ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

Change ESAPI crypto to support hex-encoding of crypto keys #290

Open meg23 opened 9 years ago

meg23 commented 9 years ago

From kevin.w.wall@gmail.com on August 23, 2012 12:52:19

Currently (in ESAPI 2.0.1 and earlier), the Encryptor.MasterKey and Encryptor.MasterSalt are both generated and stored in base64-encoded format.

Hex-encoding is more conventional for crypto-related items (keys, IVs, etc.).

This is a new feature request to:

1) Generate new Encryptor.MasterKey and Encryptor.MasterSalt via hex-encoding.
2) Support both hex-encoding and base64-encoding in reading properties Encryptor.MasterKey and Encryptor.MasterSalt from an existing ESAPI.properties file. (We need to continue to support base64-encoding for backward compatibility reasons.)

Besides being more conventional, an advantage of hex format is that it is trivial to trim (say) a 256-bit key to turn it into a 128-bit key.

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=284

kwwall commented 8 years ago

The strategy here should be for new versions of ESAPI to always create the Encryptor.MasterKey and Encryptor.MasterSalt as hex-encoded values and when it comes to decoding, first try hex-decoding and only try base64 decoding if the hex decoding fails.
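
The hex-first, base64-fallback decoding described in the comment above could look like the following. This is an added example, not ESAPI code: the class and method names are hypothetical, it uses the JDK's `java.util.Base64` rather than ESAPI's codecs, and the key-length check is an assumption of the example.

```java
import java.util.Base64;

// Added illustration; KeyPropertyDecoder and decodeKey are hypothetical names,
// not part of ESAPI.
public final class KeyPropertyDecoder {

    /** Decode a key property value: try hex first, fall back to base64. */
    public static byte[] decodeKey(String value, int... allowedBits) {
        String v = value.trim();
        byte[] raw = tryHex(v);
        if (raw == null) {
            try {
                raw = Base64.getDecoder().decode(v); // legacy base64 format
            } catch (IllegalArgumentException e) {
                throw new IllegalArgumentException("value is neither hex nor base64");
            }
        }
        // Assumption of this example: only accept expected key sizes, so a
        // truncated or corrupted property value fails loudly at load time.
        for (int bits : allowedBits) {
            if (raw.length * 8 == bits) {
                return raw;
            }
        }
        throw new IllegalArgumentException("unexpected key length: " + raw.length * 8 + " bits");
    }

    /** Returns the decoded bytes, or null if the string is not valid hex. */
    private static byte[] tryHex(String s) {
        if (s.isEmpty() || s.length() % 2 != 0) {
            return null;
        }
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            int d = c < 128 ? Character.digit(c, 16) : -1; // ASCII hex digits only
            if (d < 0) {
                return null;
            }
            out[i / 2] = (byte) ((out[i / 2] << 4) | d);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample values (an all-zero 128-bit key), not real keys.
        System.out.println(decodeKey("00000000000000000000000000000000", 128, 192, 256).length);
        System.out.println(decodeKey("AAAAAAAAAAAAAAAAAAAAAA==", 128, 192, 256).length);
    }
}
```

Base64 encodings of 128-bit and 256-bit values always end in `=` padding, so they can never pass the hex check; an unpadded base64 value would be misread as hex only if every one of its characters happened to be a hex digit.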