[OWASP-ESAPI] About owasp-esapi-java

Jim Manico jim.manico at owasp.org
Thu May 21 17:12:08 EDT 2009


> I think the most important point is that I can override whatever value
> is set for a particular use case.  I haven't looked at the APIs here, so
> I'm not sure if that's the case.

Yea, I see the light.  I think you are right on here Eric (and Arshan).

Perhaps we should expose HashIterations at the API level so programmers can 
make their own call as to the # of hash iterations, and default this to 1 
which is the expected hash level?

I can see where different use cases merit different iteration numbers, and 
defaulting to 1, which is the expected hash behaviour, does seem reasonable 
to me.

But for all my apps, I'm setting it to 1024 :)

- Jim

----- Original Message ----- 
From: "eric bing" <eric.bing at oracle.com>
To: <owasp-esapi at lists.owasp.org>
Sent: Thursday, May 21, 2009 10:59 AM
Subject: Re: [OWASP-ESAPI] About owasp-esapi-java


> I tend to agree with Arshan on this one.  There are certainly cases
> (password or credit card hashes) where the retention time and small name
> space make this essential, but there are a lot of other cases (session
> hashing) where it's not.  Given that both use cases exist, my naive
> assumption going into the library is that it's only being run once.  On
> the other hand, it's legitimate to argue that you want to default to a
> more secure configuration.
>
> I think the most important point is that I can override whatever value
> is set for a particular use case.  I haven't looked at the APIs here, so
> I'm not sure if that's the case.
> -Eric
>
>> Date: Thu, 21 May 2009 16:23:36 -0400
>> From: "Arshan Dabirsiaghi" <arshan.dabirsiaghi at aspectsecurity.com>
>> Subject: Re: [OWASP-ESAPI] About owasp-esapi-java
>> To: "Jim Manico" <jim.manico at owasp.org>, <jeffl.williams at owasp.org>,
>> "Bedirhan Urgun" <urgunb at hotmail.com>, <owasp-esapi at lists.owasp.org>
>> Message-ID:
>> <B9A412898630124ABE8350F4EBD32E84F437BE at mymail.aspectsecurity.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> Of course it is.
>>
>> I'm saying most people, if they knew that this was going on, would choose 
>> not to use it because of the limited benefits it provides. It's possible 
>> that I'm wrong - I have no data to support that opinion. I just know lots 
>> of developers who generally like things to be really fast.
>>
>> Arshan
>>
>> ________________________________
>>
>> From: Jim Manico [mailto:jim.manico at owasp.org]
>> Sent: Thu 5/21/2009 4:09 PM
>> To: Arshan Dabirsiaghi; jeffl.williams at owasp.org; Bedirhan Urgun; 
>> owasp-esapi at lists.owasp.org
>> Subject: Re: [OWASP-ESAPI] About owasp-esapi-java
>>
>>
>> Arshan,
>>
>> The slowness is by design, intending to make it slower for someone with 
>> database access to brute-force the hash back to the password.
>>
>> - Jim
>>
>>
>> ----- Original Message ----- 
>> From: Arshan Dabirsiaghi <mailto:arshan.dabirsiaghi at aspectsecurity.com>
>> To: jeffl.williams at owasp.org ; Bedirhan Urgun <mailto:urgunb at hotmail.com> 
>> ; owasp-esapi at lists.owasp.org
>> Sent: Thursday, May 21, 2009 10:05 AM
>> Subject: Re: [OWASP-ESAPI] About owasp-esapi-java
>>
>> The HashIterations value is a form of key strengthening [1]. Am I alone 
>> in thinking this value should be 1 (essentially off) by default? I'm not 
>> suggesting hashing is expensive as search, but I think people would not 
>> like the performance results of this feature. After all, it's intended to 
>> be slow.
>>
>> Arshan
>>
>> [1] http://en.wikipedia.org/wiki/Key_strengthening
>>
>> ________________________________
>>
>>
>>
>> 4. There's a HashIterations property key in ESAPI.properties. But this 
>> isn't used in org.owasp.esapi.reference.JavaEncryptor's hash method. 
>> Instead there's a hardcoded 1024.
>>
>>
>>
>> Good catch. This has been fixed so the hash iterations are configurable 
>> now.  Thanks!
>>
>>
>>
>> --Jeff
>>
>>
>>
>>
>> ________________________________
>>
>>
>>
>>
>> _______________________________________________
>> OWASP-ESAPI mailing list
>> OWASP-ESAPI at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-esapi
>>
>>
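To make the trade-off the thread is debating concrete, here is an added example, not code from this thread or from ESAPI's JavaEncryptor: a salted, iterated SHA-256 hash whose iteration count is a caller-supplied parameter, with a library-wide default that mirrors a HashIterations-style property. The class name, the `DEFAULT_ITERATIONS` constant and the sample secret are constructed for this example. The `main` method times the same input at 1, 1024 and 65536 iterations so the cost an attacker with database access pays per guess (one digest per iteration) can be seen directly.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

public class IteratedHashDemo {
    // Assumed library-wide default, standing in for a HashIterations property
    // value; constructed for this example, not an ESAPI constant.
    static final int DEFAULT_ITERATIONS = 1024;

    // Salted, iterated hash: iteration 1 is the plain salted digest, every
    // further iteration re-hashes the previous digest. Cost grows linearly.
    static byte[] hash(String algorithm, byte[] salt, byte[] input, int iterations)
            throws NoSuchAlgorithmException {
        if (iterations < 1) {
            throw new IllegalArgumentException("iterations must be >= 1");
        }
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(salt);
        md.update(input);
        byte[] digest = md.digest();
        for (int i = 1; i < iterations; i++) {
            md.reset();
            md.update(digest);
            digest = md.digest();
        }
        return digest;
    }

    // Convenience overload: callers that do not care get the default, callers
    // with a specific use case (session token vs. password) pick their own.
    static byte[] hash(byte[] salt, byte[] input) throws NoSuchAlgorithmException {
        return hash("SHA-256", salt, input, DEFAULT_ITERATIONS);
    }

    // Verification uses the stored salt and iteration count and a
    // constant-time comparison, so the check cannot leak via timing.
    static boolean verify(byte[] salt, byte[] input, int iterations, byte[] stored)
            throws NoSuchAlgorithmException {
        byte[] candidate = hash("SHA-256", salt, input, iterations);
        return MessageDigest.isEqual(candidate, stored);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        // Constructed sample secret.
        byte[] secret = "correct horse battery staple".getBytes(StandardCharsets.UTF_8);

        for (int iterations : new int[] {1, 1024, 65536}) {
            long start = System.nanoTime();
            byte[] d = hash("SHA-256", salt, secret, iterations);
            long micros = (System.nanoTime() - start) / 1000;
            System.out.printf("%6d iterations: %s (%d us)%n",
                    iterations, Base64.getEncoder().encodeToString(d), micros);
        }

        // Same salt, input and iteration count must reproduce the stored digest.
        byte[] stored = hash(salt, secret);
        if (!verify(salt, secret, DEFAULT_ITERATIONS, stored)) {
            throw new IllegalStateException("hash is not deterministic");
        }
        // A different iteration count must not verify: the count is part of
        // the stored record, which is why exposing it per call matters.
        if (verify(salt, secret, 1, stored)) {
            throw new IllegalStateException("iteration count not bound to digest");
        }
        System.out.println("verification ok");
    }
}
```

The point of the example is the parameter: the iteration count must be stored alongside the salt and digest, because a digest computed at 1024 iterations will never verify at 1. For password storage specifically, a purpose-built function such as PBKDF2 (available in the JDK as `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")`), bcrypt or scrypt is the usual choice; the hand-rolled loop above only illustrates the cost knob being discussed.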


