What is Twofish? Is Twofish secure?

Twofish is the successor to Blowfish, and, like its predecessor, uses symmetric encryption, so only one 256-bit key is necessary. This technique is one of the fastest encryption algorithms and is ideal for both hardware and software environments. When it was released, it was a finalist for the National Institute of Technology and Science’s (NIST’s) competition to find a replacement for the Data Encryption Standard (DES) encryption algorithm. In the end, the Rjindael algorithm was selected over the Twofish encryption algorithm. Similar to Blowfish, a block cipher is used in this symmetric encryption algorithm.

Symmetric encryption is a process that uses a single key to both encrypt and decrypt information. The key is taken in, along with the plaintext information, by the encryption algorithm. This key encrypts the data into ciphertext, which cannot be understood unless it is decrypted. When the encrypted data is sent to the recipient of the data, the symmetric encryption key must also be sent, either with or after the ciphertext has been sent. This key can then be used to decrypt the data.

Is Twofish secure?

A question many organizations ask is: Is Twofish safe, if the NIST did not want to use it to replace DES? The answer is yes, Twofish is extremely safe to use. The reason the NIST did not wish to utilize Twofish is due to it being slower, compared to the Rjindael encryption algorithm. One of the reasons that Twofish is so secure is that it uses a 128-bit key, which is almost impervious to brute force attacks. The amount of processing power and time needed to brute force a 128-bit key encrypted message makes whatever information that is being decrypted unactionable, as it could take decades to decrypt one message.

This does not mean that Twofish is impervious to all attacks, however. Part of Twofish’s encryption algorithm uses pre-computed, key dependent substitution to produce the ciphertext. Precomputing this value makes Twofish vulnerable to side channel attacks, but the dependence of a key with the substitution helps protect it from side channel attacks. Several attacks have been made on Twofish, but the creator of the algorithm, Bruce Schneier, argues these were not true cryptanalysis attacks. This means a practical break of the Twofish algorithm has not occurred yet.

What uses Twofish for encryption?

Though, like the Advanced Encryption Standard (AES), Twofish is not the most commonly used encryption algorithm, it still has many uses seen today. The most well-known products that use Twofish in their encryption methods are:

  • PGP (Pretty Good Privacy): PGP is an encryption algorithm that utilizes Twofish to encrypt emails. The data of the email is encrypted, but the sender and subject are not encrypted.
  • GnuPG: GnuPG is an implementation of OpenPGP that lets users encrypt and send data in communications. GnuPGP uses key management systems and modules to access public key directories. These public key directories provide public keys published by other users on the Internet, so that if they send a message with encrypted with their private key, anyone with access to the public key directory can decrypt that message.
  • TrueCrypt: TrueCrypt encrypts data on devices, with encryption methods that are transparent to the user. TrueCrypt works locally on the user’s computer, and automatically encrypts data when it leaves the local computer. An example would be a user sending a file from their local computer to an outside database. The file sent to the database would be encrypted as it leaves the local computer.
  • KeePass: KeePass is a password management software that encrypts passwords that are stored, and creates passwords using Twofish.