Well I was contemplating the error of my ways on this thread. I realized that I was wrong. Blowfish's implementation is secure and efficient... from a programmer's point of view.
A few hundred years ago everybody knew the Earth was the center of the universe. Then we knew that the most basic form of stuff (what we now know as atoms) resembled chocolate chip cookies. A hundred years ago, putting a man on the moon was inconceivable. The Nazis thought their Enigma machine was perfect. The password file on *nix systems back in the day used to be world-readable. DES used to be considered strong crypto. The USA's National Bureau of Standards standardized it. The National Institute of Standards and Technology, which formerly was the NBS--the guys who decided DES was good--also say that AES is safe now, too. Imagine what we will know tomorrow. Just think about it: in a few hundred years mankind may be able to zip around the universe at will. It will never happen, you say. Science says it can't. I can't recall how many sciences were later debunked. What makes ours any better?

So what does this have to do with keeping your secrets safe? Well, it occurred to me that no crypto is perfect, as I hope everyone feels. To keep those secrets safe, we don't need stronger crypto--we need more of it. Imagine a large (as in quantity) homogeneous crop that a populated country depends on to eat. If one virus comes along and kills off that crop, then those people will suffer greatly. But, if those people diversify their agriculture and have three crops, then that one virus will not cause famine.

This can be applied to cryptography, and for my practical purposes, cryptographic disks. Imagine the efficacy of taking at least three radically different (from one another) forms of crypto and superimposing those cryptographies on one another. So, for instance, you have the secret which you crypt with A, then crypt it with scheme B, and finally C. If weaknesses are found in one of those cryptographies (I'm confident of this; it's what history teaches us), then schemes A and C are still protecting that data. Sure, it's slow, inefficient.
But if you have need of storing data securely, you should be able to sleep at night, knowing that you're as protected as humanly possible. It's also really paranoid; a simpler implementation, which can be found everywhere, will generally protect you against, say, laptop thieves. Yet, if it is worth doing, it is worth doing right. Doing it right involves obfuscating your data so that any attempts at brute-forcing it would result in no more meaningful data than could be produced by a monkey on a typewriter typing for an epoch or so (they say that the monkey would eventually write Shakespeare). Yes, I am _exaggerating_, but it's to prove my point. There is no value in the second kick of a mule. Look at history: we need to drop our arrogance that our cryptographies are strong. Then we need to do the best job as humanly possible (if you wonder what this route is, just remember--tinfoil hat paranoia) to keep information secret, which I believe involves using different cryptographies for the same set of data. At the very least, the idea of diversification is good... the details can be worked out later. I'm not a programmer nor a cryptographer; I'm a historian and philosopher, among a few other things. That's why you should listen, since if you only speak to the aforementioned types of people, your view of the world will remain narrow--a narrow view of things is dangerous.

Travers K. Buda
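The layering the post describes (encrypt with A, then B, then C, so that a break of one scheme leaves the other two in place) is usually called cascade or multiple encryption. The example below is added here and is not the poster's code; it models the idea with three stand-in layers built from HMAC over three different hash functions, purely so it runs with the Python standard library. The names `LAYER_HASHES`, `layer_xor`, `strip_one_layer` and `remaining_layers_protect`, and the sample plaintext and nonce, are all constructed for this illustration. A real cascade would use three independent block ciphers in place of the HMAC keystreams. The one property the example insists on is the one the argument quietly depends on: each layer gets its own independently generated key. If all three keys came from the same passphrase, a correct guess of that passphrase would open every layer at once, and the extra layers would add cost without adding protection against that attack.

```python
import hmac
import secrets

# Added illustration of cascade (multiple) encryption: the same data is
# encrypted with three unrelated layers A, B and C under independent keys, so
# that a break of any one layer leaves the data still protected by the other two.
# Stand-in layers (constructed for this example, not real ciphers): counter-mode
# keystreams from HMAC over three different hash functions, chosen only so the
# example runs offline with the standard library.
LAYER_HASHES = {"A": "sha256", "B": "sha512", "C": "sha3_256"}
LAYER_ORDER = ("A", "B", "C")


def generate_independent_keys() -> dict:
    """Fresh, independent 32-byte key for each layer.

    Independence is what makes the cascade argument work: if all three keys
    were derived from one passphrase, guessing that passphrase would open every
    layer at once and the extra layers would add nothing against that attack.
    """
    return {name: secrets.token_bytes(32) for name in LAYER_ORDER}


def layer_xor(data: bytes, key: bytes, nonce: bytes, layer: str) -> bytes:
    """Apply one layer: XOR data with an HMAC-based counter-mode keystream.

    XOR is its own inverse, so the same call both applies and removes a layer.
    The nonce must be unique per message for a given key, as with any stream
    cipher.
    """
    hash_name = LAYER_HASHES[layer]
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hash_name).digest()
        stream.extend(block)
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def cascade_encrypt(plaintext: bytes, keys: dict, nonce: bytes) -> bytes:
    """Encrypt with A, then B, then C (the order described in the post)."""
    data = plaintext
    for layer in LAYER_ORDER:
        data = layer_xor(data, keys[layer], nonce, layer)
    return data


def cascade_decrypt(ciphertext: bytes, keys: dict, nonce: bytes) -> bytes:
    """Remove the layers in reverse order: C, then B, then A."""
    data = ciphertext
    for layer in reversed(LAYER_ORDER):
        data = layer_xor(data, keys[layer], nonce, layer)
    return data


def strip_one_layer(ciphertext: bytes, keys: dict, nonce: bytes, broken: str) -> bytes:
    """Model a future break of one layer: its key becomes known and that layer
    is removed. What remains is still encrypted under the two other layers.
    (These stand-in layers are XOR streams and therefore commute, so the broken
    layer can be peeled off regardless of its position in the cascade.)"""
    return layer_xor(ciphertext, keys[broken], nonce, broken)


def remaining_layers_protect(plaintext: bytes, nonce: bytes, broken: str = "B") -> bool:
    """Check the post's claim on constructed data: after layer `broken` falls,
    the partially stripped ciphertext still does not reveal the plaintext, while
    the full key set still decrypts correctly."""
    keys = generate_independent_keys()
    ct = cascade_encrypt(plaintext, keys, nonce)
    partially_stripped = strip_one_layer(ct, keys, nonce, broken)
    fully_decrypted = cascade_decrypt(ct, keys, nonce)
    return fully_decrypted == plaintext and partially_stripped != plaintext


if __name__ == "__main__":
    sample = b"constructed sample plaintext for the cascade demo"  # constructed input
    nonce = secrets.token_bytes(16)  # per-message nonce; never reuse with the same keys
    print("remaining layers still protect:", remaining_layers_protect(sample, nonce))
```

Two caveats worth keeping in mind when reading the result. First, the example only shows confidentiality surviving the loss of one layer; it has no integrity protection at all, and a disk-encryption design would need that separately. Second, the cost the post concedes ("slow, inefficient") is real: every byte is processed three times, and each layer needs its own key management.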