Also under brain challenged is, for $9.99, something you pay $10 for and think, oh, well, if it's 10 bucks it must be better, this one is called SplashID Safe, SplashID Safe for iPhone. Now, this uses Blowfish rather than AES. And it's one of several, only a few, that do use Blowfish. Blowfish is interesting. It was designed by our friend Bruce Schneier back in 1993. So it's been around a long time, and it has withstood all attack.
The problem with Blowfish is that it uses, because it's so old, it uses a smaller block size. It's a 64-bit symmetric cipher, meaning you put in 64 bits at a time and get out a different 64 bits. That's significant because there aren't - there are, what, we know that there are four billion combinations of 32 bits. That means there's 16 billion billion combinations of 64. Once upon a time, back in '93 when Bruce did that, that was enough. But that was - that's a long time ago in terms of computing power explosion. So 64-bit block ciphers are really no longer considered secure enough for industrial work.
But what is significant about this is that it uses a highly complex key setup, which is to say, remember the way these ciphers work is there's something called a "key schedule" is the technical term, the idea being you take the key, and you do a bunch of stuff to it to create some raw data based on the key, which is then used, for example, by successive rounds of the key. This is the way AES, for example, works, where it's like an 11-round process for, I think it's AES-128 uses 11 rounds. Each of those 11 rounds uses different data from the key setup.
Well, normally a cipher wants a fast key setup, that is, it doesn't want much overhead associated with getting going. Blowfish has a particularly onerous key setup that involves preprocessing of a block of about 4K. So it's very slow to set up the key. But that's a good thing when you're wanting to prevent guessing because any brute forcing is by its nature requiring you to try this key, which means you've got to go through all this, in this case with Blowfish, a lot of work to get this thing set up.
So all of this sounds really good. In fact, I should mention that OpenBSD uses for some of its security Blowfish on purpose because it's so complex. It's just burdensome to guess what the key is. So all of this good stuff was used by SplashID Safe for iPhone for $10. After they did all this, the master password is encrypted under Blowfish - you're giggling, Leo.
Leo: I can just tell something bad's coming.
Steve: Something bad's coming. Master password is encrypted under Blowfish using a fixed key. Which is - I'll spare everyone saying upper and lower case. So it's "g.;59?^/0n1X*{OQIRwy." Now, clearly someone went to some serious trouble coming up with that.
Leo: Nice random password. But it's the same.
Steve: And it's always the same.
Leo: On every - I can't believe it.
Steve: It's built - I know, I know. It's built into the software. That's the magic key. So when someone sees that you're using SplashID Safe, for which you paid $10, and they have access to your raw data, they go, oh. And they simply use Blowfish to decrypt the stored encrypted key using that secret magic phrase. Then that gives them your actual Blowfish key, which allows them to decrypt all your data. So it doesn't matter how long it takes Blowfish to get going and set up its key schedule because they only have to do it once because they can decrypt your key using the secret passphrase built into the application. Not so good
