[OWASP-ESAPI] About owasp-esapi-java

eric bing eric.bing at oracle.com
Thu May 21 16:59:20 EDT 2009


I tend to agree with Arshan on this one.  There are certainly cases 
(password or credit card hashes) where the retention time and small name 
space make this essential, but there are a lot of other cases (session 
hashing) where it's not.  Given that both use cases exist, my naive 
assumption going into the library is that it's only being run once.  On 
the other hand, it's legitimate to argue that you want to default to a 
more secure configuration. 

I think the most important point is that I can override whatever value 
is set for a particular use case.  I haven't looked at the APIs here, so 
I'm not sure if that's the case.
-Eric

> Date: Thu, 21 May 2009 16:23:36 -0400
> From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi at aspectsecurity.com>
> Subject: Re: [OWASP-ESAPI] About owasp-esapi-java
> To: "Jim Manico" <jim.manico at owasp.org>, <jeffl.williams at owasp.org>,
> 	"Bedirhan Urgun" <urgunb at hotmail.com>, <owasp-esapi at lists.owasp.org>
> Message-ID:
> 	<B9A412898630124ABE8350F4EBD32E84F437BE at mymail.aspectsecurity.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Of course it is. 
>  
> I'm saying most people, if they knew that this was going on, would choose not to use it because of the limited benefits it provides. It's possible that I'm wrong - I have no data to support that opinion. I just know lots of developers who generally like things to be really fast.
>  
> Arshan
>
> ________________________________
>
> From: Jim Manico [mailto:jim.manico at owasp.org]
> Sent: Thu 5/21/2009 4:09 PM
> To: Arshan Dabirsiaghi; jeffl.williams at owasp.org; Bedirhan Urgun; owasp-esapi at lists.owasp.org
> Subject: Re: [OWASP-ESAPI] About owasp-esapi-java
>
>
> Arshan,
>  
> The slowness is by design, intending to make it slower for someone with database access to brute-force the hash back to the password.
>  
> - Jim
>  
>
> 	----- Original Message ----- 
> 	From: Arshan Dabirsiaghi <mailto:arshan.dabirsiaghi at aspectsecurity.com>  
> 	To: jeffl.williams at owasp.org ; Bedirhan Urgun <mailto:urgunb at hotmail.com>  ; owasp-esapi at lists.owasp.org 
> 	Sent: Thursday, May 21, 2009 10:05 AM
> 	Subject: Re: [OWASP-ESAPI] About owasp-esapi-java
>
> 	The HashIterations value is a form of key strengthening [1]. Am I alone in thinking this value should be 1 (essentially off) by default? I'm not suggesting hashing is expensive as search, but I think people would not like the performance results of this feature. After all, it's intended to be slow. 
> 	 
> 	Arshan
> 	 
> 	[1] http://en.wikipedia.org/wiki/Key_strengthening
>
> ________________________________
>
> 	4. There's a HashIterations property key in ESAPI.properties. But this isn't used in org.owasp.esapi.reference.JavaEncryptor's hash method. Instead there's a hardcoded 1024.
>
> 	Good catch. This has been fixed so the hash iterations are configurable now.  Thanks!
>
> 	--Jeff
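As an added illustration of the iterated, salted hash the thread is discussing (my own example, not ESAPI's JavaEncryptor code): the iteration count is read from a property and falls back to a constant only when the property is absent, so a caller can override it per use case, and the timing loop shows why the default makes brute-forcing a leaked hash slower. The property key HashIterations comes from the thread and the default of 1024 mirrors the hard-coded value Bedirhan reported; the SHA-512 choice, the class and method names, and the sample salt are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;

/** Iterated, salted hash with a configurable iteration count (hypothetical, not ESAPI's). */
public class IteratedHash {
    static final String ITERATIONS_KEY = "HashIterations"; // key name from the thread
    static final int DEFAULT_ITERATIONS = 1024;            // assumed default, mirrors the old constant

    /** Reads HashIterations from the properties; falls back to the default when unset. */
    static int iterationsFrom(Properties props) {
        String raw = props.getProperty(ITERATIONS_KEY);
        if (raw == null) return DEFAULT_ITERATIONS;
        int n = Integer.parseInt(raw.trim());
        if (n < 1) throw new IllegalArgumentException(ITERATIONS_KEY + " must be >= 1");
        return n;
    }

    /** digest = H(salt || plaintext), then re-hashed (iterations - 1) more times. */
    static byte[] hash(String plaintext, byte[] salt, int iterations) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-512"); // algorithm is an assumption
        md.update(salt);
        md.update(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] digest = md.digest();
        for (int i = 1; i < iterations; i++) {
            digest = md.digest(digest); // digest() resets the MessageDigest, so no explicit reset
        }
        return digest;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt); // constructed sample salt; store it beside the hash

        Properties overridden = new Properties();
        overridden.setProperty(ITERATIONS_KEY, "1");   // per-use-case override, e.g. session hashing
        int fast = iterationsFrom(overridden);
        int slow = iterationsFrom(new Properties());   // no property set: default applies

        for (int n : new int[] {fast, slow}) {
            long t0 = System.nanoTime();
            for (int i = 0; i < 1000; i++) hash("correct horse", salt, n);
            long usPerHash = (System.nanoTime() - t0) / 1000 / 1000;
            System.out.printf("%5d iterations: ~%d us per hash%n", n, usPerHash);
        }
        System.out.println(Base64.getEncoder().encodeToString(hash("correct horse", salt, slow)));
    }
}
```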

