88# updated dynamically.
99#
1010# Before using, be sure to update the MasterKey and MasterSalt as described below.
11+ # N.B.: If you are trying to use ESAPI 2.0 with the same MasterKey and MasterSalt
12+ # as you did with some earlier version (e.g., 1.4), these may not work unless
13+ # you set 'Encryptor.ESAPICompatibilityVersion=1.4' (see below). The preferred
14+ # approach is to simply regenerate the MasterKey and MasterSalt by running
15+ # java -jar org.owasp.esapi.ESAPI
16+ # with the default ESAPI.properties file.
1117#
1218# ===========================================================================
1319# ESAPI Configuration
@@ -29,6 +35,14 @@ ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController
2935ESAPI.Authenticator =org.owasp.esapi.reference.FileBasedAuthenticator
3036ESAPI.Encoder =org.owasp.esapi.reference.DefaultEncoder
3137ESAPI.Encryptor =org.owasp.esapi.reference.JavaEncryptor
38+ ESAPI.CipherText =org.owasp.esapi.reference.DefaultCipherText
39+ # CHECKME: Should we have a default JCE provider or provider class specified
40+ # somewhere so one could (say) use Bouncy Castle rather than the
41+ # default SunJCE if they so desired? That would take only some
42+ # relatively simple changes to JavaEncryptor.
43+ # E.g., I was thinking of something like this:
44+ ESAPI.PreferredJCEProvider =SunJCE
45+
3246ESAPI.Executor =org.owasp.esapi.reference.DefaultExecutor
3347ESAPI.HTTPUtilities =org.owasp.esapi.reference.DefaultHTTPUtilities
3448ESAPI.IntrusionDetector =org.owasp.esapi.reference.DefaultIntrusionDetector
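Review bot: `ESAPI.PreferredJCEProvider =SunJCE` is committed as a live property while the CHECKME comment directly above it describes it as an idea ("I was thinking of something like this") that would still need changes to JavaEncryptor, so as written the key is either silently ignored or pins the JCE provider without any statement of which. Until the lookup exists in JavaEncryptor, keep the line disabled (`# ESAPI.PreferredJCEProvider=SunJCE`) and replace the musing with a stated contract, e.g. `# Proposed: JCE provider name JavaEncryptor would pass to Cipher.getInstance(); not yet read by the code.` Every other `ESAPI.*` key in this section names an implementation class, so a provider name under that prefix is also inconsistent; `Encryptor.PreferredJCEProvider` would sit with the other keys that configure the encryptor. Whether JavaEncryptor reads this key cannot be confirmed from the properties file alone.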
@@ -81,22 +95,69 @@ Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec
8195# will invalidate all signed, encrypted, and hashed data.
8296#
8397# WARNING: Not all combinations of algorithms and key lengths are supported.
84- # If you choose to use a key length greater than 128 (and you should) , you must download the
98+ # If you choose to use a key length greater than 128, you MUST download the
8599# unlimited strength policy files and install in the lib directory of your JRE/JDK.
86100# See http://java.sun.com/javase/downloads/index.jsp for more information.
87101#
102+
103+ # If backward compatibility MUST be supported, set this to 1.4 by uncommenting
104+ # this next property. However, note that ESAPI v1.4 used ECB cipher mode which in almost
105+ # all circumstances then CBC mode which is the default in 2.0. In general,
106+ # you should only use this if you have persistent data encrypted with version 1.4
107+ # and even then, you should only set this compatibility mode UNTIL you have
108+ # decrypted all of your old encrypted data and re-encrypted it with ESAPI 2.0.
109+ #
110+ # # Encryptor.ESAPICompatibilityVersion=1.4
111+
88112Encryptor.MasterKey =pJhlri8JbuFYDgkqtHmm9s0Ziug2PE7ovZDyEPm4j14=
89113Encryptor.MasterSalt =SbftnvmEWD5ZHHP+pX3fqugNysc=
90114
91- # AES is the most widely used and strongest encryption algorithm
92- Encryptor.EncryptionKeyLength = 256
115+ # AES is the most widely used and strongest encryption algorithm. This
116+ # should agree with your Encryptor.CipherTransformation property.
93117Encryptor.EncryptionAlgorithm =AES
118+ Encryptor.CipherTransformation =AES/CBC/PKCS5Padding
119+ # Use what was used in version <version> if compatibility is set above.
120+ # For now, only the version '1.4' applies.
121+ Encryptor.CipherTransformation.1.4 =AES/ECB/None
122+
123+ # 128-bit is almost always sufficient and appears to be more resistant to
124+ # related key attacks than is 256-bit AES. Use '_' to use default key size
125+ # for cipher algorithms (where it makes sense because the algorithm supports
126+ # a variable key size).
127+ Encryptor.EncryptionKeyLength =128
128+
129+ # Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
130+ # (All cipher modes except ECB require an IV.) There are two choices: we can either
131+ # use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
132+ # the IV does not need to be hidden from adversaries, it is important that the
133+ # adversary not be allowed to choose it. Also, random IVs are generally much more
134+ # secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
135+ # such as CFB and OFB use a different IV for each encryption with a given key so
136+ # in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
137+ # IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
138+ # uncomment the Encryptor.fixedIV.
139+ #
140+ # Valid values: random|fixed|specified 'specified' not yet implemented
141+ Encryptor.ChooseIVMethod =random
142+ # If you choose to use a fixed IV, then you must place a fixed IV here that
143+ # is known to all others who are sharing your secret key. The format should
144+ # be a hex string that is the same length as the cipher block size for the
145+ # cipher algorithm that you are using.
146+ # Encryptor.fixedIV=fixed
147+
148+ # Whether or not CipherText should use a message integrity code (MIC) with it.
149+ # This prevents an adversary from altering the IV as well as allowing a more
150+ # fool-proof way of determining the decryption failed because of an incorrect
151+ # key being supplied.
152+ Encryptor.CipherText.useMIC =true
153+
94154
95155# Do not use DES except in a legacy situation
96156# Encryptor.EncryptionKeyLength=56
97157# Encryptor.EncryptionAlgorithm=DES
98158
99159# TripleDES is considered strong enough for most purposes
160+ # Note: There is also a 112-bit version of DESede.
100161# Encryptor.EncryptionKeyLength=168
101162# Encryptor.EncryptionAlgorithm=DESede
102163
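Review bot: `Encryptor.CipherTransformation.1.4 =AES/ECB/None` is not a valid JCA transformation string, because the standard padding names are `NoPadding`, `PKCS5Padding` and the like, so `Cipher.getInstance()` would reject `None` the first time `Encryptor.ESAPICompatibilityVersion=1.4` is enabled. If the 1.4 encryptor obtained its cipher with the bare algorithm name, the SunJCE default that resolves to is `AES/ECB/PKCS5Padding`, which is the value to write here; this should be checked against the 1.4 JavaEncryptor before the line is relied on. The compatibility comment beginning `However, note that ESAPI v1.4 used ECB cipher mode` has lost its verb and currently reads as if ECB were preferable; it should say `ECB cipher mode, which in almost all circumstances is less secure than CBC mode`. Two smaller points in the same hunk: the disabled example `# Encryptor.fixedIV=fixed` contradicts the comment above it that requires a hex string as long as the cipher block size, so a labelled placeholder such as `# Encryptor.fixedIV=<hex string, one cipher block in length>` is less likely to be copied literally, and `# # Encryptor.ESAPICompatibilityVersion=1.4` carries a doubled comment marker.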
@@ -136,6 +197,7 @@ HttpUtilities.ResponseContentType=text/html; charset=UTF-8
136197
137198# ===========================================================================
138199# ESAPI Executor
200+ # CHECKME - Not sure what this is used for, but surely it should be made OS independent.
139201Executor.WorkingDirectory =C:\\ Windows\\ Temp
140202Executor.ApprovedExecutables =C:\\ Windows\\ System32\\ cmd.exe,C:\\ Windows\\ System32\\ runas.exe
141203
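Review bot: The added `# CHECKME - Not sure what this is used for, but surely it should be made OS independent.` above `Executor.WorkingDirectory` leaves an open question in a file that ships to every deployment, and the same applies to the `# CHECKME: Shouldn't there be something in the property name itself ...` comment added before the IntegrityException entries in the last hunk. The two Executor keys appear self-describing from their names and values (a working directory and a comma-separated list of approved executable paths), so the comment should state that instead of asking, e.g. `# Working directory for commands run through the Executor and the list of executables it may launch; the defaults are Windows paths and must be changed for other hosts.` The OS-independence remark is worth keeping as a deployment instruction rather than as a question to the reader. Whether DefaultExecutor actually reads `Executor.WorkingDirectory` cannot be confirmed from this file.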
@@ -184,6 +246,8 @@ IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1
184246IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions =log,disable,logout
185247
186248# for test purposes
249+ # CHECKME: Shouldn't there be something in the property name itself that designates
250+ # that these are for testing???
187251IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count =10
188252IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval =5
189253IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions =log,disable,logout