Kevin W. Wall
kevin.w.wall at gmail.com
Sat Aug 6 13:32:12 EDT 2011
On Sat, Aug 6, 2011 at 6:47 AM, Jeffrey Walton <noloader at gmail.com> wrote:
> Hi Kevin,
> I was reading http://download.oracle.com/javase/1.4.2/docs/guide/security/jce/JCERefGuide.html#AppA.
A more up-to-date version:
The format is a bit different, but this has more algoritims mentioned, e.g.,
Also, the latest of what the SunJCE provides for JDK 6 is here, in
nice, succint table:
> It might be a good idea to restrict ciphers and modes. I envision a
> knarly Factory with lots of manual instantiations if everything is
> supported. I believe there are [up to] AxMxP choices
Yep, I agree; given that one does not have reflectionat one's disposal, writing
factories usually beomes one big mess of if/else if/else if/... code.
You'll get a good idea of what we are using / accept in ESAPI 2.0, but
searching for "Encryptor" in its ESAPI.properties file.
I think there's a *miminal* set of what we need to support: Here's what I
Symmetric block ciphers:
AES, DESede (2-key and 3-key varieties)
Currently not using any symmetric stream ciphers such as RC4, so
don't need that,
at least for now.
Message Digest / Hashing Algorithms:
HmacSHA1, HmacSHA256, HmacSHA384, and HmacSHA512
Block Cipher modes:
CBC, GCM, CCM
(Nothing to do w/ key gen, but while we're on the topic...)
None, PKCS5Padding (note: equivalent to PKCS7 padding for ciphers
with block sizes up to either 128-bits, or maybe
even 256 bits...too
lazy to look it up, but works for all ciphers
I've ran across in either
JCE or MSCAPI).
For RSA... not required yet, but thinking forward to ESAPI 2.1, I
think we would need
support for the OAEPWith<digest>And<mgf>Padding
padding schemes. At least
OAEPWITHMD5ANDMGF1PADDING, although I wouldn't use it
I suppose it's debatable of whether we should support DES. I suspect there's a
lot of legacy encrypted data out there that might be able to benefit
from it, but by the
same token, anytime you support something, someone is going to abuse and I'd
really like DES to just die. So, mixed feelings about that. I can see
Hope this helps somewhat.
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein
More information about the Owasp-esapi-c++