ESAPI / esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications.
https://owasp.org/www-project-enterprise-security-api/

Consider additional logging whenever ECB or other designated weak cipher modes are used for encryption / decryption. #718

Open kwwall opened 2 years ago

kwwall commented 2 years ago

Even with an encrypt-then-MAC approach, using ECB cipher mode is still a really bad idea as it is a very weak cipher mode that reveals patterns in the resulting ciphertext. However, for completeness and support for legacy encrypted data, we need to support it. And while it is not supported as an out-of-the-box standard ESAPI configuration, it still could be done with custom tweaks to ESAPI.properties file.

However, just as we log an error when there is an attempt to encrypt something with a key size smaller than the Encryptor.MinEncryptionKeyLength property, there should be a similar error logged when ECB mode (and maybe other cipher modes that are considered weak [which might require a new property to specify them]) is used for encryption.

Also, presently, there is nothing logged (except at DEBUG level) if one were to try to decrypt ciphertext using ECB, but perhaps a warning should be logged for that case as well as the use of short keys for decryption purposes.

Related to GitHub issue #651.
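The check the issue asks for, as an added illustration that is not ESAPI's own code: a small helper that inspects the JCE transformation string (the form ESAPI reads from Encryptor.CipherTransformation, e.g. "AES/ECB/PKCS5Padding"), compares the mode against a set of designated weak modes, compares the key length against the configured minimum, and emits a warning for both encryption and decryption. The set of weak modes stands in for the new property the issue says might be needed (its name is not decided, so none is assumed here), and java.util.logging is used in place of ESAPI's own Logger so the example runs stand-alone.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.logging.Logger;

/**
 * Example for issue #718 (not ESAPI code): log whenever a cipher transformation
 * in a designated-weak mode (ECB by default), or a key shorter than the configured
 * minimum, is used for encryption or decryption.
 */
public final class WeakCipherModeCheck {

    private static final Logger LOG = Logger.getLogger(WeakCipherModeCheck.class.getName());

    /** Default weak-mode list; a real deployment would read this from a (hypothetical) new ESAPI property. */
    private static final Set<String> DEFAULT_WEAK_MODES =
            Collections.unmodifiableSet(new HashSet<>(Arrays.asList("ECB")));

    private final Set<String> weakModes;
    private final int minKeyBits;   // plays the role of Encryptor.MinEncryptionKeyLength

    public WeakCipherModeCheck(Set<String> weakModes, int minKeyBits) {
        Set<String> upper = new HashSet<>();
        for (String m : weakModes) {
            upper.add(m.trim().toUpperCase(Locale.ROOT));
        }
        this.weakModes = Collections.unmodifiableSet(upper);
        this.minKeyBits = minKeyBits;
    }

    /** ECB flagged, 128-bit minimum key (the value ESAPI.properties ships with for MinEncryptionKeyLength). */
    public static WeakCipherModeCheck withDefaults() {
        return new WeakCipherModeCheck(DEFAULT_WEAK_MODES, 128);
    }

    /**
     * Extracts the mode from a JCE transformation such as "AES/ECB/PKCS5Padding".
     * A bare algorithm name ("AES") leaves the mode to the provider default, so it yields "".
     */
    static String modeOf(String transformation) {
        String[] parts = transformation.split("/");
        return parts.length >= 2 ? parts[1].trim().toUpperCase(Locale.ROOT) : "";
    }

    /**
     * Runs both checks for the given operation ("encrypt" or "decrypt") and
     * returns true when at least one warning was logged.
     */
    public boolean check(String operation, String transformation, int keyBits) {
        boolean flagged = false;
        String mode = modeOf(transformation);
        if (weakModes.contains(mode)) {
            LOG.warning(String.format("Attempt to %s using weak cipher mode %s (transformation %s)",
                    operation, mode, transformation));
            flagged = true;
        }
        if (keyBits < minKeyBits) {
            LOG.warning(String.format("Attempt to %s using a %d-bit key; configured minimum is %d bits",
                    operation, keyBits, minKeyBits));
            flagged = true;
        }
        return flagged;
    }

    public static void main(String[] args) {
        WeakCipherModeCheck check = WeakCipherModeCheck.withDefaults();
        check.check("encrypt", "AES/CBC/PKCS5Padding", 128);  // nothing logged
        check.check("encrypt", "AES/ECB/PKCS5Padding", 128);  // warning: ECB on encrypt
        check.check("decrypt", "AES/ECB/PKCS5Padding", 128);  // warning: ECB on decrypt, the case the issue adds
        check.check("decrypt", "DES/CBC/PKCS5Padding", 56);   // warning: 56-bit key below the 128-bit minimum
    }
}
```

The decrypt calls are where this differs from today's behaviour described in the issue: the same warning is emitted regardless of direction, so legacy ECB ciphertext can still be decrypted while its use remains visible in the logs rather than only at DEBUG level.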