[Esapi-user] ESAPI Encryption API's

Kevin W. Wall kevin.w.wall at gmail.com
Tue Jun 11 15:00:36 UTC 2013


On Tue, Jun 11, 2013 at 9:14 AM, Nishi Kumar <nishi787 at hotmail.com> wrote:
>
>  Hi All,
>
> I was trying to find out about current status of ESAPI encryption API's.
> Does it support FIPS-140-2 certification?

ESAPI crypto uses a JCE provider, so if that JCE provider
is FIPS compliant, you can use ESAPI in that manner.
However, there are special instructions for doing so.
See the section
  "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules"
in the user documentation:
<http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html>
for details.

> How it is handling key management
> ? If somebody can point me to the correct documentation or provide some
> information I will really appreciate it.

Currently, key management is outside the scope of ESAPI 2.0.x.
I recommend using the API that allows you to specify a SecretKey
parameter for encryption / decryption rather than relying on
the one in your ESAPI.properties file (Encryptor.MasterKey).
In that way you can use an HSM to store / manage your
keys.

Hope that helps,
-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents."        -- Nathaniel Borenstein
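As an added illustration of the SecretKey overloads Kevin refers to (example code, not part of this thread or of ESAPI's own sources), the class below encrypts and decrypts with a caller-supplied key so that Encryptor.MasterKey in ESAPI.properties is never used. It assumes ESAPI 2.x and a valid ESAPI.properties on the classpath; the alias "app-data-key", the PKCS#11 loader and the ephemeral fallback key are constructed for the example.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.security.Key;
import java.security.KeyStore;
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.Encryptor;
import org.owasp.esapi.crypto.CipherText;
import org.owasp.esapi.crypto.PlainText;

public class ExternalKeyEncryption {
    /** Fetch an AES key from an HSM exposed through a PKCS#11 JCE provider (assumed
     *  already registered, e.g. SunPKCS11 via java.security). Whether a non-extractable
     *  token key works with ESAPI's MAC settings depends on the provider: test it first. */
    static SecretKey loadKeyFromHsm(String alias, char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);                 // no file: the token itself is the store
        Key k = ks.getKey(alias, pin);
        if (!(k instanceof SecretKey)) {
            throw new IllegalStateException("alias " + alias + " is not a secret key");
        }
        return (SecretKey) k;
    }

    /** Stand-in for environments without an HSM: an ephemeral AES key created at runtime. */
    static SecretKey ephemeralKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);                       // matches ESAPI's default Encryptor.EncryptionKeyLength
        return kg.generateKey();
    }

    /** Encrypt with the caller's key; Encryptor.MasterKey in ESAPI.properties is not consulted. */
    static byte[] seal(SecretKey key, String secret) throws Exception {
        Encryptor enc = ESAPI.encryptor();
        CipherText ct = enc.encrypt(key, new PlainText(secret));
        // Portable form bundles IV, cipher spec and MAC, so it can be stored or sent as one blob.
        return ct.asPortableSerializedByteArray();
    }

    static String open(SecretKey key, byte[] sealed) throws Exception {
        CipherText ct = CipherText.fromPortableSerializedBytes(sealed);
        return ESAPI.encryptor().decrypt(key, ct).toString();
    }

    public static void main(String[] args) throws Exception {
        // Swap in loadKeyFromHsm("app-data-key", pin) once a token is available.
        SecretKey key = ephemeralKey();
        byte[] sealed = seal(key, "account-number: 1234-5678");   // constructed sample input
        System.out.println(open(key, sealed));
    }
}
```

Because the key never passes through ESAPI.properties, rotating it becomes a KeyStore operation rather than a configuration change and redeploy.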