Blowfish Advanced CS - Frequently Asked Questions.
Last update: July 24th, 2007
Q01: What is the strongest cipher available in this software?
A: All of the ciphers/algorithms in Blowfish Advanced CS are strong, which means there haven't been any significant weaknesses found by the crypto community. Technically they only differ in the way data gets handled (less important for the common user) and in their performance (more important for the common user). Yet since the file I/O and the compression are usually the bottlenecks, even the speed factor hardly counts. Personally I prefer Blowfish, just because it's the algorithm which started my professional career.
Q02: Are there any trapdoors storing the passwords somewhere?
A: No trapdoors, no secret passages. The keys don't get stored anywhere. The only exception is the safe key hashes used for the Auto Confirmation, yet it is impossible to derive the original keys from this repository.
Q03: Wouldn't it be nice to have a self-decrypting EXE format in Blowfish Advanced CS?
A: This seems to be one of the most commonly requested features. It is definitely on my list, but please keep asking. What I'm concerned about is that EXE file attachments usually are very suspicious nowadays, so many firewalls, proxies or local virus scanners filter them out and put them under quarantine. There's also a big security issue involved: you can never know if the EXE actually was modified on its way to your recipient - so rather than launching a self-decrypting file she might open a virus spreader!
Q04: What key length do you use for cipher XYZ?
A: Please check out the Technical Reference in the Help file. There you will find all the answers and many more.
Q05: Help, my files do not decrypt anymore, but my password is the right one (I swear), what's going on?
A: There are multiple possible reasons:
Q06: I have lost my password, what can I do?
A: If the password is truly gone then chances are low that you will be able to recover your files. However if your password was simple you might have a chance to recover it with a brute force key search tool like the Password Finder, written by me and available on my download page. I'll be working on both ends of this issue, which could be to make an even better password finder, but also on a way to make these brute force attacks harder, to counteract any key search tool.
Q07: Is there a command line version?
A: No. The source code is ready for it, but there's not enough time right now on my end to finish such a project. Any volunteers?
Q08: I used a file recovery utility and all the files I wiped are still there, why?
A: Blowfish Advanced CS wipes the files by clearing the original content, but it doesn't touch the file system structures themselves. I found this too risky to code at the time; for instance, there is no official specification for Microsoft's NTFS file system. Although it might work (as it does with other utilities) I don't want to be the one corrupting your whole disk just because tool X was also running at the same time. Note however that the file content is definitely gone, even if you're able to "recover" the files.
Q09: Why is bfaCS back now, what happened during the last five years, and what about the future?
A: First I want to apologize to all of the people who registered the first versions of Blowfish Advanced CS in 1999 and early 2000, before it became open source. I only got one nasty e-mail, but I understood the anger. The reason for the development stall was the fact that I moved from Germany to the United States in April 2000, to join a startup company. It sure was fun while it lasted, for over two years, before we ran out of money. We were actually right next to Borland in the same building in Scotts Valley, California. In November 2002 I then joined Zonelabs, the company behind ZoneAlarm and Integrity - and I stayed with them until April 2006. There I was also much closer to my original field of security and all things crypto. In early 2004 the motivation came back to recover the Blowfish Advanced CS project. The project is now in good shape regarding solid code and the amount of testing applied. However further development is stalled again for multiple reasons. First there's still the time factor and second the huge shift in Windows software development we're seeing right now. It is C# and the .NET Framework 3.0, say hello to XAML and a framework eliminating the need for an encryption library like bfaCS's CryptPak. The "nextgen bfaCS" could only mean a complete rewrite. Full disk encryption like TrueCrypt and the one in Windows Vista, together with storage getting cheaper and cheaper, also shrink the market for file encryption tools. We shall see...
Q10: Will there be a commercial version of Blowfish Advanced CS?
A: As it looks right now: no, nothing commercial planned. Enjoy the freebie whoever you are.
Q11: MD5 and SHA-1 are broken, aren't they used in Blowfish Advanced CS?
A: It's true that recently some weaknesses have been found in the "secure" hash algorithms MD5 and SHA-1. There are now attacks or at least proofs which show that there are easier ways than brute force to generate message collisions. So far nobody really has panicked yet, since the amount of CPU power needed to run these attacks goes from immense up to astronomical. Blowfish Advanced CS actually uses the algorithms for other purposes than checksumming a message, which was the original goal of the designers. Both are used to generate key checksums or to set up encryption keys. For these operations there has been no attack or even a concept so far, at least none that I've read about. So for now we're all still pretty safe. Of course this can change tomorrow, but even if smarter attacks surface bfaCS won't be affected much. Right now I'm much more concerned about spyware, rootkits and hardware sniffers when it comes to attacks on file encryption, not to talk about weakly chosen passwords.
Q12: I tried to clear empty disk space, but now my disk is full, why?
A: To overwrite the empty space on your drives Blowfish Advanced CS creates very large files, 2GB each, and keeps them until the whole disk is full. Then they get deleted. If something goes wrong in the middle (crash, computer shutdown, etc.) these files are left behind. There was also a bug in versions below 2.56 which could cause these ghost files. Getting rid of them is quite easy though - just scan your drive for very large files with the extension TMP and delete them. Usually all *.TMP are leftovers anyway and should be removed to get back disk space. With version 2.56+ bfaCS also prefixes its temporary files with "[-]", so you can identify them more easily - just search for "[-]*.tmp" and remove them if you think that something went wrong.
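The two mechanisms described in Q08 and Q12 (wiping by overwriting a file's content in place without touching file system structures, and clearing free space by creating fill files until the disk is full and then deleting them), as an added illustration that is not bfaCS's own code. The chunk size, the demo-only `max_total` cap and the temp-dir run are constructed for the example; the real tool writes 2GB files until ENOSPC.

```python
import errno
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # write granularity, a constructed value for the demo

def _write_random(f, nbytes: int) -> int:
    """Write nbytes of random data through f in CHUNK pieces, then fsync."""
    left = nbytes
    while left > 0:
        n = min(CHUNK, left)
        f.write(os.urandom(n))
        left -= n
    f.flush()
    os.fsync(f.fileno())
    return nbytes

def overwrite_content(path) -> int:
    """Overwrite the bytes in place; the name and file-system metadata stay."""
    with open(path, "r+b") as f:
        return _write_random(f, os.path.getsize(path))

def fill_free_space(directory: str, file_size: int, max_total: int) -> int:
    """Create "[-]N.tmp" files until ENOSPC (or the demo-only cap), then delete them."""
    created, written = [], 0
    try:
        while written < max_total:
            created.append(os.path.join(directory, f"[-]{len(created)}.tmp"))
            with open(created[-1], "wb") as f:
                written += _write_random(f, min(file_size, max_total - written))
    except OSError as e:
        if e.errno != errno.ENOSPC:  # a full disk is the expected stop condition
            raise
    finally:  # a crash before this point is what leaves the ghost files behind
        for p in created:
            Path(p).unlink(missing_ok=True)
    return written

def demo() -> dict:
    """Constructed run: wipe a 1100-byte file, then fill 200 KB of free space."""
    d = Path(tempfile.mkdtemp())
    secret = b"top secret " * 100
    (d / "secret.txt").write_bytes(secret)
    wiped = overwrite_content(d / "secret.txt")
    after = (d / "secret.txt").read_bytes()  # what a "recovery" tool would see
    (d / "secret.txt").unlink()
    filled = fill_free_space(str(d), 64 * 1024, 200 * 1024)
    return {"wiped": wiped, "content_gone": secret not in after, "filled": filled,
            "same_size": len(after) == len(secret), "leftovers": os.listdir(d)}
```

After `overwrite_content` the directory entry still names `secret.txt` at its old size, which is exactly what a file recovery utility reports, but the bytes behind it are random.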
Q13: Couldn't you also encrypt folder names?
A: Yes, but not really :) Blowfish Advanced CS doesn't do any low level file system access, so the directory name would still probably remain somewhere on disk for quite a while. Thus this feature wouldn't really provide true security. There's a better solution however: just encrypt all the files of a directory tree into one single folder with the options "Store Original Pathnames" and "Rename Files" activated. You'd then be able to restore the files with their pathnames nicely. For checking out what is located where you'd then use the Scanner option (F8).