[Esapi-user] [OWASP-ESAPI] Issues with Encryption api..

Nishi Kumar nishi787 at hotmail.com
Sun Oct 24 22:18:00 EDT 2010







Hi Kevin,
 
Thanks for your response. Yes, it is in esapi4java-core-2.0-install-guide.doc. I have highlighted the line in red.
 
"You MUST replace the ESAPI Encryptor.MasterKey and Encryptor.MasterSalt in ESAPI.properties with ones you personally generate. By default, the ESAPI.properties file has neither of these set and therefore any many encryption related things will fail until you properly set them. Change them now by using: 
cd <directory containing ESAPI jar>
java -classpath ESAPI-2.0rc2.jar org.owasp.esapi.reference.JavaEncryptor
 
The final lines of output from this will look something like:
Copy and paste this into ESAPI.properties
 
Encryptor.MasterKey=<something here>
Encryptor.MasterSalt=<something here>"
 
I am trying to use the ESAPI encryption APIs to encrypt the Tomcat database userid and password that are set in either context.xml or server.xml. It is working great with the ESAPI 1.4 version of the encrypt and decrypt methods.
 
I was trying to use the 2.0 version of encrypt and decrypt but was having some difficulty getting it to work. To be able to encrypt and decrypt, I have to extend the BasicDataSourceFactory class of Tomcat and provide my own implementation of the class, which decrypts the userid and password. The issue I am having is that after encrypting I need to get the string that is used in context.xml, and then in BasicDataSourceFactory the encrypted value comes as a string that needs to be converted into CipherText so that it can be decrypted. Can you please point me to a sample where I can encrypt/decrypt from a string and my final output is a String? Do you think it is just better to use the 1.4 APIs in this situation? The 1.4 APIs are deprecated, though, so I am guessing they will eventually be removed.
 
Thanks
Nishi Kumar
OWASP Global Education Committee
 
 
> Date: Sun, 24 Oct 2010 17:14:42 -0400
> From: kevin.w.wall at gmail.com
> To: nishi787 at hotmail.com
> CC: jim.manico at owasp.org; Esapi-user at lists.owasp.org
> Subject: Re: [OWASP-ESAPI] Issues with Encryption api..
> 
> On 10/24/2010 03:32 PM, Nishi Kumar wrote:
> > 
> > 
> > Hi All,
> > 
> > I was trying to use the encryption APIs from ESAPI-2.0-rc7 and I was getting an exception in the DefaultSecurityConfiguration.java class on this line.
> > 
> > public static final String DEFAULT_ENCRYPTION_IMPLEMENTATION = "org.owasp.esapi.reference.JavaEncryptor";
> > 
> > It seems JavaEncryptor now exists in the crypto package. The documentation also had a similar reference.
> 
> Yep. You're absolutely right. That one was overlooked, as was the javadoc
> reference in SecurityProviderLoader.
> 
> The only other documentation reference that I found where the package name was
> still org.owasp.esapi.reference was in esapi4java-core-2.0-install.doc. Is
> that the documentation that you were referring to where it was wrong?
> 
> I have just committed these changes so they will be available in the next
> ESAPI 2.0 release, or from SVN, if you build from there.
> 
> Jim: Did you want a Google issue created for this as well, or is it sufficient
> to just fix it like I did? (Just being lazy!)
> 
> Thanks,
> -kevin
> -- 
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents." -- Nathaniel Borenstein, co-creator of MIME
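
The string-in, string-out round trip asked about in this message, as an added example that is not part of the original thread or of ESAPI's own code. The class name StringCrypto and its method names are hypothetical; it assumes ESAPI 2.x on the classpath and an ESAPI.properties in which Encryptor.MasterKey and Encryptor.MasterSalt have already been generated.

```java
import java.io.IOException;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;
import org.owasp.esapi.errors.EncryptionException;

// Hypothetical helper (the name is illustrative, not part of ESAPI).
// Assumes ESAPI 2.x and a configured ESAPI.properties (MasterKey/MasterSalt).
public final class StringCrypto {

    private StringCrypto() {}

    /** Encrypt a string and return Base64 text that fits in an XML attribute. */
    public static String encryptToString(String clear) throws EncryptionException {
        CipherText ct = ESAPI.encryptor().encrypt(new PlainText(clear));
        // The portable serialization carries the IV, cipher transformation
        // and MAC along with the raw ciphertext, so this is what gets stored.
        byte[] serialized = ct.asPortableSerializedByteArray();
        return ESAPI.encoder().encodeForBase64(serialized, false); // no line wrapping
    }

    /** Reverse of encryptToString: stored Base64 text back to the original string. */
    public static String decryptFromString(String stored)
            throws EncryptionException, IOException {
        byte[] serialized = ESAPI.encoder().decodeFromBase64(stored);
        // Rebuild the CipherText object from the stored bytes, then decrypt it.
        CipherText ct = CipherText.fromPortableSerializedBytes(serialized);
        PlainText plain = ESAPI.encryptor().decrypt(ct);
        return plain.toString();
    }

    public static void main(String[] args) throws Exception {
        String sample = "db_password_example"; // constructed sample value
        String stored = encryptToString(sample);
        System.out.println("Value for context.xml: " + stored);
        if (!sample.equals(decryptFromString(stored))) {
            throw new IllegalStateException("round trip failed");
        }
    }
}
```

A BasicDataSourceFactory subclass would call decryptFromString on the username and password values it reads before building the data source. The stored values are only as protected as the master key, so ESAPI.properties needs restrictive file permissions on the Tomcat host.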
 		 	   		  