[145920] in cryptography@c2.net mail archive
Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
daemon@ATHENA.MIT.EDU (Thai Duong)
Tue Sep 28 07:35:51 2010
In-Reply-To: <E1P0T4g-0005IU-6Q@login02.fos.auckland.ac.nz>
Date: Tue, 28 Sep 2010 15:39:35 +0700
From: Thai Duong <thaidn@gmail.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Cc: cryptography@metzdowd.com
On Tue, Sep 28, 2010 at 12:49 PM, Peter Gutmann
<pgut001@cs.auckland.ac.nz> wrote:
> Ye gods, how can you screw something that simple up that much? They use the
> appropriate, and secure, HMAC-SHA1 and AES, but manage to apply it backwards!
I guess they just follow SSL.
BTW, they screw up more badly in other places. Download .NET
Reflector, decompile .NET source, and do a grep 'DecryptString',
you'll see at least three places where they don't even use a MAC at
all.
Thai.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com