'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

=JeffH Jeff.Hodges at KingsMountain.com
Mon Sep 13 17:34:10 EDT 2010


practical "Padding Oracle Attacks" (cf travis' msg "padding attack vs. PKCS7" 
of Thu, 11 Jun 2009 11:37:16 -0500)...


'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
<http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310#>
by Dennis Fisher
September 13, 2010, 7:58AM

A pair of security researchers have implemented an attack that exploits the way 
that ASP.NET Web applications handle encrypted session cookies, a weakness that 
could enable an attacker to hijack users' online banking sessions and cause 
other severe problems in vulnerable applications. Experts say that the bug, 
which will be discussed in detail at the Ekoparty conference in Argentina this 
week [0], affects millions of Web applications.

The problem lies in the way that ASP.NET, Microsoft's popular Web framework, 
implements the AES encryption algorithm to protect the integrity of the cookies 
these applications generate to store information during user sessions. A common 
mistake is to assume that encryption protects the cookies from tampering so 
that if any data in the cookie is modified, the cookie will not decrypt 
correctly. However, there are a lot of ways to make mistakes in crypto 
implementations, and when crypto breaks, it usually breaks badly.

"We knew ASP.NET was vulnerable to our attack several months ago, but we didn't 
know how serious it is until a couple of weeks ago. It turns out that the 
vulnerability in ASP.NET is the most critical amongst other frameworks. In 
short, it totally destroys ASP.NET security," said Thai Duong, who along with 
Juliano Rizzo, developed the attack against ASP.NET.

The pair have developed a tool specifically for use in this attack, called the 
Padding Oracle Exploit Tool [1]. Their attack is an application of a technique 
that's been known since at least 2002, when Serge Vaudenay presented a paper at 
on the topic at Eurocrypt [2].


In this case, ASP.NET's implementation of AES has a bug in the way that it 
deals with errors when the encrypted data in a cookie has been modified. If the 
ciphertext has been changed, the vulnerable application will generate an error, 
which will give an attacker some information about the way that the 
application's decryption process works. More errors means more data. And 
looking at enough of those errors can give the attacker enough data to make the 
number of bytes that he needs to guess to find the encryption key small enough 
that it's actually possible.

The attack allows someone to decrypt sniffed cookies, which could contain 
valuable data such as bank balances, Social Security numbers or crypto keys. 
The attacker may also be able to create authentication tickets for a vulnerable 
Web app and abuse other processes that use the application's crypto API.

Rizzo and Duong did similar work earlier this year on JavaServer Faces and 
other Web frameworks that was presented at Black Hat Europe [3]. They continued 
their research and found that ASP.NET was vulnerable to the same kind of 
attack. The type of attack is known as a padding oracle attack and it relies on 
the Web application using cipher-block chaining mode for its encryption, which 
many apps do.

<snip/>

[0] http://ekoparty.org/juliano-rizzo-2010.php

[1] Practical Padding Oracle Attacks
     http://netifera.com/research/

[2] http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf

[3] 
<http://netifera.com/research/poet/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf>


---
end


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list