'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

Thai Duong thaidn at gmail.com
Fri Sep 17 20:52:27 EDT 2010


On Wed, Sep 15, 2010 at 11:07 AM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Tom Ritter <tom at ritter.vg> writes:
>
>>What's weird is I find confusing literature about what *is* the default for
>>protecting the viewstate.
>
> I still haven't seen the paper/slides from the talk so it's a bit hard to
> comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
> (for cookie-based auth, not viewstate protection) then you get MAC protection
> built-in, along with other nice features like sliding cookie expiration (the
> cookie expires relative to the last active use of the site rather than an
> absolute time after it was set).  I've used it in the past as an example of
> how to do cookie-based auth right.
>
> Peter.
>

I'm one of the authors of the attack. Actually if you look closer,
you'll see that they do it wrong in many ways.

Here is a video that we just released this morning at EKOPARTY:
http://www.youtube.com/watch?v=yghiC_U2RaM

Slides, paper, and tools will be released on http://www.netifera.com/research.

Thai.
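Peter's point above, that a ticket carries a MAC and a sliding expiration, as an added example in Python. This is my own illustration, not ASP.NET's FormsAuthenticationTicket and not code from the attack authors. It assumes a 32-byte shared key supplied by the caller, keeps the claims in the clear so the MAC layout stays visible, and uses a constructed 20-minute idle window that is renewed once more than half of it has elapsed. The property worth noticing is that the tag is checked in constant time over the whole token before a single byte of it is parsed, so every tampered token fails through one identical path; applied to an encrypted payload, checking the MAC before decrypting and unpadding is what denies a padding oracle its distinguishing signal.

```python
import base64
import hashlib
import hmac
import json
import os
import time

TAG_LEN = 32                    # HMAC-SHA256 output size
SLIDING_WINDOW = 20 * 60        # constructed: seconds of inactivity before a ticket dies
RENEW_AFTER = SLIDING_WINDOW // 2  # constructed policy: reissue once half the window is used


class InvalidTicket(ValueError):
    """Single failure type: the caller learns only that the ticket is unusable."""


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def issue_ticket(key: bytes, username: str, now: int) -> str:
    """Build claims || HMAC(key, claims), base64url-encoded for a cookie."""
    body = json.dumps({"u": username, "exp": now + SLIDING_WINDOW},
                      separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body + _mac(key, body)).decode()


def validate_ticket(key: bytes, ticket: str, now: int):
    """Return (username, renewed_ticket_or_None); raise InvalidTicket on any failure."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except (ValueError, UnicodeEncodeError):
        raise InvalidTicket("invalid ticket")
    if len(raw) < TAG_LEN:
        raise InvalidTicket("invalid ticket")
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    # Verify first, constant-time, before touching the contents. Nothing downstream
    # (the JSON parser here, a decrypt-and-unpad step in the encrypted case) ever runs
    # on bytes an attacker was allowed to modify.
    if not hmac.compare_digest(tag, _mac(key, body)):
        raise InvalidTicket("invalid ticket")
    claims = json.loads(body)
    if now > claims["exp"]:
        raise InvalidTicket("invalid ticket")
    # Sliding expiration: the deadline is measured from the last accepted use.
    renewed = None
    if claims["exp"] - now < SLIDING_WINDOW - RENEW_AFTER:
        renewed = issue_ticket(key, claims["u"], now)
    return claims["u"], renewed


def is_rejected(key: bytes, ticket: str, now: int) -> bool:
    """True when validate_ticket refuses the ticket (used to show uniform failure)."""
    try:
        validate_ticket(key, ticket, now)
    except InvalidTicket:
        return True
    return False


def flip_byte(ticket: str, offset: int) -> str:
    """Constructed tampering helper: flip one bit of the decoded token at `offset`."""
    raw = bytearray(base64.urlsafe_b64decode(ticket.encode()))
    raw[offset] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    key = os.urandom(32)          # a real deployment persists this like a machineKey
    t0 = int(time.time())
    ticket = issue_ticket(key, "alice", t0)
    print("valid:", validate_ticket(key, ticket, t0 + 60)[0])
    print("claims tampered, rejected:", is_rejected(key, flip_byte(ticket, 2), t0 + 60))
    print("tag tampered, rejected:", is_rejected(key, flip_byte(ticket, -1), t0 + 60))
    print("idle past window, rejected:", is_rejected(key, ticket, t0 + SLIDING_WINDOW + 1))
```

Both tamper cases and the expiry case surface as the same exception with the same message, which is the behaviour a verifier should look for when reviewing a token scheme: the server's response must not vary with where or how the token was altered.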

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
