[Esapi-user] [OWASP-ESAPI] Issues with Encryption api..

Jim Manico jim.manico at owasp.org
Thu Oct 28 09:03:29 EDT 2010


 > We had some concern about the key being in the properties file and 
how to protect the key.

I agree, this is a big deal. The key(s) should be stored in a key vault, 
and we plan to make this enhancement very soon.

Kevin, I've been using the standard Java runtime key-vault lately, and 
it's quite simple to use and manage (even though it's only password 
protected). Would it be that difficult to make this change? I'd be glad 
to dive in and help myself.

Another alternative is to use the Encrypted property file mechanism is 
ESAPI, but then again we are just moving the ball around the field....

Thoughts?

- Jim

> Thanks Kevin I got version 2.0 encryption api's to work. We had some 
> concern about the key being in the properties file and how to protect 
> the key. Is there any use case that you can point me where somebody 
> used the OWASP 2.0 encryption api's and how did they go about 
> protecting the key specially if the product needs to installed on the 
> customer site.
>
> Thanks
> Nishi Kumar
> OWASP Global Education Committee
>
> > Date: Mon, 25 Oct 2010 01:21:37 -0400
> > From: kevin.w.wall at gmail.com
> > To: nishi787 at hotmail.com
> > CC: jim.manico at owasp.org; esapi-user at lists.owasp.org
> > Subject: Re: [OWASP-ESAPI] Issues with Encryption api..
> >
> > On 10/24/2010 10:18 PM, Nishi Kumar wrote:
> >
> > > Thanks for your response. Yes it is in 
> esapi4java-core-2.0-install-guide.doc I have highlighted the line in red.
> > >
> > > "You MUST replace the ESAPI Encryptor.MasterKey and 
> Encryptor.MasterSalt in ESAPI.properties with ones you personally 
> generate. By default, the ESAPI.properties file has neither of these 
> set and therefore any many encryption related things will fail until 
> you properly set them. Change them now by using:
> > > cd <directory containing ESAPI jar>
> > > java -classpath ESAPI-2.0rc2.jar 
> org.owasp.esapi.reference.JavaEncryptor
> > >
> > > The final lines of output from this will look something like:
> > > Copy and paste this into ESAPI.properties
> > >
> > > Encryptor.MasterKey=<something here>
> > > Encryptor.MasterSalt=<something here>"
> >
> > OK, I fixed that a bit earlier. Just wanted to confirm that's all 
> there was wrt
> > documentation. If you get a new version of
> > documentation/esapi4java-core-2.0-install-guide.doc
> > from SVN, you will see the changes.
> >
> > > I am trying to use ESAPI encryption api's to encrypt Tomcat 
> database userid and password
> > > that is either set in context.xml or server.xml. It is working 
> great with
> > > ESAPI 1.4 version of encrypt and decrypt methods.
> > >
> > > I was trying to use 2.0 version of encrypt and decrypt but was 
> having some
> > > difficulty getting it to work. To be able to encrypt and decrypt I 
> have to
> > > extend BasicDataSourceFactory class of Tomcat and provide my own
> > > implementation of the class which decrypts the userid password. The
> > > issue I am having is after encrypting I need to get the string that is
> > > used in context.xml and then in BasicDataSourceFactory the encrypted
> > > value comes as string that needs to be converted into CipherText so
> > > that it can be decrypted. Can you please point me to a sample where I
> > > can encrypt/dycrypt from a string and my final output is a String .
> >
> > Two good places to look are:
> >
> > 1) src/examples/java/PersistedEncryptedData.java
> > and the corresponding script to execute this,
> > src/examples/scripts/persistEncryptedData.sh
> >
> > 2) The documentation "ESAPI 2.0 Symmetric Encryption User Guide"
> > described in
> > documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html
> >
> > In ESAPI 2.0RC10, August Detlefsen also created a new reference 
> implementation
> > for EncryptedProperties called ReferenceEncryptedProperties that 
> actually
> > extends java.util.Properties. The class java.util.Properties hash 
> methods
> > called loadFromXML() and storeToXML(). Sounds like that class might be a
> > good match for what you are looking for.
> >
> > > Do you think it is just better to use 1.4 api's in this situation. 
> Though
> > > 1.4 api's are deprecated so I am guessing eventually it will be 
> removed.
> >
> > If you read over the "Why Is OWASP Changing ESAPI Encryption?" 
> discussed in
> > documentation/esapi4java-core-2.0-readme-crypto-changes.html
> >
> > it describes how even these deprecated Encryptor methods are not 
> completely
> > compatible with those from ESAPI 1.4. Furthermore, if you use these 
> deprecated
> > methods, you will not be provided with any protection from the 
> padded oracle
> > attack which recently made the news for ASP.NET and JSF not too many 
> weeks ago.
> >
> > So I'd recommend using the new methods if you can possibly get them 
> to work.
> >
> > If you have any questions after reading the documentation and 
> examples that
> > I've referenced, then drop me another email and perhaps attach your 
> sample
> > code and I'll take a look at it.
> >
> > -kevin
> > --
> > Kevin W. Wall
> > "The most likely way for the world to be destroyed, most experts agree,
> > is by accident. That's where we come in; we're computer professionals.
> > We cause accidents." -- Nathaniel Borenstein, co-creator of MIME

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/esapi-user/attachments/20101028/23659074/attachment.html 


More information about the Esapi-user mailing list