[145903] in cryptography@c2.net mail archive
Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
daemon@ATHENA.MIT.EDU (Thai Duong)
Mon Sep 27 20:03:23 2010
In-Reply-To: <E1OvjHI-0008Dy-2J@wintermute02.cs.auckland.ac.nz>
Date: Sat, 18 Sep 2010 07:52:27 +0700
From: Thai Duong <thaidn@gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: cryptography@metzdowd.com, tom@ritter.vg
On Wed, Sep 15, 2010 at 11:07 AM, Peter Gutmann
<pgut001@cs.auckland.ac.nz> wrote:
> Tom Ritter <tom@ritter.vg> writes:
>
>>What's weird is I find confusing literature about what *is* the default for
>>protecting the viewstate.
>
> I still haven't seen the paper/slides from the talk so it's a bit hard to
> comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
> (for cookie-based auth, not viewstate protection) then you get MAC protection
> built-in, along with other nice features like sliding cookie expiration (the
> cookie expires relative to the last active use of the site rather than an
> absolute time after it was set). I've used it in the past as an example of
> how to do cookie-based auth right
>
> Peter.
>
I'm one of the authors of the attack. Actually if you look closer,
you'll see that they do it wrong in many ways.
Here is a video that we just released this morning at EKOPARTY:
http://www.youtube.com/watch?v=yghiC_U2RaM
Slides, paper, and tools will be released on http://www.netifera.com/research.
Thai.
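The defence Gutmann alludes to above is a MAC checked before any decryption, so that a tampered token is rejected before the CBC padding is ever examined and every rejection looks the same to the client. The following is an added example in Go, not code from this thread or from ASP.NET; the keys are constructed demo values and the token layout (iv || ct || HMAC-SHA256 tag) is an assumption of the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Demo keys, constructed for this example; real code loads them from a key store.
var encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
var macKey = []byte("fedcba9876543210fedcba9876543210")

// Seal: PKCS#7 pad, CBC-encrypt under a fresh random IV, then HMAC-SHA256
// over iv||ct. Token layout: iv || ct || tag (encrypt-then-MAC).
func Seal(plaintext []byte) []byte {
	block, _ := aes.NewCipher(encKey) // fixed 32-byte demo key: cannot fail
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	body := make([]byte, aes.BlockSize+len(padded)) // iv || ct
	rand.Read(body[:aes.BlockSize])                 // random IV in the first block
	cipher.NewCBCEncrypter(block, body[:aes.BlockSize]).CryptBlocks(body[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body)
}

// Open verifies the tag in constant time BEFORE decrypting and reports one
// uniform false for every failure: a modified ciphertext is rejected here and
// never reaches the padding check, so the caller learns nothing about padding.
func Open(token []byte) ([]byte, bool) {
	if len(token) < 2*aes.BlockSize+sha256.Size || (len(token)-sha256.Size)%aes.BlockSize != 0 {
		return nil, false
	}
	body, tag := token[:len(token)-sha256.Size], token[len(token)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, false
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(pt, body[aes.BlockSize:])
	n := int(pt[len(pt)-1]) // padding is only inspected on authenticated data
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, false
	}
	return pt[:len(pt)-n], true
}
```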
---------------------------------------------------------------------
The Cryptography Mailing List