[OWASP-ESAPI] Any reason OWASP ESAPI doesn't have a HexEncoder Codec?

Neil Matatall nmatatal at uci.edu
Wed Aug 19 12:54:17 EDT 2009


In the past I've found base64 is the preferred way to encode IVs, keys, 
etc so it plays nicely with OpenSSL for example.  I do not know if 
OpenSSL or other implementations choke on non-base64 but I know it was a 
hard requirement when I fudged together our encryption library.


Jim Manico wrote:
> I think we are currently base64 encoding our IVs, is there any downside  
> to this, or are we just doing it in a non-standard way?
> Kevin, can you also please re-post your other encryption question from  
> last month, if you have it handy? It was very important but no one  
> responded. I'd like to reopen that conversation on the list.
> Thank you for digging so deeply into this Kevin.
> Jim Manico
> On Aug 19, 2009, at 12:12 AM, "Kevin W. Wall" <kevin.w.wall at gmail.com>  
> wrote:
>> I wanted to support both fixed (i.e., pre-shared) IVs and random IVs  
>> in the
>> additions I'm putting into ESAPI Java 2.0 in the support of stronger  
>> cipher
>> modes such as CBC mode.
>> I figured that such a fixed IV would be specified in the  
>> ESAPI.properties file
>> and it seemed logical to specify this fixed IV as a hexadecimal  
>> string. (That's
>> generally the most frequent way you see them specified in test  
>> vectors, etc.)
>> I checked and there doesn't seem to be a hex encoder/decoder codec.  
>> Is anyone
>> planning on doing one? Not that complicated; last one I wrote a few  
>> years ago
>> probably was less than 40 lines including the Javadoc, but I don't  
>> have the time
>> to code it and write all the test cases.
>> Should I just have them use base64 encoding for specifying fixed IVs  
>> instead?
>> Thoughts?
>> -kevin
>> -- 
>> Kevin W. Wall
>> "The most likely way for the world to be destroyed, most experts  
>> agree,
>> is by accident. That's where we come in; we're computer professionals.
>> We cause accidents."        -- Nathaniel Borenstein, co-creator of  
> _______________________________________________
> OWASP-ESAPI mailing list
> OWASP-ESAPI at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-esapi
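
The hex codec discussed in this thread, sketched as an added example; it is not code from the thread or from ESAPI. The class name `IvHexCodec`, its method names, and the sample IV value are assumptions made for illustration. It decodes a hex-encoded fixed IV, checks it against the cipher block size, and prints the same bytes in base64 for comparison.

```java
import java.util.Base64;

// Added example, not ESAPI code: IvHexCodec and its methods are hypothetical names.
public final class IvHexCodec {
    private static final char[] HEX = "0123456789abcdef".toCharArray();

    // Strict ASCII nibble lookup; Character.digit() would also accept non-ASCII digits.
    private static int nibble(char c) {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    }

    public static String encode(byte[] data) {
        StringBuilder sb = new StringBuilder(data.length * 2);
        for (byte b : data) sb.append(HEX[(b >> 4) & 0x0f]).append(HEX[b & 0x0f]);
        return sb.toString();
    }

    public static byte[] decode(String hex) {
        if (hex.length() % 2 != 0) throw new IllegalArgumentException("odd number of hex digits");
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = nibble(hex.charAt(2 * i));
            int lo = nibble(hex.charAt(2 * i + 1));
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("non-hex character near offset " + (2 * i));
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    // A fixed IV must be exactly one cipher block long (16 bytes for AES in CBC mode).
    public static byte[] decodeIv(String hex, int blockSize) {
        byte[] iv = decode(hex.trim());
        if (iv.length != blockSize) throw new IllegalArgumentException("IV is " + iv.length + " bytes, expected " + blockSize);
        return iv;
    }

    public static void main(String[] args) {
        String configured = "000102030405060708090a0b0c0d0e0f"; // constructed sample value
        byte[] iv = decodeIv(configured, 16);
        System.out.println("hex:    " + encode(iv));
        System.out.println("base64: " + Base64.getEncoder().encodeToString(iv));
    }
}
```

Rejecting odd-length input, non-ASCII digits and wrong-length IVs at load time turns a mistyped configuration value into a startup error instead of a silently truncated or padded IV.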