From the help text of the Cryptographic Mode Status, when it is set to Permissive, all algorithms are allowed.  We are on firmware 10.0.x.x.

However, we do not see the Blowfish in the list of ciphers when creating TLS crypto profiles. Or is it named something else?


Furthermore, from the knowledge center, the extension dp:decrypt-data and dp:encrypt-data and dp:encrypt-string do not support the Blowfish algorithm.

We just would like to get confirmation that Blowfish is not supported at all?

------------------------------
Paul Dango
------------------------------

Paul: I think there's some confusion, but I understand that.

• The information about crypto modes (permissive vs FIPS) is what the FIPS standard states so is technically correct.
• Blowfish was vulnerable to SWEET32 and other attacks are reported as a CVE back in 2016. As part of the addressing this vulnerability, DataPower removed the DES and 3DES CBC algorithms from the default list. As you know, when DataPower deprecated the SSL proxy profiles to SSL client/server profiles (since renamed from SSL to TLS), we provided customers full support of algorithms (where Blowfish was never a direct choice for it's a cipher).
• For the cited XSLT extensions, they never mentioned Blowfish (for same reason). However, these extension still allow a customer to use "triple-des".

Therefore, what DataPower does with the way you configure the TLS profiles is exactly how DataPower will behave. The DataPower behavior is based on what the actual TLS specs show. For each algorithm you can select to enable or disable, it lists its RFC where it's defined. When I went into these specs, I didn't see Blowfish mentioned at all. The only explicit place where I see Blowfish mention in DataPower (beyond the statement from FIPS) is with SSH profiles that is a different security protocol.

Hopefully this answers your question.
​

------------------------------
F Hackerman
------------------------------

Original Message:
Sent: Thu September 08, 2022 11:28 AM
From: Paul Dango
Subject: Blowfish Cipher

From the help text of the Cryptographic Mode Status, when it is set to Permissive, all algorithms are allowed.  We are on firmware 10.0.x.x.

However, we do not see the Blowfish in the list of ciphers when creating TLS crypto profiles. Or is it named something else?


Furthermore, from the knowledge center, the extension dp:decrypt-data and dp:encrypt-data and dp:encrypt-string do not support the Blowfish algorithm.

We just would like to get confirmation that Blowfish is not supported at all?

------------------------------
Paul Dango
------------------------------

Thank you for the clarification.

------------------------------
Paul Dango
------------------------------

Original Message:
Sent: Fri September 09, 2022 11:00 AM
From: F Hackerman
Subject: Blowfish Cipher

Paul: I think there's some confusion, but I understand that.

• The information about crypto modes (permissive vs FIPS) is what the FIPS standard states so is technically correct.
• Blowfish was vulnerable to SWEET32 and other attacks are reported as a CVE back in 2016. As part of the addressing this vulnerability, DataPower removed the DES and 3DES CBC algorithms from the default list. As you know, when DataPower deprecated the SSL proxy profiles to SSL client/server profiles (since renamed from SSL to TLS), we provided customers full support of algorithms (where Blowfish was never a direct choice for it's a cipher).
• For the cited XSLT extensions, they never mentioned Blowfish (for same reason). However, these extension still allow a customer to use "triple-des".

Therefore, what DataPower does with the way you configure the TLS profiles is exactly how DataPower will behave. The DataPower behavior is based on what the actual TLS specs show. For each algorithm you can select to enable or disable, it lists its RFC where it's defined. When I went into these specs, I didn't see Blowfish mentioned at all. The only explicit place where I see Blowfish mention in DataPower (beyond the statement from FIPS) is with SSH profiles that is a different security protocol.

Hopefully this answers your question.
​

------------------------------
F Hackerman

Original Message:
Sent: Thu September 08, 2022 11:28 AM
From: Paul Dango
Subject: Blowfish Cipher

From the help text of the Cryptographic Mode Status, when it is set to Permissive, all algorithms are allowed.  We are on firmware 10.0.x.x.

However, we do not see the Blowfish in the list of ciphers when creating TLS crypto profiles. Or is it named something else?


Furthermore, from the knowledge center, the extension dp:decrypt-data and dp:encrypt-data and dp:encrypt-string do not support the Blowfish algorithm.

We just would like to get confirmation that Blowfish is not supported at all?

------------------------------
Paul Dango
------------------------------