[OWASP-ESAPI] About owasp-esapi-java

Jim Manico jim.manico at owasp.org
Thu May 21 16:26:20 EDT 2009


Security almost always gets in the way of good performance.  =) Luckily, hardware is cheap these days. 

I vote we leave this at least at something > 1 - to demonstrate a little slowness, on purpose. 

We should also talk about this in a little more detail in the upcoming ESAPI-based Architectural Design document.

- Jim


  ----- Original Message ----- 
  From: Arshan Dabirsiaghi 
  To: Jim Manico ; jeffl.williams at owasp.org ; Bedirhan Urgun ; owasp-esapi at lists.owasp.org 
  Sent: Thursday, May 21, 2009 10:23 AM
  Subject: RE: [OWASP-ESAPI] About owasp-esapi-java


  Of course it is. 

  I'm saying most people, if they knew that this was going on, would choose not to use it because of the limited benefits it provides. It's possible that I'm wrong - I have no data to support that opinion. I just know lots of developers who generally like things to be really fast.

  Arshan


------------------------------------------------------------------------------
  From: Jim Manico [mailto:jim.manico at owasp.org]
  Sent: Thu 5/21/2009 4:09 PM
  To: Arshan Dabirsiaghi; jeffl.williams at owasp.org; Bedirhan Urgun; owasp-esapi at lists.owasp.org
  Subject: Re: [OWASP-ESAPI] About owasp-esapi-java


  Arshan,

  The slowness is by design, intending to make it slower for someone with database access to brute-force the hash back to the password.

  - Jim

    ----- Original Message ----- 
    From: Arshan Dabirsiaghi 
    To: jeffl.williams at owasp.org ; Bedirhan Urgun ; owasp-esapi at lists.owasp.org 
    Sent: Thursday, May 21, 2009 10:05 AM
    Subject: Re: [OWASP-ESAPI] About owasp-esapi-java


    The HashIterations value is a form of key strengthening [1]. Am I alone in thinking this value should be 1 (essentially off) by default? I'm not suggesting hashing is expensive as search, but I think people would not like the performance results of this feature. After all, it's intended to be slow. 

    Arshan

    [1] http://en.wikipedia.org/wiki/Key_strengthening


----------------------------------------------------------------------------


    4. There's a HashIterations property key in ESAPI.properties. But this isn't used in org.owasp.esapi.reference.JavaEncryptor's hash method. Instead there's a hardcoded 1024.



    Good catch. This has been fixed so the hash iterations are configurable now.  Thanks!



    --Jeff





----------------------------------------------------------------------------


    _______________________________________________
    OWASP-ESAPI mailing list
    OWASP-ESAPI at lists.owasp.org
    https://lists.owasp.org/mailman/listinfo/owasp-esapi
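What the thread is weighing, as an added example that is not ESAPI's own JavaEncryptor code: a salted hash whose iteration count is read from configuration rather than hard-coded, a constant-time verify, and a small measurement of how the cost of one hash grows with the count. The choice of SHA-256, the salt-then-password chaining order, the class and method names, and the sample passwords are all assumptions of this example; the property name HashIterations and the value 1024 are the ones discussed above.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class HashIterationsDemo {

    /**
     * Salted, iterated hash in the spirit of the thread: round one digests
     * salt || password, every further round digests the previous output.
     * The iteration count is the knob a HashIterations property would supply;
     * SHA-256 and the chaining order are assumptions of this example.
     */
    public static byte[] hash(String password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException {
        if (iterations < 1) {
            throw new IllegalArgumentException("iterations must be >= 1");
        }
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        byte[] digest = md.digest(password.getBytes(StandardCharsets.UTF_8));
        for (int i = 1; i < iterations; i++) {
            // digest() resets the instance, so each round starts clean
            digest = md.digest(digest);
        }
        return digest;
    }

    /** Constant-time comparison, so verification time does not leak how many bytes matched. */
    public static boolean verify(String password, byte[] salt, int iterations, byte[] expected)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(hash(password, salt, iterations), expected);
    }

    /** Average wall-clock cost of one hash at a given iteration count, in microseconds. */
    public static double microsPerHash(int iterations, int samples) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        long start = System.nanoTime();
        for (int i = 0; i < samples; i++) {
            hash("correct horse battery staple", salt, iterations); // constructed sample input
        }
        return (System.nanoTime() - start) / 1000.0 / samples;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        // Stand-in for reading HashIterations from ESAPI.properties; 1024 was the
        // hard-coded value the thread reports as now being configurable.
        int iterations = 1024;

        byte[] stored = hash("s3cret", salt, iterations); // constructed sample password
        System.out.println("stored hash: " + Base64.getEncoder().encodeToString(stored));
        System.out.println("verify correct password: " + verify("s3cret", salt, iterations, stored));
        System.out.println("verify wrong password:   " + verify("guess", salt, iterations, stored));

        // Same salt and password, different counts: the digest changes and so does
        // the cost of every verification, and of every guess made against a stolen table.
        for (int n : new int[] {1, 1024, 8192}) {
            microsPerHash(n, 50); // warm-up so JIT effects do not dominate the first sample
            System.out.printf("iterations=%5d -> %.1f us per hash%n", n, microsPerHash(n, 500));
        }
    }
}
```

The printed timings are what settles the argument in the thread for a given deployment: the extra milliseconds a login pays are the same cost multiplied across every candidate an attacker with the hash table must try, so the count is best chosen from a measured login-latency budget rather than left at 1. Purpose-built password KDFs such as PBKDF2 or bcrypt package this same stretching with a tunable cost parameter and are the usual choice when the hashing scheme is not already fixed.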