'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

Kevin W. Wall kevin.w.wall at gmail.com
Tue Sep 28 20:08:52 EDT 2010


Thai Duong wrote:
> On Tue, Sep 28, 2010 at 12:49 PM, Peter Gutmann
> <pgut001 at cs.auckland.ac.nz> wrote:
> 
>> Ye gods, how can you screw something that simple up that much?  They use the
>> appropriate, and secure, HMAC-SHA1 and AES, but manage to apply it backwards!
> 
> I guess they just follow SSL.
> 
> BTW, they screw up more badly in other places. Download .NET
> Reflector, decompile .NET source, and do a grep 'DecryptString',
> you'll see at least three places where they don't even use a MAC at
> all.

So, I think I brought this up once before with Thai, but isn't the
pre-shared key version of W3C's XML Encrypt also going to be vulnerable
to a padding oracle attack? IIRC, W3C doesn't specify a MAC at all, so unless
you use XML Digital Signature after using XML Encrypt w/ a PSK, it
seems to me you are screwed in that case as well. And there are
some cases where using a random session key that's encrypted with a
recipient's public key is just not scalable (e.g., when sending out
over something like Java Message Service, or the Tibco Bus, or
almost anything that uses multicast). And even if a new XML Encrypt
spec for use with a PSK were adopted tomorrow, the adoption would take
quite a long time. Sure hope I'm wrong about that. Maybe one of
you real cryptographers can set me straight on this.

-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
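The scenario Kevin asks about (CBC under a pre-shared key, no MAC, a receiver whose padding check is observable) worked through as an added example; this is not code from the thread, from ASP.NET or from any XML Encryption implementation. A 4-round SHA-256 Feistel network stands in for AES so the script runs on the standard library alone; the attack makes no use of the cipher's internals, only of the oracle. All function names (make_padding_oracle, make_authenticated_oracle, recover_block, padding_oracle_attack, demo) and the XML-looking sample message are constructed for the example.

```python
import hashlib
import hmac
import os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _split(iv, ct):  # -> [iv, c1, c2, ...]
    return [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
def _f(key, half, rnd):  # toy round function; the attack needs no cipher weakness
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):  # 4-round Feistel on a 16-byte block (stand-in for AES)
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the distinguishable failure that leaks
    return data[:-n]

def cbc_encrypt(key, plaintext):
    blocks = [os.urandom(BLOCK)]  # fresh IV
    for i in range(0, len(plaintext), BLOCK):
        blocks.append(block_encrypt(key, _xor(plaintext[i:i + BLOCK], blocks[-1])))
    return blocks[0], b"".join(blocks[1:])

def cbc_decrypt(key, iv, ciphertext):
    blocks = _split(iv, ciphertext)
    return b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))

def make_padding_oracle(key):
    """PSK receiver with no MAC: reveals only whether the padding was valid."""
    def oracle(iv, ciphertext):
        try:
            pkcs7_unpad(cbc_decrypt(key, iv, ciphertext))
            return True
        except ValueError:
            return False
    return oracle

def make_authenticated_oracle(key, mac_key, iv, ciphertext):
    """Encrypt-then-MAC receiver: constant-time HMAC check over iv||ct before
    any padding is inspected, so every forged input is rejected alike."""
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    inner = make_padding_oracle(key)
    def oracle(f_iv, f_ct):
        got = hmac.new(mac_key, f_iv + f_ct, hashlib.sha256).digest()
        return hmac.compare_digest(got, tag) and inner(f_iv, f_ct)
    return oracle

def recover_block(oracle, prev, target):
    """Recover one plaintext block with at most 16*256 (+16) oracle queries."""
    inter = bytearray(BLOCK)  # D_k(target): unknown, recovered from the tail up
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):  # make the already-known tail decrypt to `pad`
            forged[j] = inter[j] ^ pad
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            # Last byte only: a lucky ..02 02 hit also passes; real 0x01 padding survives a change to byte 14
            if pos == BLOCK - 1 and not oracle(bytes(BLOCK - 2) + b"\xff" + bytes([guess]), target):
                continue
            inter[pos] = guess ^ pad
            break
        else:
            raise RuntimeError("oracle never accepted a guess: no padding leak")
    return _xor(bytes(inter), prev)

def padding_oracle_attack(oracle, iv, ciphertext):
    blocks = _split(iv, ciphertext)  # the key is never used here
    return pkcs7_unpad(b"".join(recover_block(oracle, p, c) for p, c in zip(blocks, blocks[1:])))

def demo(msg=b"<CreditCard><Number>4111111111111111</Number></CreditCard>"):
    key, mac_key = os.urandom(16), os.urandom(32)  # constructed sample message above
    iv, ct = cbc_encrypt(key, pkcs7_pad(msg))
    recovered = padding_oracle_attack(make_padding_oracle(key), iv, ct)
    try:
        padding_oracle_attack(make_authenticated_oracle(key, mac_key, iv, ct), iv, ct)
        return recovered, False
    except RuntimeError:
        return recovered, True
```

demo() returns the full plaintext recovered from the unauthenticated receiver together with True for the authenticated one, where the attack stops at the first byte because no forged (iv, ciphertext) ever passes the HMAC check. The pre-shared key never enters the attack, which is why a key-distribution scheme does nothing against it; what matters is that the receiver rejects any modified ciphertext, with one uniform failure, before its padding is ever examined. That check is exactly the role an XML Signature over the EncryptedData element (or any MAC) plays when it is verified before decryption.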


