”

So if the author of Blowfish recommends against its use, I like to trust him on not recommending Blowfish.

This moves our discussion about recommended fish from Blowfish to Twofish.

Best regards

[0]:https://www.computerworld.com.au/article/46254/bruce_almighty_schneier_preaches_security_linux_faithful/?pp=3 "Bruce Almighty: Schneier preaches security to Linux faithful"

On 05.11.2013, at 10:38, Aaron Zauner <azet at azet.org> wrote:
> Blowfish bruteforcing tool:
> http://www.altsci.com/concepts/bf_brute1.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.cert.at/pipermail/ach/attachments/20131105/8f7713e4/attachment.sig>

More information about the Ach mailing list