'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
James A. Donald
jamesd at echeque.com
Tue Sep 28 18:42:49 EDT 2010
On 2010-09-28 1:58 PM, Thai Duong wrote:
> On Sat, Sep 18, 2010 at 8:43 PM, Peter Gutmann
> <pgut001 at cs.auckland.ac.nz> wrote:
>>> I'm one of the authors of the attack. Actually if you look closer, you'll see
>>> that they do it wrong in many ways.
>>
>> The FormsAuth as well, not just the view state? �Interesting, I thought they
>> had that one right, at least.
>
> We promised Microsoft not to release anything before they have a
> working patch. Now they have it, so we release the slide we presented
> at EKOPARTY. Check it out.
>
> http://netifera.com/research/poet//PaddingOraclesEverywhereEkoparty2010.pdf
Now I understand why one should, counterintuitively, encrypt then MAC.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list