[OWASP-ESAPI] Any reason OWASP ESAPI doesn't have a HexEncoder Codec?

Jim Manico jim.manico at owasp.org
Wed Aug 19 06:17:01 EDT 2009


I think we currently base64 encoding our IV's, is there any downside  
to this, or are we just doing it in a non standard way?

Kevin, can you also please re-post your other encryption question from  
last month, if you have it handy? It was very important but no one  
responded. I'd like to reopen that conversation on the list.

Thank you for digging so deeply into this Kevin.

Jim Manico

On Aug 19, 2009, at 12:12 AM, "Kevin W. Wall" <kevin.w.wall at gmail.com>  
wrote:

> I wanted to support both fixed (i.e., pre-shared) IVs and random IVs  
> in the
> additions I'm putting into ESAPI Java 2.0 in the support of stronger  
> cipher
> modes such as CBC mode.
>
> I figured that such a fixed IV would be specified in the  
> ESAPI.properties file
> and it seemed logical to specify this fixed IV as a hexadecimal  
> string. (That's
> generally the most frequent way you see them specified in test  
> vectors, etc.)
>
> I checked and there doesn't seem to be a hex encoder/decoder codec.  
> Is anyone
> planning on doing one? Not that complicated; last one I wrote a few  
> years ago
> probably was less than 40 lines including the Javadoc, but I don't  
> have the time
> to code it and write all the test cases.
>
> Should I just have them use base64 encoding for specifying fixed IVs  
> instead?
> Thoughts?
>
> -kevin
> -- 
> Kevin W. Wall
> "The most likely way for the world to be destroyed, most experts  
> agree,
> is by accident. That's where we come in; we're computer professionals.
> We cause accidents."        -- Nathaniel Borenstein, co-creator of  
> MIME
>


More information about the OWASP-ESAPI mailing list