'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

Peter Gutmann pgut001 at cs.auckland.ac.nz
Tue Sep 14 07:14:36 EDT 2010


=JeffH <Jeff.Hodges at KingsMountain.com> quotes:

>"We knew ASP.NET was vulnerable to our attack several months ago, but we
>didn't know how serious it is until a couple of weeks ago. It turns out that
>the vulnerability in ASP.NET is the most critical amongst other frameworks.
>In short, it totally destroys ASP.NET security," said Thai Duong, who along
>with Juliano Rizzo, developed the attack against ASP.NET.

The earlier work is also pretty devastating against CAPTCHAs (as well as being
a damn good read, "Sudo make me a CAPTCHA" :-).  A great many CAPTCHAs work by
using a hidden form field containing the encrypted solution to the CAPTCHA,
which is then POSTed back to the server along with the client's solution (this
is needed to make the operation stateless).  If the decrypted version matches
what the client provides, they've solved the CAPTCHA.  So all an attacker has
to do is solve one CAPTCHA manually and then replay the encrypted version back
along with the solution as often as they like; you don't need to hire a
Pakistani Internet cafe any more for your CAPTCHA-breaking.  This destroys an
awful lot of CAPTCHAs, and isn't at all easy to fix because of the requirement
to keep it stateless.

Peter.
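
The replay problem described above, as an added Python example that is not part of the original post or of any CAPTCHA product. It assumes the hidden field carries a nonce, an expiry and an HMAC over the solution instead of a ciphertext; all names, the key and the sample values are constructed. An expiry bounds the replay window without server state, but rejecting a second use needs a cache of spent nonces.

```python
import hashlib
import hmac
import os

KEY = os.urandom(32)  # constructed server secret for this demo


def _mac(nonce, expiry, solution):
    msg = f"{nonce}|{expiry}|{solution}".encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def issue(solution, now, ttl=120):
    """Build the hidden-field token: nonce.expiry.mac (no server state kept)."""
    nonce = os.urandom(8).hex()
    expiry = str(int(now) + ttl)
    return f"{nonce}.{expiry}.{_mac(nonce, expiry, solution)}"


def verify_stateless(token, answer, now):
    """Stateless check: a solved token stays valid until it expires."""
    try:
        nonce, expiry, mac = token.split(".")
        expired = now > int(expiry)
    except ValueError:  # wrong field count or non-numeric expiry
        return False
    expected = _mac(nonce, expiry, answer)
    return (not expired) and hmac.compare_digest(mac.encode(), expected.encode())


class SingleUseVerifier:
    """Same check plus a cache of spent nonces, kept only until they expire."""

    def __init__(self):
        self.spent = {}  # nonce -> expiry timestamp

    def verify(self, token, answer, now):
        if not verify_stateless(token, answer, now):
            return False
        nonce, expiry, _ = token.split(".")
        # Entries past their expiry are already rejected by the stateless check.
        self.spent = {n: e for n, e in self.spent.items() if e >= now}
        if nonce in self.spent:
            return False  # replay of an already-solved token
        self.spent[nonce] = int(expiry)
        return True
```

The spent-nonce cache only has to hold entries for the token lifetime, so the state it adds is bounded by the issue rate times the TTL.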
