Thanks for the clue. I googled ECB mode and wrote an implementation in Go. It works now. It is sad to learn that this is vulnerable. This decryption method has existed in the system for a long time, and I have only just started working on it, so there is not much I can do to correct it.
On Wednesday, September 13, 2017 at 1:10:11 AM UTC+8, Jesper Louis Andersen wrote:
>
> It is very likely that ECB mode is the culprit here because Blowfish is a
> 64bit cipher and thus uses an 8-byte blocksize.
>
> However, Go's crypto/cipher doesn't have ECB mode. And for good reason: it
> is a quite dangerous mode to use in general (A good example is on the
> Wikipedia page for it, for instance, where encryption of the Linux mascot
> yields artifacts in which it is clear you have the mascot).
>
> If you are trying to implement a faulty system in order to take over the
> faulty system (and correct it!), then you'd have to find code which does
> the ECB mode, or write an ECB mode yourself.
>
> On Tue, Sep 12, 2017 at 4:48 PM Jason Wang <silen...@gmail.com> wrote:
>
>> I have a python function:
>>
>>     from Crypto.Cipher import Blowfish
>>     import binascii
>>
>>     def decrypt_password(encode):
>>         key = 'aa11k55544332211aabbaabbaaddccbb'
>>         blowfish = Blowfish.new(key, Blowfish.MODE_ECB)
>>         packed_password = blowfish.decrypt(binascii.unhexlify(encode))
>>         return packed_password
>>
>> My Golang code is like:
>>
>>     func DecodePassword(pwd string) (decoded string, err error) {
>>         h, err := hex.DecodeString(pwd)
>>         if err != nil {
>>             return
>>         }
>>         var dst = make([]byte, len(h))
>>         cipher, err := blowfish.NewCipher([]byte(blowfishKey))
>>         if err != nil {
>>             return
>>         }
>>         cipher.Decrypt(dst, h)
>>         decoded = string(dst)
>>         return
>>     }
>>
>> The result of Python is like "Vmt7?m3My\x07\x07\x07\x07\x07\x07\x07";
>> the first 9 bytes are useful.
>> The result of Go is like "Vmt7?m3M\x00\x00\x00\x00\x00\x00\x00\x00"; the
>> first 8 bytes are right, the remaining 8 bytes are wrong.
>>
>> Is the "Blowfish.MODE_ECB" parameter in python the key point?
>> How should blowfish be correctly used?
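An added example, not part of the original thread and not code from either poster: a block-by-block ECB decryption loop over Go's cipher.Block interface, followed by removal of padding in which every pad byte equals the pad length (an assumption inferred from the seven \x07 bytes in the Python output). DES from the standard library stands in for blowfish.NewCipher so the block runs without external modules; the key, the plaintext and the names ecb, decryptPassword and sample are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"errors"
	"fmt"
)

// ecb applies a one-block operation (b.Encrypt or b.Decrypt) to each block of
// src in turn; a bare cipher.Block call only ever touches the first block.
func ecb(op func(dst, src []byte), bs int, src []byte) ([]byte, error) {
	if len(src) == 0 || len(src)%bs != 0 {
		return nil, errors.New("input is not a whole number of blocks")
	}
	dst := make([]byte, len(src))
	for i := 0; i < len(src); i += bs {
		op(dst[i:i+bs], src[i:i+bs])
	}
	return dst, nil
}

// decryptPassword ECB-decrypts ct with b, then strips padding in which every
// pad byte equals the pad length (assumed scheme; it matches the seven 0x07
// bytes in the Python output quoted in the thread).
func decryptPassword(b cipher.Block, ct []byte) (string, error) {
	pt, err := ecb(b.Decrypt, b.BlockSize(), ct)
	if err != nil {
		return "", err
	}
	n := int(pt[len(pt)-1])
	if n == 0 || n > b.BlockSize() || !bytes.HasSuffix(pt, bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("invalid padding")
	}
	return string(pt[:len(pt)-n]), nil
}

// sample builds a constructed two-block ciphertext. DES (8-byte blocks, like
// Blowfish) is a stand-in; errors cannot occur for these fixed inputs.
func sample() (cipher.Block, []byte) {
	b, _ := des.NewCipher([]byte("8bytekey"))
	ct, _ := ecb(b.Encrypt, b.BlockSize(), []byte("ninebytes\x07\x07\x07\x07\x07\x07\x07"))
	return b, ct
}

func main() {
	fmt.Println(decryptPassword(sample()))
}
```

Any cipher.Block can be passed in, including the one returned by blowfish.NewCipher in golang.org/x/crypto/blowfish. Because every block is processed independently, equal plaintext blocks produce equal ciphertext blocks, which is the leak the reply above describes.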