andytanoko / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java

Strengthen symmetric encryption in OWASP ESAPI #49

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
1) Provide alternative to the ECB cipher mode that version 1.4 required you
to use because it did not support IV. Default is now CBC cipher mode with
random IV.
2) Provide mechanism to use alternate secret encryption key rather than
requiring the use of the single secret key specified by Encryptor.MasterKey.
3) Allow encrypted messages to be checked for authenticity by including an
HMAC-SHA1 using a derived key.
4) Uniformly ensure that "UTF-8" encoding is being used throughout so that
encryption / decryption will work correctly across platforms with different
native encodings.

NOTE: This work is already completed. This issue is simply for tracking
purposes to assist with the release notes for 2.0.

Original issue reported on code.google.com by kevin.w.wall@gmail.com on 6 Nov 2009 at 10:28
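
The changes listed in this issue (CBC mode with a random IV, an HMAC-SHA1 authenticity check using a derived key, UTF-8 throughout), shown as an added example built on the plain JCE; it is not ESAPI's code or API. The class name, the label-based key derivation and the IV || ciphertext || tag layout are assumptions made for the example.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
public class CbcHmacExample {
    static byte[] hmac(byte[] key, byte[]... parts) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        for (byte[] p : parts) mac.update(p);
        return mac.doFinal();
    }
    // Assumed derivation for this example (not ESAPI's KDF): HMAC-SHA1(master, label), first n bytes.
    static byte[] derive(byte[] master, String label, int n) throws Exception {
        return Arrays.copyOf(hmac(master, label.getBytes(StandardCharsets.UTF_8)), n);
    }
    static Cipher aesCbc(int mode, byte[] master, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, new SecretKeySpec(derive(master, "encryption", 16), "AES"), new IvParameterSpec(iv));
        return c;
    }
    // Constructed layout: IV (16 bytes) || ciphertext || HMAC-SHA1 tag (20 bytes).
    static byte[] encrypt(byte[] master, String plaintext) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv); // fresh random IV per message
        byte[] ct = aesCbc(Cipher.ENCRYPT_MODE, master, iv).doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] tag = hmac(derive(master, "authenticity", 20), iv, ct);
        byte[] out = Arrays.copyOf(iv, 16 + ct.length + 20);
        System.arraycopy(ct, 0, out, 16, ct.length);
        System.arraycopy(tag, 0, out, 16 + ct.length, 20);
        return out;
    }
    static String decrypt(byte[] master, byte[] msg) throws Exception {
        if (msg.length < 16 + 16 + 20) throw new SecurityException("message too short");
        byte[] iv = Arrays.copyOfRange(msg, 0, 16);
        byte[] ct = Arrays.copyOfRange(msg, 16, msg.length - 20);
        byte[] tag = Arrays.copyOfRange(msg, msg.length - 20, msg.length);
        // Check the tag in constant time before decrypting, so tampered input never reaches the padding check.
        if (!MessageDigest.isEqual(tag, hmac(derive(master, "authenticity", 20), iv, ct)))
            throw new SecurityException("authenticity check failed");
        return new String(aesCbc(Cipher.DECRYPT_MODE, master, iv).doFinal(ct), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        byte[] master = "constructed demo secret".getBytes(StandardCharsets.UTF_8);
        byte[] msg = encrypt(master, "caf\u00e9");
        System.out.println(decrypt(master, msg)); // round trip
        msg[20] ^= 1; // flip one ciphertext bit
        try { decrypt(master, msg); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```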

GoogleCodeExporter commented 8 years ago

Original comment by kevin.w.wall@gmail.com on 6 Nov 2009 at 10:31

GoogleCodeExporter commented 8 years ago

Original comment by kevin.w.wall@gmail.com on 6 Nov 2009 at 10:33

GoogleCodeExporter commented 8 years ago
Also, this default addresses the default key size for the default cipher. Default
cipher is still AES, but default key size was changed from 256-bits to 128-bits so
developers could use default encryption settings without being required to download
Sun's Unlimited Strength Jurisdiction Policy files for JCE.

Original comment by kevin.w.wall@gmail.com on 6 Nov 2009 at 11:15

GoogleCodeExporter commented 8 years ago

Original comment by kevin.w.wall@gmail.com on 7 Nov 2009 at 4:39