How to use BouncyCastle in C# for Blowfish one-way hashing?

2

10

I've seen a ton of questions asked about Blowfish and C# and the usual answer is BouncyCastle. However, the project has basically no documentation and I can't find my way around the directory structure to even find unit tests as examples. I mean, is Blowfish known as Asn1, Bcpg, Crypto (in general?), EC, Ocsp, Pkcs, or what? I lack the domain knowledge of knowing what all of the acronyms in the source code mean.

Are there any useful articles or blogs or something that have succeeded in using the C# BouncyCastle API for Blowfish? My primary need is to use Blowfish for password hashing.

Faus answered 21/6, 2011 at 21:21 Comment(10)
If you poke around the test classes you may be able to find something. That's the first place I'd look. - Materse
@Materse which ones? There is no file named "Hey you, this is the Blowfish class you're looking for.cs" rather it'd be more likely named "BkdeCompTest.cs" or something. Like I said, I don't know the acronyms they use. - Faus
Have you done a global search for blowfish? For me it turned up Org.BouncyCastle.Crypto.Engines.BlowfishEngine - Corvese
Ah, should've done it within VS instead of explorer's crappy search function. But even then, I'm not seeing how you tie that into hashing. It's encryption as far as I see. - Faus
Blowfish is a block cipher, not a hash algorithm. Do you have any source for using Blowfish for hashing a password? - Gastronomy
I have seen blowfish used for hashing passwords in a sybase DB. I'm not sure why. - Corvese
You have to put the engine into one of the cipher classes, e.g. Org.BouncyCastle.Crypto.BufferedBlockCipher. I'm not sure what to do from there. - Corvese
@Gastronomy google.com/search?q=blowfish+hash It has been known as one of the most secure hashing algorithms because you can set how much it must work and because of its expensive preprocessing step. - Faus
Blowfish is not a hash but bcrypt, which uses blowfish, is. - Aceto
I personally have found that reading the bouncycastle source is more enlightening than reading the .NET documentation, if we are comparing the two. - Aceto
5

For password hashing I would recommend going with bcrypt, which internally uses Blowfish. The advantage of using bcrypt is that you can easily configure how expensive it is in generating your output hash. This is important as the biggest problem with many popular hash algorithms is that they work very quickly and this allows a brute force attack to run through many permutations to find a match. By specifying a large work factor you can make it slow to run (in computer terms but still fast in human terms) and so a brute force attack becomes unfeasible.

There are C# implementations already available.

Rasure answered 22/6, 2011 at 6:35 Comment(0)
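
An added example, not part of the original thread, of the configurable work factor described in the answer above. It assumes a BouncyCastle C# release that ships `Org.BouncyCastle.Crypto.Generators.OpenBsdBCrypt` (1.8 or later); `PasswordHasher`, `TargetCost` and `NeedsRehash` are hypothetical names chosen for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Security.Cryptography;
using Org.BouncyCastle.Crypto.Generators;   // OpenBsdBCrypt (assumed: BouncyCastle C# 1.8+)

static class PasswordHasher
{
    // Assumed policy value; tune it so one hash costs a noticeable fraction of a second.
    const int TargetCost = 12;

    public static string Hash(string password, int cost = TargetCost)
    {
        var salt = new byte[16];                    // bcrypt uses a 16-byte salt
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);                     // fresh random salt per password
        // Result is a modular-crypt string: $<version>$<cost>$<salt+hash>
        return OpenBsdBCrypt.Generate(password.ToCharArray(), salt, cost);
    }

    // Salt and cost are read back from the stored string, so nothing else is kept.
    public static bool Verify(string stored, string candidate) =>
        OpenBsdBCrypt.CheckPassword(stored, candidate.ToCharArray());

    // The cost travels with the hash, so hashes made under an older, cheaper
    // setting can be spotted and replaced after the next successful login.
    public static bool NeedsRehash(string stored) =>
        int.Parse(stored.Split('$')[2]) < TargetCost;
}

static class Demo
{
    static void Main()
    {
        const string password = "correct horse battery staple";  // constructed sample

        // Each +1 in cost doubles the key-setup work (2^cost rounds).
        for (int cost = 8; cost <= 12; cost++)
        {
            var sw = Stopwatch.StartNew();
            PasswordHasher.Hash(password, cost);
            Console.WriteLine($"cost {cost}: {sw.ElapsedMilliseconds} ms");
        }

        string legacy = PasswordHasher.Hash(password, 8);
        Console.WriteLine(PasswordHasher.Verify(legacy, password));
        Console.WriteLine(PasswordHasher.Verify(legacy, "wrong guess"));
        Console.WriteLine(PasswordHasher.NeedsRehash(legacy));
    }
}
```

The timing loop is the practical way to pick a cost: raise it until a single hash is as slow as your login path can tolerate, then rely on `NeedsRehash` to migrate older entries.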
0

Also you should check out: "Why does BCrypt.net GenerateSalt(31) return straight away?" And the codeplex implementation: bcrypt.codeplex.com

Dyson answered 22/6, 2011 at 17:7 Comment(0)
