[145875] in cryptography@c2.net mail archive


Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

daemon@ATHENA.MIT.EDU (Peter Gutmann)
Wed Sep 15 08:32:21 2010

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: cryptography@metzdowd.com, tom@ritter.vg
In-Reply-To: <AANLkTin_YnvfdanMRuwQhnw_f27vyZ_ibdbr-XtmiTtY@mail.gmail.com>
Date: Wed, 15 Sep 2010 16:07:24 +1200

Tom Ritter <tom@ritter.vg> writes:

>What's weird is I find confusing literature about what *is* the default for
>protecting the viewstate.

I still haven't seen the paper/slides from the talk so it's a bit hard to
comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
(for cookie-based auth, not viewstate protection) then you get MAC protection
built-in, along with other nice features like sliding cookie expiration (the
cookie expires relative to the last active use of the site rather than an
absolute time after it was set).  I've used it in the past as an example of
how to do cookie-based auth right.

Peter.
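As an added illustration (not part of the thread, and not .NET's own wire format or code), here is a MAC-protected auth ticket with sliding expiration in the spirit of what the message credits FormsAuthenticationTicket with. The field layout, the "renew after half the window" rule, the 30-minute timeout and the key are this example's assumptions.

```python
# Added example, not from the mailing-list thread: an HMAC-protected auth
# ticket with sliding expiration. Layout, renewal rule and key are assumed.
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-do-not-reuse"  # constructed sample key
TIMEOUT = 1800                              # assumed ticket lifetime (30 min)
TAG_LEN = hashlib.sha256().digest_size      # 32-byte HMAC-SHA256 tag


def _mac(payload: bytes) -> bytes:
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def issue_ticket(user: str, now: int) -> str:
    """Serialize the claims and append an HMAC tag over the whole payload."""
    claims = {"user": user, "issued": now, "expires": now + TIMEOUT}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload + _mac(payload)).decode()


def verify_ticket(ticket: str, now: int):
    """Return the claims if tag and expiry check out, otherwise None.

    The tag is verified first, in constant time, before the payload is parsed,
    so a tampered ticket produces a single generic rejection and no detail
    about what went wrong inside it (the kind of detail a padding oracle feeds on)."""
    try:
        raw = base64.urlsafe_b64decode(ticket.encode())
    except ValueError:           # covers binascii.Error (bad base64 padding)
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(_mac(payload), tag):
        return None
    claims = json.loads(payload)
    if now >= claims["expires"]:
        return None
    return claims


def slide_ticket(ticket: str, now: int):
    """Sliding expiration: a valid ticket is reissued once more than half the
    window has elapsed, so expiry tracks the last active use (assumed rule)."""
    claims = verify_ticket(ticket, now)
    if claims is None:
        return None
    if now - claims["issued"] > TIMEOUT // 2:
        return issue_ticket(claims["user"], now)
    return ticket
```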

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
