Return-Path: 
 <dev-return-5719-apmail-shiro-dev-archive=shiro.apache.org@shiro.apache.org>
X-Original-To: apmail-shiro-dev-archive@www.apache.org
Delivered-To: apmail-shiro-dev-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id F189790B4
	for <apmail-shiro-dev-archive@www.apache.org>;
 Tue, 12 Mar 2013 17:35:48 +0000 (UTC)
Received: (qmail 57334 invoked by uid 500); 12 Mar 2013 17:24:27 -0000
Delivered-To: apmail-shiro-dev-archive@shiro.apache.org
Received: (qmail 26935 invoked by uid 500); 12 Mar 2013 17:21:31 -0000
Mailing-List: contact dev-help@shiro.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:dev-help@shiro.apache.org>
List-Unsubscribe: <mailto:dev-unsubscribe@shiro.apache.org>
List-Post: <mailto:dev@shiro.apache.org>
List-Id: <dev.shiro.apache.org>
Reply-To: dev@shiro.apache.org
Delivered-To: mailing list dev@shiro.apache.org
Received: (qmail 70598 invoked by uid 99); 12 Mar 2013 13:25:23 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 12 Mar 2013 13:25:23 +0000
X-ASF-Spam-Status: No, hits=-0.7 required=5.0
	tests=RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of jim.manico@owasp.org designates
 74.125.83.52 as permitted sender)
Received: from [74.125.83.52] (HELO mail-ee0-f52.google.com) (74.125.83.52)
    by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 12 Mar 2013 13:25:16 +0000
Received: by mail-ee0-f52.google.com with SMTP id b15so2559065eek.25
        for <dev@shiro.apache.org>; Tue, 12 Mar 2013 06:24:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=x-received:message-id:date:from:user-agent:mime-version:to:subject
         :references:in-reply-to:x-enigmail-version:content-type
         :content-transfer-encoding:x-gm-message-state;
        bh=/MUI6lyaf6PFMJWHCDq2gnwEa/6lhuv/GQlG7RFAmk8=;
        b=AoZDujBEK89ooOaK+8ZqufkpN+ehMZm2wwGKjOc9J3Sw8l/P7+JPwTM7ZiK1HRzJYB
         5IhFgsepHX+J/extY1wDtZjiUJmvL/8QxEguNhUesJGxExs7FI3wAEuKHdFRe6pjcwLm
         gmgJQaMw6i0r0YSi2kvwVnAh78CXFbqGxipjbFC8+o50XeSesSz1QXgAcDdsKkRYhI6a
         aGwMhqO0gWKf+AZ/JrmnkXRqU5Di8K4rvkg+55uIE0Rs3/7b+Duok99gbJUe+uOyO6rj
         lkJIzzFxlDHDR/DXwJVgRJU/lwVoWaEF1KlnxudPADwlweDgsShnjJ5PE3JaF8G5euq1
         QmYw==
X-Received: by 10.14.173.67 with SMTP id u43mr48128748eel.22.1363094695423;
        Tue, 12 Mar 2013 06:24:55 -0700 (PDT)
Received: from heembo.local (seg75-3-82-226-180-88.fbx.proxad.net.
 [82.226.180.88])
        by mx.google.com with ESMTPS id
 m46sm29724980eeo.16.2013.03.12.06.24.52
        (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
        Tue, 12 Mar 2013 06:24:54 -0700 (PDT)
Message-ID: <513F2CBE.8060008@owasp.org>
Date: Tue, 12 Mar 2013 06:25:18 -0700
From: Jim Manico <jim.manico@owasp.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8;
 rv:17.0) Gecko/20130307 Thunderbird/17.0.4
MIME-Version: 1.0
To: dev@shiro.apache.org
Subject: Re: Crypto
References: <JIRA.12636252.1362934626892@arcas>
 <JIRA.12636252.1362934626892.415302.1362934632420@arcas>
 <513CBCD0.5040604@owasp.org>
 <CAAtvD4W+iYniODyJU143sqOc3TPiNdB1e2GoN2uE+0UL-qxjYw@mail.gmail.com>
In-Reply-To: 
 <CAAtvD4W+iYniODyJU143sqOc3TPiNdB1e2GoN2uE+0UL-qxjYw@mail.gmail.com>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Gm-Message-State: 
 ALoCoQnDDhivuxgdxP4bpFo4DbQplR5zzGnEbd+euHqt7vlJAdPC5ZQx2bpFKj8HV7AhHUaUuLcQ
X-Virus-Checked: Checked by ClamAV on apache.org

Fantastic answer! Thank you Les.

