[145927] in cryptography@c2.net mail archive
Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
daemon@ATHENA.MIT.EDU (James A. Donald)
Wed Sep 29 23:41:09 2010
Date: Wed, 29 Sep 2010 08:42:49 +1000
From: "James A. Donald" <jamesd@echeque.com>
Reply-To: jamesd@echeque.com
To: Thai Duong <thaidn@gmail.com>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>, cryptography@metzdowd.com
In-Reply-To: <AANLkTi=qFTE_ZkcbmW6Gs0jRZM=ykgnipkT=aJJOzUYz@mail.gmail.com>
On 2010-09-28 1:58 PM, Thai Duong wrote:
> On Sat, Sep 18, 2010 at 8:43 PM, Peter Gutmann
> <pgut001@cs.auckland.ac.nz> wrote:
>>> I'm one of the authors of the attack. Actually if you look closer, you'll see
>>> that they do it wrong in many ways.
>>
>> The FormsAuth as well, not just the view state? �Interesting, I thought they
>> had that one right, at least.
>
> We promised Microsoft not to release anything before they have a
> working patch. Now they have it, so we release the slide we presented
> at EKOPARTY. Check it out.
>
> http://netifera.com/research/poet//PaddingOraclesEverywhereEkoparty2010.pdf
Now I understand why one should, counterintuitively, encrypt then MAC.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
