Kevin W. Wall
kevin.w.wall at gmail.com
Fri Aug 12 12:36:16 EDT 2011
On Fri, Aug 12, 2011 at 12:22 PM, Daniel Amodio
<dan.amodio at aspectsecurity.com> wrote:
> I agree with the ciphers.
> DESede... is that triple DES?
Yes, DESede stands for triple DES applied as 'encrypt-decrypt-encrypt' (EDE).
There are two variants of it: a two-DES-key (112-bit) version and a three-DES-key
(168-bit) version. The 168-bit version is subject to export regulations
(anything longer than 128-bit is), so the best way to avoid this is to NOT
package Crypto++ with ESAPI. (Which I don't think we are intending to do.)
> Also, I thought SHA1 was not preferred? Am I thinking something else?
It's not _preferred_, but HMACSha1 is still strong (it does not suffer [yet]
from the same collision attacks that SHA1 does), and furthermore, you almost
certainly will need it for support of legacy systems. We probably will make
the default something like HMACSha256 for keyed hashing.
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein
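The keyed hashing and the DESede keying options discussed in the message above, as an added example that is not code from the ESAPI C++ project or from the poster: it builds HMAC-SHA1 and HMAC-SHA256 from the RFC 2104 definition using Python's hashlib, checks the result against the standard-library hmac module, and shows the two-key DESede key layout (K3 = K1). Function names are my own.

```python
import hashlib
import hmac


def hmac_from_definition(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), RFC 2104.

    hash_name is 'sha1' or 'sha256'; both compress 64-byte blocks. The key is
    what makes this a keyed hash: an attacker who can find SHA-1 collisions
    still cannot forge a tag without K, which is why HMAC-SHA1 is not broken
    by the SHA-1 collision attacks.
    """
    h = getattr(hashlib, hash_name)
    block = h().block_size                 # 64 for SHA-1 and SHA-256
    if len(key) > block:
        key = h(key).digest()              # overlong keys are hashed first
    key = key.ljust(block, b"\x00")        # short keys are zero-padded
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + msg).digest()
    return h(opad + inner).digest()


def reference_hmac(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """Same computation via the standard library, used as an oracle."""
    return hmac.new(key, msg, getattr(hashlib, hash_name)).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Verify a received tag; compare_digest avoids timing leaks."""
    expected = hmac_from_definition(key, msg, hash_name)
    return hmac.compare_digest(expected, tag)


def two_key_to_three_key_3des(key16: bytes) -> bytes:
    """Two-key DESede (K1, K2) is EDE with K3 = K1; return the 24-byte form.

    Each DES key is 8 bytes with 56 effective bits (8 parity bits), hence the
    nominal 112-bit (two-key) and 168-bit (three-key) strengths in the thread.
    """
    if len(key16) != 16:
        raise ValueError("two-key DESede key must be 16 bytes")
    k1, k2 = key16[:8], key16[8:]
    return k1 + k2 + k1


if __name__ == "__main__":
    # Constructed sample values, not from any real system.
    key, msg = b"constructed-demo-key", b"message to authenticate"
    tag = hmac_from_definition(key, msg, "sha256")
    print("sha256 tag matches stdlib:", tag == reference_hmac(key, msg, "sha256"))
    print("verify ok:", verify_tag(key, msg, tag))
```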
More information about the Owasp-esapi-c++