Twofish Encryption System User Guide
Using Twofish Encryption in Blackbird.

Twofish was an AES candidate and has proven a tough nut to crack. Not only is it one of Blackbird's "encryption entities"; the One Time PAD Encryption system in Blackbird also started out using Twofish as a layer of PAD Key protection. Twofish is a symmetric key encryption system, meaning that data encrypted in a session where a certain password was used to build the encryption key can only be decrypted with that same password. The password must be known by both the sender and the receiver. In the case of Blackbird, you add web content encrypted with Twofish using a particular password, and those who see the data and need to decrypt it on their end must know that password.

Using Twofish is simple. Each Twofish encryption entry in Blackbird requires two parameters: the actual password that needs to be known on both ends, and the identification name of the entry to which the password is attached. This allows multiple users of a web page or site using Blackbird-Twofish to have their own passwords known to the other users, and such entries are not decrypted until or unless the needed information is provided to the applet.



The first step to using Twofish on a Blackbird-protected web page is to right click on the applet to pull up the actions menu, and select the "Encrypt Text with Twofish" option.





There are four fields in the control panel that appears when you select that menu item. At left there are two text areas: the upper is for plain text, and the lower is for cypher text when initiating the encryption function. At right there are two fields, one for the password and the other for the name or identifier. Note that the password field states "leave blank if already entered". If you have already given a password to the applet in a previous encryption or decryption call, the class retains it. Here is the panel with filled out fields for Bob:





Notice that with Twofish the decrypted text is put directly under the plain text. This is a form of testing to make sure the message will be decrypted properly, as this addition to the input text area is actually a decryption of the cyphertext. Meanwhile, the text entry holding the list of numbers that represents the encrypted message is copied and pasted into the web document or forum post, where it will look like this:



And there you can see that this is an entry from "bob". Bob knows his password, and only those who know the password Bob used can decrypt this message when they load the web page into their browser. Of course, there is always Alice! And perhaps somewhere else Alice, who has a shared but different password with Bob, is also making an entry to that web site.





Notice that there is not much difference in outward appearance between the two encrypted entries except for the ID or name. This is Alice's entry to the web page. The outgoing encryption entry is then put into the web document. As always, when using this output in web forums or blogs, the forum or blog software must not strip or change HTML-style tags. For demonstration purposes, these entries are simply entered into the web document HTML page directly. The source of the resulting online document would look something like this:



However, when loading the web page, the information is not automatically decrypted. What is contained in the web page, those long lists of numbers, comes up as seen in the source. It's not decrypted, nor is it processed.





Previously you might have seen the other menu option for Twofish, the one that says "Enter Twofish Password".





This will call up a smaller control panel that allows you to enter the required password and the name of who it belongs to. Let's assume that Eve is also a viewer on the website where Alice and Bob make these encrypted entries. Regardless of how Eve got these passwords (perhaps in the usual way, which is one of the problems with symmetric keys), Eve knows the passwords of both Alice and Bob. Here is the entry to that panel for decrypting entries made by Bob with his password "twofish" (if that is what Bob used then no wonder Eve has it).





Hitting the "Enter" key while in the password field right after entering the password will trigger the response from the Blackbird applet. Without the web page being reloaded, only the encrypted text entry from Bob is decrypted and displayed:





Next, Alice's entry is decrypted by entering the name Alice and the password she used. Once more, if this was the password Alice used, then Eve had no problems. This is the case with passwords: ALWAYS use a strong password. More on passwords at the end of this tutorial.





Once again, hitting the Enter key in the password field will trigger the decryption of Alice's encrypted entries, and now both Alice's and Bob's entries are decrypted.





A note on passwords. Naturally there is a limit to the size of the password used in Blackbird-Twofish: you can use a password up to 32 characters in length! Simple, short passwords can and will be brute-forced in a short time. If you follow the policy for strong passwords, there is less chance of this happening. A password consisting of random characters having no meaning - that is, no dictionary words - can be impossible to crack. It comes down to how many supercomputers would have to run for how long to crack a strong password. That's the basic rule of thumb as far as passwords go: a simple password can be cracked by a brute-force program in a matter of minutes, while a perfectly strong password, using the same encryption algorithm, will need a supercomputer or a cluster of them and still take a long time.
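The rule of thumb above, worked through as an added example (this is not Blackbird code): it bounds the guessing effort for a password of up to 32 characters and converts it to an average search time. The guess rate, the word-list size, the small word list and the sample passwords are assumptions made for illustration; only the 32-character limit and Bob's password "twofish" come from this guide.

```python
import math
import string

MAX_LEN = 32            # password length limit stated in this guide
GUESSES_PER_SEC = 1e10  # assumed attacker guess rate (illustrative only)
DICT_SIZE = 1_000_000   # assumed size of an attacker's word list
# Constructed stand-in for that word list; a real one is far larger.
SAMPLE_WORDS = {"twofish", "blackbird", "password", "alice", "bob"}

POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation + " ")


def pool_size(password):
    """Size of the printable-ASCII pool the password draws from."""
    if not all(any(c in p for p in POOLS) for c in password):
        raise ValueError("this sketch only models printable ASCII")
    return sum(len(p) for p in POOLS if any(c in p for c in password))


def search_bits(password):
    """Upper bound on guessing effort, in bits.

    The bound holds only if every character was chosen at random;
    a dictionary word costs no more than one pass over the word list.
    """
    if not 0 < len(password) <= MAX_LEN:
        raise ValueError("password must be 1..%d characters" % MAX_LEN)
    if password.lower() in SAMPLE_WORDS:
        return math.log2(DICT_SIZE)
    return len(password) * math.log2(pool_size(password))


def average_years(password):
    """Expected time to find the password, searching half the space."""
    seconds = 2 ** search_bits(password) / 2 / GUESSES_PER_SEC
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords, including Bob's from the walkthrough.
    for pw in ("twofish", "xkqzvbn", "T9#kd!2Lq@Zx7&mPw4^Rb8*Vn3$Hs6%J"):
        print("%-34s %6.1f bits  %.3g years"
              % (pw, search_bits(pw), average_years(pw)))
```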











Copyright © 2008