[OWASP-ESAPI] problem with ESAPI.encryptor().decrypt

Bedirhan Urgun urgunb at hotmail.com
Thu May 28 01:01:20 EDT 2009

Hi Jeff,

We've already packaged our 1.5 version of owasp-esapi and using AES within our framework. That being said we haven't stabilized yet, so there's a chance to get the svn version again.

thanks for the answer! 



From: jeff.williams at owasp.org
To: urgunb at hotmail.com; owasp-esapi at lists.owasp.org
Subject: RE: [OWASP-ESAPI] problem with ESAPI.encryptor().decrypt
Date: Thu, 28 May 2009 00:32:17 -0400

Hi Bedirhan,
Thanks for the detailed message, it was extremely helpful to get all the details.  Here’s the scoop.
We used to use PasswordBasedEncryption (PBE) in ESAPI to make it easier to support key changing. You can see it in version 1.3.  However, we changed this out based on feedback from large corporations who standardized on AES. So today you can use AES 256, DES 56, DESede 168, etc…  Just put your choices in ESAPI.properties, run JavaEncryptor to generate a new key, and put the new key in ESAPI.properties.
Currently, we’re using SecretKeySpec as it allows us to easily change algorithms. We want people to be able to easily configure the algorithm and keylength.  Unfortunately,  as it says in the Javadoc:
This class is only useful for raw secret keys that can be represented as a byte array and have no key parameters associated with them, e.g., DES or Triple DES keys. 
That means that we can’t use PBE anymore because it requires a PBEParameterSpec which is more complicated to set up. So we could enhance this to support more types of encryption in an easily configurable way.  But there’s an easy alternative.  Implement your own Encryptor that uses the algorithm you want for encryption. Then just configure ESAPI to use your class.
I made a few updates to make this easier to use. Can you try the latest version in SVN and let me know?  The ESAPI.properties file has been updated with more comments and is better organized now.


From: owasp-esapi-bounces at lists.owasp.org [mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Bedirhan Urgun
Sent: Wednesday, May 27, 2009 1:45 AM
To: owasp-esapi at lists.owasp.org
Subject: [OWASP-ESAPI] problem with ESAPI.encryptor().decrypt
Hi everyone,
We have the latest SVN version of ESAPI-Java. (With a jdk 1.5 requirement) During the compilation we had problems because of String.isEmpty like methods for jdk version 1.6 only. But those parts are out of scope anyway, so we removed them and successfully compiled.
The following are the exception details we get when trying to use the JavaEncryptor's decrypt method. I've searched through the google about the problem and found a few resources but what do you think about this exception in the context of owasp-esapi-java?
ESAPI.properties (I try to use PBEWithMD5AndDES)
# WARNING: For keys longer than 128 you must download unlimited strength policy files
# and install in the lib directory of your JRE. http://java.sun.com/javase/downloads/index.jsp
# Encryption
# Generate a new key using java -Dorg.owasp.esapi.resources="your path" org.owasp.esapi.reference.JavaEncryptor
# WARNING: Changing these settings will invalidate all user passwords, hashes, and encrypted data 
# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true
# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you
# want to place it in a specific directory.
# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000)

The Test Code Snippet
String random32 = ESAPI.randomizer().getRandomString(50,DefaultEncoder.CHAR_ALPHANUMERICS);
System.out.println("Random String generated : " + random32);
String random32Encrypted = ESAPI.encryptor().encrypt(random32);
System.out.println("Random String encrypted : " + random32Encrypted);
System.out.println("Random String decrypted : " + ESAPI.encryptor().decrypt(random32Encrypted));
The Exception
Random String generated : sD9ih0WbhokL59y5rImgpYO64x1rhM6PqaQX5BvWRmpl4kzbzZ
Random String encrypted : gPd5QLXjYxfBRIRX5ZOQeAMc2VHTnnoAyTvXYxzyKXkrCIebgqKGv9Sf3L8/mFCEHB56N1aj8dE=
log4j:WARN No appenders could be found for logger (AppNameNotSpecified:IntrusionDetector).
log4j:WARN Please initialize the log4j system properly.
Exception in thread "main" org.owasp.esapi.errors.EncryptionException: Encryption failure
at org.owasp.esapi.reference.JavaEncryptor.decrypt(JavaEncryptor.java:181)
at test.Test.main(Test.java:24)
Caused by: java.security.InvalidKeyException: requires PBE parameters
at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineInit(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.a(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at javax.crypto.Cipher.init(DashoA13*..)
at org.owasp.esapi.reference.JavaEncryptor.decrypt(JavaEncryptor.java:176)
... 1 more
Caused by: java.security.InvalidAlgorithmParameterException: Parameters missing
at com.sun.crypto.provider.SunJCE_ab.a(DashoA13*..)
at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineInit(DashoA13*..)
... 7 more
AES is the default algorithm to be used in SVN version, however, I'm analyzing what happens if, optionally, the developers want to use the PBEWithMD5AndDES.

Insert movie times and more without leaving Hotmail®. See how.
Windows Live™: Keep your life in sync.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-esapi/attachments/20090528/63a3764a/attachment-0001.html 

More information about the OWASP-ESAPI mailing list