I’ve searched around and I can’t find a good resource that walks through the entirety of implementing Blowfish.
I am using 5.3.8 so I know I can use the crypt() function, and that I need to pass it a salt that is in the form of
$2[x,y,a]$[base 2 log of number of rounds]$[some string]
But I read somewhere that you need to generate the salt uniquely every time. Does that mean you have to store the salt in your database? If someone steals your database aren’t you in the same position as if you used shaX? How exactly does all of that work.
ALSO
I’ve been reading that Blowfish is also used to decrypt passwords. I had understood it just to be a hashing algorithm, where you encrypt two strings and then check if they match. How and why would you use an algorithm that can be decryptedf?
Salt protects you against rainbow table attack, so it’s OK to store the salt in the same database.
Essentially a rainbow table is a huge table with millions of pre-computed hashes. So if the password is ‘some_pass’ and the hash is ‘ABC123’ the attacker would look at ‘ABC123’ in his rainbow table and he would see that ‘some_pass’ is generating this hash.
If you use salt, the attacker would have the hash and the salt, but this rainbow table cannot work. Rainbow tables contain common passwords and / or all combinations of 1-6 (or more) chars. So if you hash ‘some_pass_salt__123123123123′ you can see the attacker won’t have luck with a rainbow table.
As for implementing your own Blowfish, I hope this is for learning (homework?). Otherwise, it’s almost always a bad idea to implement your own security algorithms, simply because you are not a domain expert and you will miss some obscure details.
Note that you may also want to verify what encryption algorithm is actually used when you call crypt(). MD5 is no longer secure and it can be broken with a good GPU (no typo, you can use your graphics card to break a hash). SHA-1 has been broken but it is computationally difficult to do it (the military can do it); so SHA-1 family is not recommended. Aim for the SHA-2 family.