[Esapi-php] Arnaud, how goes work on encryptor?

Mike Boberski mike.boberski at gmail.com
Sun Feb 7 18:01:54 EST 2010


Hi Arnaud, sounds good, thank you, I'll check it out. We're going to break
from the Java version for ours, both of them. I'll respond in more detail
shortly.

Mike B.

email    mike.boberski at gmail.com
blog      mikeboberski.blogspot.com
book     www.owasp.org/index.php/ASVS
tools     www.owasp.org/index.php/ESAPI


On Sun, Feb 7, 2010 at 4:34 PM, Arnaud Labenne <arnaud.labenne at dotsafe.fr> wrote:

> Hi Mike,
>
>    Sorry for the delay, I was very busy this week.
>
>    I committed the crypto stuff, trying to follow your new
> requirements. I did not understand what the purpose of the setKey and getKeyName
> functions was. Moreover, should I add a getRandom function? It does not
> exist in the Java version.
>
>    Nevertheless, the committed version works. The encrypt/decrypt is
> based on mcrypt, although hashing relies on the sha1 built-in PHP function. I
> changed my ESAPI.xml:
>
>
> <EncryptionAlgorithm>ESAPI_CRYPTO_MODE_RIJNDAEL-256_ECB</EncryptionAlgorithm>
> <HashAlgorithm>ESAPI_CRYPTO_MODE_SHA1</HashAlgorithm>
>
>    I agree, these constant values are not very user friendly...
>
> Arnaud Labenne
>
> Boberski, Michael [USA] wrote:
> > FYI, I've made some further tweaks, got it down to two public methods,
> > while allowing for as much future expansion as folks have
> > cycles/interest in, while allowing its use to be as clear and simple
> > as possible... I'll continue to poke away at it...
> >
> > Mike B.
> >
> >
> > ------------------------------------------------------------------------
> > *From:* esapi-php-bounces at lists.owasp.org
> > [mailto:esapi-php-bounces at lists.owasp.org] *On Behalf Of *Boberski,
> > Michael [USA]
> > *Sent:* Friday, February 05, 2010 10:38 AM
> > *To:* ESAPI for PHP development list
> > *Subject:* [Esapi-php] Arnaud, how goes work on encryptor?
> >
> > Hi Arnaud. How goes work on Encryptor, according to our last best
> > thoughts on its design:
> > http://code.google.com/p/owasp-esapi-php/wiki/Crypto_Guidance (which I
> > updated just now to use our new PEAR naming conventions), figuring out
> > what underlying libraries should be used etc. We only need to target
> > e.g. 1 hash algorithm, 1 encrypt/decrypt algorithm/mode/keysize
> > combination, maybe punt on sign/verify, etc. for the initial release.
> > Please do let me know your thoughts.
> >
> > Best,
> >
> > Mike B.
> >
> > company www.boozallen.com <http://www.boozallen.com/>
> > blog mikeboberski.blogspot.com <http://mikeboberski.blogspot.com/>
> > book www.owasp.org/index.php/ASVS <http://www.owasp.org/index.php/ASVS>
> > tools www.owasp.org/index.php/ESAPI <http://www.owasp.org/index.php/ESAPI>
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Esapi-php mailing list
> > Esapi-php at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/esapi-php
> >