This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ESAPI Encryption"
From OWASP
(→Possible Enhancements) |
|||
| Line 4: | Line 4: | ||
== Possible Enhancements == | == Possible Enhancements == | ||
| − | + | * Potentially rename Seal and Unseal to better describe what they do | |
* seal() should include an HMAC or integrity check to ensure that the encrypted data has not been tampered with. | * seal() should include an HMAC or integrity check to ensure that the encrypted data has not been tampered with. | ||
| − | * The API should include support for key rotation | + | * The API should include support for key rotation; indicated key used for encryption of data |
* The API should allow key management to be externalized, to allow developers to integrate their own key management strategies (such as a PKI). | * The API should allow key management to be externalized, to allow developers to integrate their own key management strategies (such as a PKI). | ||
* The documentation for each method should indicate whether it is designed to protect integrity, confidentiality, or both; and whether it is suitable for encrypting transient items (such as hidden form fields) or is designed for long-term storage. | * The documentation for each method should indicate whether it is designed to protect integrity, confidentiality, or both; and whether it is suitable for encrypting transient items (such as hidden form fields) or is designed for long-term storage. | ||
Revision as of 14:43, 11 December 2008
Feature Overview
TODO
Possible Enhancements
- Potentially rename Seal and Unseal to better describe what they do
- seal() should include an HMAC or integrity check to ensure that the encrypted data has not been tampered with.
- The API should include support for key rotation; indicated key used for encryption of data
- The API should allow key management to be externalized, to allow developers to integrate their own key management strategies (such as a PKI).
- The documentation for each method should indicate whether it is designed to protect integrity, confidentiality, or both; and whether it is suitable for encrypting transient items (such as hidden form fields) or is designed for long-term storage.
