[OWASP-ESAPI] problem with ESAPI.encryptor().decrypt

Jeff Williams jeff.williams at owasp.org
Thu May 28 00:32:17 EDT 2009


Hi Bedirhan,

Thanks for the detailed message, it was extremely helpful to get all the
details. Here's the scoop.

We used to use PasswordBasedEncryption (PBE) in ESAPI to make it easier to
support key changing. You can see it in version 1.3. However, we changed
this out based on feedback from large corporations who standardized on AES.
So today you can use AES 256, DES 56, DESede 168, etc. Just put your
choices in ESAPI.properties, run JavaEncryptor to generate a new key, and
put the new key in ESAPI.properties.

Currently, we're using SecretKeySpec as it allows us to easily change
algorithms. We want people to be able to easily configure the algorithm and
keylength. Unfortunately, as it says in the Javadoc:

    This class is only useful for raw secret keys that can be represented as a
    byte array and have no key parameters associated with them, e.g., DES or
    Triple DES keys.

That means that we can't use PBE anymore because it requires a
PBEParameterSpec which is more complicated to set up. So we could enhance
this to support more types of encryption in an easily configurable way. But
there's an easy alternative. Implement your own Encryptor that uses the
algorithm you want for encryption. Then just configure ESAPI to use your
class.

I made a few updates to make this easier to use. Can you try the latest
version in SVN and let me know? The ESAPI.properties file has been updated
with more comments and is better organized now.

Thanks,

--Jeff
From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Bedirhan Urgun
Sent: Wednesday, May 27, 2009 1:45 AM
To: owasp-esapi at lists.owasp.org
Subject: [OWASP-ESAPI] problem with ESAPI.encryptor().decrypt
Hi everyone,

We have the latest SVN version of ESAPI-Java (with a JDK 1.5 requirement).
During compilation we had problems because of String.isEmpty-like methods
that are JDK 1.6 only. But those parts are out of scope anyway, so we removed
them and compiled successfully.

The following are the exception details we get when trying to use
JavaEncryptor's decrypt method. I've searched Google about the problem and
found a few resources, but what do you think about this exception in the
context of owasp-esapi-java?

ESAPI.properties (I try to use PBEWithMD5AndDES)
----------------

#
# WARNING: For keys longer than 128 you must download unlimited strength policy files
# and install in the lib directory of your JRE. http://java.sun.com/javase/downloads/index.jsp
KeyLength=256
CharacterEncoding=UTF-8
HashAlgorithm=SHA-512
HashIterations=1024
#EncryptionAlgorithm=PBEWithMD5AndDES/CBC/PKCS5Padding
EncryptionAlgorithm=PBEWithMD5AndDES
RandomAlgorithm=SHA1PRNG
DigitalSignatureAlgorithm=SHAwithDSA

# Encryption
# Generate a new key using java -Dorg.owasp.esapi.resources="your path" org.owasp.esapi.reference.JavaEncryptor
# WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data
MasterKey=123412341234
MasterSalt=123412341234

# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
LogEncodingRequired=false
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
# want to place it in a specific directory.
LogFileName=c:\\ESAPI_logging_file.txt
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)
MaxLogFileSize=10000000

Implementation.Logger=org.owasp.esapi.reference.Log4JLogFactory
#Implementation.Logger=org.owasp.esapi.reference.JavaLogFactory
Implementation.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator
Implementation.Encoder=org.owasp.esapi.reference.DefaultEncoder
Implementation.AccessControl=org.owasp.esapi.reference.accesscontrol.DefaultAccessController
Implementation.Encryptor=org.owasp.esapi.reference.JavaEncryptor
Implementation.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector
Implementation.Randomizer=org.owasp.esapi.reference.DefaultRandomizer
Implementation.Executor=org.owasp.esapi.reference.DefaultExecutor
Implementation.Validator=org.owasp.esapi.reference.DefaultValidator
Implementation.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities
The Test Code Snippet
--------------
...

// 50 random alphanumeric characters (the variable name predates the length change)
String random32 = ESAPI.randomizer().getRandomString(50, DefaultEncoder.CHAR_ALPHANUMERICS);
System.out.println("Random String generated : " + random32);

// encrypt() succeeds with the configuration above
String random32Encrypted = ESAPI.encryptor().encrypt(random32);
System.out.println("Random String encrypted : " + random32Encrypted);

// decrypt() is the call that throws the EncryptionException shown below
System.out.println("Random String decrypted : " + ESAPI.encryptor().decrypt(random32Encrypted));

...

The Exception
--------------

Random String generated : sD9ih0WbhokL59y5rImgpYO64x1rhM6PqaQX5BvWRmpl4kzbzZ
Random String encrypted : gPd5QLXjYxfBRIRX5ZOQeAMc2VHTnnoAyTvXYxzyKXkrCIebgqKGv9Sf3L8/mFCEHB56N1aj8dE=
log4j:WARN No appenders could be found for logger (AppNameNotSpecified:IntrusionDetector).
log4j:WARN Please initialize the log4j system properly.
Exception in thread "main" org.owasp.esapi.errors.EncryptionException: Encryption failure
        at org.owasp.esapi.reference.JavaEncryptor.decrypt(JavaEncryptor.java:181)
        at test.Test.main(Test.java:24)
Caused by: java.security.InvalidKeyException: requires PBE parameters
        at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineInit(DashoA13*..)
        at javax.crypto.Cipher.a(DashoA13*..)
        at javax.crypto.Cipher.a(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)
        at javax.crypto.Cipher.init(DashoA13*..)
        at org.owasp.esapi.reference.JavaEncryptor.decrypt(JavaEncryptor.java:176)
        ... 1 more
Caused by: java.security.InvalidAlgorithmParameterException: Parameters missing
        at com.sun.crypto.provider.SunJCE_ab.a(DashoA13*..)
        at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineInit(DashoA13*..)
        ... 7 more

AES is the default algorithm in the SVN version; however, I'm analyzing what
happens if, optionally, developers want to use PBEWithMD5AndDES.

cheers,
bedirhan
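
As an added illustration of the exchange above (this is example code written for this page, not ESAPI's JavaEncryptor and not code from either poster), the following Java program reproduces the "requires PBE parameters" failure from the trace by handing a raw SecretKeySpec to a PBEWithMD5AndDES cipher, then shows the working PBE path Jeff describes, with the salt and iteration count supplied through a PBEParameterSpec on both the encrypt and the decrypt side, and contrasts it with AES, where a raw SecretKeySpec is exactly the right key object. The class name PbeVsRawKeyDemo, the passphrase, the salt, the AES key and the IV are all constructed demo values. PBEWithMD5AndDES appears only because it is the algorithm under discussion; MD5 and 56-bit DES are not acceptable choices for new designs.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added demo (not ESAPI code): why a raw SecretKeySpec works for AES but not for PBE. */
public class PbeVsRawKeyDemo {
    private static final String PBE_ALG = "PBEWithMD5AndDES";

    // Constructed demo values. Real code draws salt, key and IV from SecureRandom
    // and keeps the passphrase out of source control.
    private static final char[] PASSPHRASE = "demo-passphrase-only".toCharArray();
    private static final byte[] SALT = {0x7d, 0x60, 0x43, 0x5f, 0x02, (byte) 0xe9, (byte) 0xe0, (byte) 0xae};
    private static final int ITERATIONS = 1024;

    /** Reproduces the thread's failure: encrypt is accepted, decrypt is refused. */
    static String decryptWithRawPbeKey(byte[] plaintext) throws GeneralSecurityException {
        // Only key bytes: no salt and no iteration count travel with this object.
        SecretKeySpec raw = new SecretKeySpec("123412341234".getBytes(StandardCharsets.US_ASCII), PBE_ALG);
        Cipher enc = Cipher.getInstance(PBE_ALG);
        enc.init(Cipher.ENCRYPT_MODE, raw);      // accepted: the provider generates a random salt
        enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance(PBE_ALG);
        try {
            dec.init(Cipher.DECRYPT_MODE, raw);  // no PBEParameterSpec: nothing to derive the key from
            return "unexpected: decrypt init succeeded";
        } catch (InvalidKeyException e) {
            // "requires PBE parameters", caused by "Parameters missing", as in the trace
            Throwable cause = e.getCause();
            return e.getMessage() + (cause == null ? "" : " <- " + cause.getMessage());
        }
    }

    /** The working PBE path: a PBEKey plus the same PBEParameterSpec on both sides. */
    static byte[] pbeRoundTrip(byte[] plaintext) throws GeneralSecurityException {
        SecretKey key = SecretKeyFactory.getInstance(PBE_ALG)
                .generateSecret(new PBEKeySpec(PASSPHRASE));
        PBEParameterSpec params = new PBEParameterSpec(SALT, ITERATIONS);

        Cipher enc = Cipher.getInstance(PBE_ALG);
        enc.init(Cipher.ENCRYPT_MODE, key, params);
        byte[] ct = enc.doFinal(plaintext);

        // Salt and iteration count are not secret, but they must be stored or configured
        // next to the ciphertext (compare ESAPI's MasterSalt) or decryption is impossible.
        Cipher dec = Cipher.getInstance(PBE_ALG);
        dec.init(Cipher.DECRYPT_MODE, key, params);
        return dec.doFinal(ct);
    }

    /** Contrast: AES is a raw key, so SecretKeySpec is the right wrapper; only an IV is needed. */
    static byte[] aesRoundTrip(byte[] plaintext) throws GeneralSecurityException {
        byte[] keyBytes = new byte[16];  // constructed 128-bit demo key (no policy files needed)
        byte[] iv = new byte[16];        // constructed; a real IV is fresh per message
        for (int i = 0; i < 16; i++) {
            keyBytes[i] = (byte) (i * 7 + 1);
            iv[i] = (byte) (0xA0 + i);
        }
        SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
        IvParameterSpec ivSpec = new IvParameterSpec(iv);

        Cipher enc = Cipher.getInstance("AES/CBC/PKCS5Padding");
        enc.init(Cipher.ENCRYPT_MODE, key, ivSpec);
        byte[] ct = enc.doFinal(plaintext);

        Cipher dec = Cipher.getInstance("AES/CBC/PKCS5Padding");
        dec.init(Cipher.DECRYPT_MODE, key, ivSpec);
        return dec.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "sD9ih0WbhokL59y5rImgpYO64x1rhM6P".getBytes(StandardCharsets.US_ASCII);
        System.out.println("raw key + PBE  : " + decryptWithRawPbeKey(msg));
        System.out.println("PBE round trip : " + Arrays.equals(msg, pbeRoundTrip(msg)));
        System.out.println("AES round trip : " + Arrays.equals(msg, aesRoundTrip(msg)));
    }
}
```

Compile and run with javac and java; the first line prints the two nested messages from the trace and the other two print true. The detail worth remembering from the first function is that the encrypt side was accepted only because the SunJCE provider silently picked a random salt. The caller never sees that salt unless it reads it back with cipher.getParameters(), so a ciphertext produced that way could not be decrypted later even if the decrypt call had been accepted.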