[145928] in cryptography@c2.net mail archive


Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

daemon@ATHENA.MIT.EDU (Kevin W. Wall)
Wed Sep 29 23:42:04 2010

Date: Tue, 28 Sep 2010 20:08:52 -0400
From: "Kevin W. Wall" <kevin.w.wall@gmail.com>
To: Thai Duong <thaidn@gmail.com>
CC: Peter Gutmann <pgut001@cs.auckland.ac.nz>, cryptography@metzdowd.com
In-Reply-To: <AANLkTikd9V=9gyPL6XJscP-SSjDa6q0fWm=j45aGZeM1@mail.gmail.com>

Thai Duong wrote:
> On Tue, Sep 28, 2010 at 12:49 PM, Peter Gutmann
> <pgut001@cs.auckland.ac.nz> wrote:
> 
>> Ye gods, how can you screw something that simple up that much?  They use the
>> appropriate, and secure, HMAC-SHA1 and AES, but manage to apply it backwards!
> 
> I guess they just follow SSL.
> 
> BTW, they screw up more badly in other places. Download .NET
> Reflector, decompile .NET source, and do a grep 'DecryptString',
> you'll see at least three places where they don't even use a MAC at
> all.

So, I think I brought this up once before with Thai, but isn't the
pre-shared key version of W3C's XML Encrypt also going to be vulnerable
to a padding oracle attack? IIRC, W3C doesn't specify a MAC at all, so unless
you use XML Digital Signature after using XML Encrypt w/ a PSK, then
it seems to me you are screwed in that case as well. And there are
some cases where using a random session key that's encrypted with a
recipient's public key is just not scalable (e.g., when sending out
over something like Java Message Service, or the Tibco Bus, or
almost anything that uses multicast). And even if a new XML Encrypt
spec for use with a PSK was adopted tomorrow, the adoption would take
quite a long time.  Sure hope I'm wrong about that. Maybe one of
you real cryptographers can set me straight on this.

-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
