'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
Thai Duong
thaidn at gmail.com
Tue Sep 28 04:39:35 EDT 2010
On Tue, Sep 28, 2010 at 12:49 PM, Peter Gutmann
<pgut001 at cs.auckland.ac.nz> wrote:
> Ye gods, how can you screw something that simple up that much? They use the
> appropriate, and secure, HMAC-SHA1 and AES, but manage to apply it backwards!
I guess they just follow SSL.
BTW, they screw up more badly in other places. Download .NET
Reflector, decompile .NET source, and do a grep 'DecryptString',
you'll see at least three places where they don't even use a MAC at
all.
Thai.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list