7

Recent research made it apparent that birthday attacks are now 'viable' on 64-bit block ciphers, which Blowfish uses. (the paper in pdf)

At work we use BCrypt for password hashing, as I was taught that for password hashing it was best/safer because it makes use of Blowfish.

I do know that hashing and encrypting are two different things, but as I am no security expert I do not know if we need to change any of our development processes, and if so, what to do about it.

So basically, is BCrypt (and possibly other hashing methods) affected by this?

CuccoChaser
    The password in bcrypt is similar to a blowfish *key*, and not like the plaintext. It only encrypts a dozen bytes with each key, far from the hundreds of gigabytes the attack needs. – CodesInChaos Aug 24 '16 at 16:12

1 Answer

5

Yes, bcrypt is still safe. Blowfish is used in a fundamentally different way inside of bcrypt than for symmetric encryption. The birthday attack requires that an attacker be allowed to encrypt hundreds of gigabytes worth of data under the same key, and then examine the hundreds of gigabytes of ciphertext output in order to find a colliding ciphertext block.

These conditions simply don't exist in the bcrypt hashing function, so even though the underlying algorithm is Blowfish, the attack is not applicable.

Xander
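The data requirement the answer describes, worked through as an added example (not code from the original answer or from any bcrypt implementation): the birthday bound for 64-bit blocks, compared with how many blocks one bcrypt hash encrypts under a single key. The bcrypt figure used (a fixed 24-byte string, three 64-bit blocks, encrypted 64 times after key setup) is an assumption about bcrypt internals that the page itself does not state.

```python
import math

BLOCK_BITS = 64            # Blowfish block size in bits
BLOCK_BYTES = BLOCK_BITS // 8

# Assumption about bcrypt internals (not stated on the page): after the key
# schedule, bcrypt encrypts a fixed 24-byte string (3 blocks of 64 bits)
# 64 times in a row under the same key, i.e. about 192 block encryptions.
BCRYPT_BLOCKS_PER_HASH = 3 * 64


def collision_probability(num_blocks: int, block_bits: int = BLOCK_BITS) -> float:
    """Birthday-bound probability that at least two of num_blocks random
    block values coincide: 1 - exp(-n(n-1) / (2 * 2^b)).
    expm1 keeps tiny probabilities from rounding away to zero."""
    space = 2 ** block_bits
    exponent = -num_blocks * (num_blocks - 1) / (2 * space)
    return -math.expm1(exponent)


def blocks_for_probability(p: float, block_bits: int = BLOCK_BITS) -> int:
    """Smallest number of blocks under one key at which the birthday bound
    reaches collision probability p (inverse of the formula above)."""
    space = 2 ** block_bits
    return math.ceil(math.sqrt(-2 * space * math.log1p(-p)))


def bytes_for_probability(p: float, block_bits: int = BLOCK_BITS) -> int:
    """The same threshold expressed as ciphertext volume in bytes."""
    return blocks_for_probability(p, block_bits) * (block_bits // 8)


def gib(n_bytes: int) -> float:
    return n_bytes / 2 ** 30


if __name__ == "__main__":
    for p in (0.5, 0.99):
        print(f"p={p}: {blocks_for_probability(p):,} blocks "
              f"({gib(bytes_for_probability(p)):.1f} GiB) under one key")
    print(f"one bcrypt hash: {BCRYPT_BLOCKS_PER_HASH} blocks, "
          f"collision probability {collision_probability(BCRYPT_BLOCKS_PER_HASH):.2e}")
```

Even a 50% chance of a single colliding block takes tens of gigabytes of ciphertext under one key, and the attack additionally needs that collision to involve a block holding the secret, which is why the paper's figures run to hundreds of gigabytes; bcrypt never gets past a few hundred blocks per key.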