First of all, the OWASP Encoder was updated and is what we consider to
be production quality. This might be a great addition to Shiro for XSS
Defense. If you need us to re-license it in any way, please just ask.

https://code.google.com/p/owasp-java-encoder/

JCE's defaults are criminal. :)


I'm looking for volunteers in the crypto community to do a dig into your
work. Crypto is brutal, and assurance helps the cause. :)

Cool?

Aloha,
Jim



> Aloha Jim - nice to see you again :)
> 
>> I'm reviewing the Shiro crypto API's. What an excellent and simple to use abstraction!
> 
> Glad you like it!
> 
>> Have there been any review of Shiro's crypto by a professional cryptographer or similar resource? Have any of those reports been made public?
> 
> Nothing that is formal or 'white paper'ish, although we would be
> hugely appreciative of any efforts that professionals might wish to
> undertake.
> 
> Just for clarity (although you probably know this, but I want to
> document for posterity), Shiro does not implement any cryptography
> algorithms itself.  As you stated, it is an abstraction - it 'sits on
> top' of the more complex JCE API components, implementing best
> practices with that API.  So you can use the default JCE or plug in
> something like Bouncy Castle, and Shiro will work just fine,
> delegating to the underlying JCE architecture.
> 
>> For example, one of the creators of AES told me; "When using AES in CBC mode your IV's really should be unique per message and the IV's should stay in secret".
> 
> Far be it from me to contradict one of the AES authors ;)  Shiro does
> almost all of that out of the box - keeping the IVs secret is not
> something Shiro does at the moment however due to some complexity
> requirements that would impose on the Shiro end-user (please feel free
> to add a Jira improvement issue - I'd be happy to take a look at it).
> 
> That being said, Shiro's defaults for block ciphers is *much* more
> secure than the JDK defaults.  For example, the JDK defaults to using
> AES in ECB mode and I believe no padding scheme, which is effectively
> useless.  Here is an example showing why:
> 
> Plaintext: http://www.slideshare.net/chunsaker/intro-to-apache-shiro/41
> Ciphertext w/ JDK's defaults:
> http://www.slideshare.net/chunsaker/intro-to-apache-shiro/42
> Ciphertext w/ Shiro's defaults:
> http://www.slideshare.net/chunsaker/intro-to-apache-shiro/43
> 
> The reason the JDK does this is that almost all other cipher modes of
> operation require an IV and the JDK's APIs are low level enough such
> that they can't (won't) generate an IV for you automatically.
> 
> Shiro however does generate cryptographically strong random IVs and
> embeds them in the ciphertext output.  When decrypting, the IV is
> 'unembedded' and then used to decrypt the ciphertext.  The IV size is
> the same size as the block size to ensure no other block is
> distinguishable.  Additionally, Shiro uses a proper padding scheme to
> ensure all output remains a multiple of the block size, to
> additionally help ensure patterns are hard to distinguish.
> 
> So while Shiro embeds the random IVs in the message and does not keep
> them secret, its default approach with secure random IVs and padding
> schemes is *much* more secure than using the JDK's defaults.
> 
> With the exception of (few) crypto experts, almost all developers I've
> personally come across had no idea the JDK's defaults are so insecure
> and had no idea they weren't using it correctly.  At least Shiro gets
> everyone to a level of security that most wouldn't have achieved
> otherwise.
> 
> Finally, the reason why Shiro (currently) embeds the IVs in the
> ciphertext instead of keeping them secret is one of infrastructural
> complexity that would be imposed on Shiro end users: we'd need to
> support a storage abstraction.  While this wouldn't be hard to
> incorporate into Shiro (probably just a few interfaces), it would
> probably add more confusion to an already confusing topic.
> 
> That being said, as with all things in Shiro, we can continue with our
> sensible defaults out-of-the-box and more advanced users can simply
> turn on the storage feature.  Please open a Jira issue if you'd like
> to see this added (and as always, patches welcome! :)).
> 
>> My apologies if I'm posting in the wrong place.
> 
> None necessary - this is the right place :)  Thanks for the great questions!
> 
> Best,
> 
> Les Hazlewood
> CTO, Stormapth
> @lhazlewood
>