[OWASP-ESAPI] About owasp-esapi-java

Jeff Williams jeff.williams at owasp.org
Thu May 21 14:53:10 EDT 2009


> Before I start, here's the version we plan to use;
>
> http://owasp-esapi-java.googlecode.com/files/owasp-esapi-java-src-1.4.zip
> (build.number=68)
> http://owasp-esapi-java.googlecode.com/files/owasp-esapi-full-java-1.4.jar
 
If you can, I suggest building the latest from SVN.  Version 2.0 contains a
number of improvements, including many of the items you mentioned below.

 

> 1. logSpecial method in
> org.owasp.esapi.reference.DefaultSecurityConfiguration contains a
> System.out.println.

 

I agree. This was something that the code review identified and it's already
been fixed in SVN.


> Do you think the default values are reasonable?



Yes. But we did move to AES in SVN.

 
> 3. What do you suggest using when producing these values?
> org.owasp.esapi.reference.DefaultRandomizer maybe?
> How about their appropriate lengths? For example the Salt must be 8 bytes
> long according to exception we get in the constructor of
> org.owasp.esapi.reference.JavaEncryptor when calling



In the SVN version, you can generate a strong key and a salt by running the
main program in JavaEncryptor and putting that in ESAPI.properties. We
decided to move away from PBE because everyone has standardized on the use
of AES.  Note that you will have to download and install the unlimited
strength policy files from Sun and put them in your Java installation in
order to use longer keys.


> 4. There's a HashIterations property key in ESAPI.properties. But this isn't
> used in org.owasp.esapi.reference.JavaEncryptor's hash method. Instead
> there's a hardcoded 1024.



Good catch. This has been fixed so the hash iterations are configurable now.
Thanks!

 

--Jeff
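Items 3 and 4 above (generating a salt of adequate length, and reading the hash iteration count from configuration rather than hard-coding 1024) come together in the following added example. It is not ESAPI code and not taken from the SVN version Jeff refers to; the property names `Encryptor.HashIterations` and `Encryptor.MasterSalt`, the class and method names, and the 1024 floor are assumptions made for this illustration. It also includes the check for the JCE policy limit on AES key size mentioned in the reply, via the standard `Cipher.getMaxAllowedKeyLength` call.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;

/**
 * Added example, not ESAPI code: a salted, iterated hash whose iteration
 * count and master salt come from a Properties object instead of being
 * hard-coded, plus the checks a deployer wants before relying on it.
 */
public class ConfigurableHashExample {

    // Hypothetical property names in the style of ESAPI.properties;
    // the real ESAPI keys may be spelled differently.
    static final String ITERATIONS_KEY = "Encryptor.HashIterations";
    static final String MASTER_SALT_KEY = "Encryptor.MasterSalt";

    // Floors chosen for this example: 1024 is the value the 1.4 code
    // hard-coded, 8 bytes is the salt length the 1.4 constructor demands.
    static final int MIN_ITERATIONS = 1024;
    static final int MIN_SALT_BYTES = 8;

    private final int iterations;
    private final byte[] masterSalt;

    ConfigurableHashExample(Properties props) {
        // Fail closed: a missing or weak setting is a configuration error,
        // not something to paper over with a silent default.
        String rawIterations = props.getProperty(ITERATIONS_KEY);
        if (rawIterations == null) {
            throw new IllegalStateException(ITERATIONS_KEY + " is not set");
        }
        this.iterations = Integer.parseInt(rawIterations.trim());
        if (iterations < MIN_ITERATIONS) {
            throw new IllegalStateException(ITERATIONS_KEY + " must be >= " + MIN_ITERATIONS);
        }
        String rawSalt = props.getProperty(MASTER_SALT_KEY);
        if (rawSalt == null) {
            throw new IllegalStateException(MASTER_SALT_KEY + " is not set");
        }
        this.masterSalt = Base64.getDecoder().decode(rawSalt.trim());
        if (masterSalt.length < MIN_SALT_BYTES) {
            throw new IllegalStateException(MASTER_SALT_KEY + " must be at least "
                    + MIN_SALT_BYTES + " bytes");
        }
    }

    /** Random salt from SecureRandom, Base64-encoded so it can be pasted into a properties file. */
    static String newSaltBase64(int lengthBytes) {
        byte[] salt = new byte[lengthBytes];
        new SecureRandom().nextBytes(salt);
        return Base64.getEncoder().encodeToString(salt);
    }

    /** Largest AES key the installed JCE policy permits; Integer.MAX_VALUE means unlimited. */
    static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** SHA-256 over master salt + per-record salt + input, then re-hashed 'iterations' times. */
    String hash(String input, String recordSalt) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(masterSalt);
        md.update(recordSalt.getBytes(StandardCharsets.UTF_8));
        byte[] digest = md.digest(input.getBytes(StandardCharsets.UTF_8));
        // digest() resets the MessageDigest, so each round starts clean.
        for (int i = 0; i < iterations; i++) {
            digest = md.digest(digest);
        }
        return Base64.getEncoder().encodeToString(digest);
    }

    public static void main(String[] args) throws Exception {
        // Constructed configuration; a real deployment would load ESAPI.properties.
        Properties props = new Properties();
        props.setProperty(MASTER_SALT_KEY, newSaltBase64(16));
        props.setProperty(ITERATIONS_KEY, "4096");

        ConfigurableHashExample hasher = new ConfigurableHashExample(props);
        String first = hasher.hash("correct horse battery staple", "user-42");
        String second = hasher.hash("correct horse battery staple", "user-42");
        System.out.println("deterministic for same config: " + first.equals(second));

        // A different iteration count yields a different digest, so the count in
        // effect must be recorded alongside any stored hash before it is changed.
        props.setProperty(ITERATIONS_KEY, "2048");
        String other = new ConfigurableHashExample(props).hash("correct horse battery staple", "user-42");
        System.out.println("same after changing iterations: " + first.equals(other));

        System.out.println("max AES key bits allowed by policy: " + maxAesKeyBits());
    }
}
```

Run `java ConfigurableHashExample` (Java 8 or later). If the last line prints a value below 256, the unlimited-strength policy files Jeff mentions are not installed and 256-bit AES keys will be rejected at `Cipher.init` time; check this once at startup rather than discovering it on the first encryption call.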

 
