vishank848 / owasp-esapi-java

Automatically exported from code.google.com/p/owasp-esapi-java
Other
4 stars 2 forks source link

Revise CryptoHelper.computeDerivedKeys() in accordance with review recommendations #198

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Both the NSA and Jeff Walton make some recommendations that would affect 
ESAPI's KDF, CryptoHelper.computeDerivedKeys().

The NSA recommended that a stronger HMAC be used (e.g., HMAC-SHA256) or that it 
be made tunable. (We probably need it tunable for future flexibility as well as 
support across multiple programming languages of ESAPI.)

Jeff Walton recommends that we make it more in the line of NIST approved KDF's 
by adding "iteration counts, context, and other adornments which usually 
accompany an iteration of a PRF" (PRF == pseudo-random function).

Adding 'context' is difficult and needs to be thought through in more detail, 
therefore adding it will likely be postponed until ESAPI 2.1. However, an 
iteration count should definitely be added. Jeff's KDF analysis is attached.

Original issue reported on code.google.com by kevin.w.wall@gmail.com on 8 Jan 2011 at 11:04

Attachments:

GoogleCodeExporter commented 9 years ago
Change status to 'Started'.

Original comment by kevin.w.wall@gmail.com on 9 Jan 2011 at 3:15

GoogleCodeExporter commented 9 years ago
Fixed. Recommended changes implemented in SVN revisions 1682, 1683, 1699, 1700,
1705, 1706, 1707, 1711, and 1712. See SVN commit comments and Google Issue #81
for additional details.

Original comment by kevin.w.wall@gmail.com on 4 Feb 2011 at 7:37