[OWASP-ESAPI] problem with ESAPI.encryptor().decrypt

Bedirhan Urgun urgunb at hotmail.com
Wed May 27 01:44:43 EDT 2009



Hi everyone,

We have the latest SVN version of ESAPI-Java (with a JDK 1.5 requirement). During the compilation we had problems because of String.isEmpty-like methods, which are JDK 1.6 only. But those parts are out of scope anyway, so we removed them and successfully compiled.

The following are the exception details we get when trying to use the JavaEncryptor's decrypt method. I've searched through Google about the problem and found a few resources, but what do you think about this exception in the context of owasp-esapi-java?


ESAPI.properties (I try to use PBEWithMD5AndDES)

----------------


#
# WARNING: For keys longer than 128 you must download unlimited strength policy files
# and install in the lib directory of your JRE. http://java.sun.com/javase/downloads/index.jsp
KeyLength=256
CharacterEncoding=UTF-8
HashAlgorithm=SHA-512
HashIterations=1024
#EncryptionAlgorithm=PBEWithMD5AndDES/CBC/PKCS5Padding
EncryptionAlgorithm=PBEWithMD5AndDES

RandomAlgorithm=SHA1PRNG
DigitalSignatureAlgorithm=SHAwithDSA

# Encryption
# Generate a new key using java -Dorg.owasp.esapi.resources="your path" org.owasp.esapi.reference.JavaEncryptor
# WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data 
MasterKey=123412341234
MasterSalt=123412341234

# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
LogEncodingRequired=false
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
# want to place it in a specific directory.
LogFileName=c:\\ESAPI_logging_file.txt
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
MaxLogFileSize=10000000

Implementation.Logger=org.owasp.esapi.reference.Log4JLogFactory
#Implementation.Logger=org.owasp.esapi.reference.JavaLogFactory
Implementation.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
Implementation.Encoder=org.owasp.esapi.reference.DefaultEncoder
Implementation.AccessControl=org.owasp.esapi.reference.accesscontrol.DefaultAccessController
Implementation.Encryptor=org.owasp.esapi.reference.JavaEncryptor
Implementation.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
Implementation.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
Implementation.Executor=org.owasp.esapi.reference.DefaultExecutor
Implementation.Validator=org.owasp.esapi.reference.DefaultValidator
Implementation.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities


The Test Code Snippet

--------------

...
String random32 = ESAPI.randomizer().getRandomString(50, DefaultEncoder.CHAR_ALPHANUMERICS);
System.out.println("Random String generated : " + random32);

String random32Encrypted = ESAPI.encryptor().encrypt(random32);
System.out.println("Random String encrypted : " + random32Encrypted);

System.out.println("Random String decrypted : " + ESAPI.encryptor().decrypt(random32Encrypted));
...


The Exception

--------------


Random String generated : sD9ih0WbhokL59y5rImgpYO64x1rhM6PqaQX5BvWRmpl4kzbzZ
Random String encrypted : gPd5QLXjYxfBRIRX5ZOQeAMc2VHTnnoAyTvXYxzyKXkrCIebgqKGv9Sf3L8/mFCEHB56N1aj8dE=
log4j:WARN No appenders could be found for logger (AppNameNotSpecified:IntrusionDetector).
log4j:WARN Please initialize the log4j system properly.
Exception in thread "main" org.owasp.esapi.errors.EncryptionException: Encryption failure
        at org.owasp.esapi.reference.JavaEncryptor.decrypt(JavaEncryptor.java:181)
        at test.Test.main(Test.java:24)
Caused by: java.security.InvalidKeyException: requires PBE parameters
        at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineInit(DashoA13*..)
        at javax.crypto.Cipher.a(DashoA13*..)
        at javax.crypto.Cipher.a(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)
        at org.owasp.esapi.reference.JavaEncryptor.decrypt(JavaEncryptor.java:176)
        ... 1 more
Caused by: java.security.InvalidAlgorithmParameterException: Parameters missing
        at com.sun.crypto.provider.SunJCE_ab.a(DashoA13*..)
        at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineInit(DashoA13*..)
        ... 7 more


AES is the default algorithm in the SVN version; however, I'm analyzing what happens if the developers optionally want to use PBEWithMD5AndDES.


cheers,

bedirhan
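The stack trace above points at the cause: a PBE cipher such as PBEWithMD5AndDES derives its key from a passphrase, a salt and an iteration count, and SunJCE will generate a random salt for encryption when none is given but refuses to decrypt without an explicit PBEParameterSpec ("requires PBE parameters" / "Parameters missing"). The following is an added stand-alone example, not ESAPI's code, that reproduces the failing key-only decrypt init and shows the decrypt that works when the same salt and iteration count are supplied; the passphrase, salt and iteration count are constructed demo values standing in for MasterKey, MasterSalt and HashIterations.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.util.Arrays;

public class PbeParamsDemo {
    // Constructed demo values (not from ESAPI.properties). PBE decryption needs the
    // passphrase AND the exact salt and iteration count used for encryption.
    private static final char[] PASSPHRASE = "demo-passphrase".toCharArray();
    private static final byte[] SALT = {1, 2, 3, 4, 5, 6, 7, 8}; // PBEWithMD5AndDES requires an 8-byte salt
    private static final int ITERATIONS = 1024;

    static SecretKey deriveKey() throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
        return f.generateSecret(new PBEKeySpec(PASSPHRASE));
    }

    static byte[] encrypt(byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("PBEWithMD5AndDES");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(), new PBEParameterSpec(SALT, ITERATIONS));
        return c.doFinal(plaintext);
    }

    // Mirrors the failing call in the post: key only, no PBEParameterSpec.
    static byte[] decryptWithoutParams(byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("PBEWithMD5AndDES");
        c.init(Cipher.DECRYPT_MODE, deriveKey()); // InvalidKeyException: requires PBE parameters
        return c.doFinal(ciphertext);
    }

    static byte[] decryptWithParams(byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("PBEWithMD5AndDES");
        c.init(Cipher.DECRYPT_MODE, deriveKey(), new PBEParameterSpec(SALT, ITERATIONS));
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "sD9ih0WbhokL59y5rImgpYO64x1rhM6PqaQX5BvWRmpl4kzbzZ".getBytes("UTF-8");
        byte[] ct = encrypt(msg);
        try {
            decryptWithoutParams(ct);
        } catch (java.security.InvalidKeyException e) {
            System.out.println("decrypt without parameters: " + e.getMessage());
        }
        byte[] pt = decryptWithParams(ct);
        System.out.println("round trip ok: " + Arrays.equals(msg, pt));
    }
}
```

If the salt is instead left for the provider to generate at encrypt time, it has to be read back with Cipher.getParameters() and stored alongside the ciphertext so the decrypting side can rebuild the same PBEParameterSpec.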




