Peter Gutmann wrote:
> Tom Ritter <t...@ritter.vg> writes:
>
>> What's weird is I find confusing literature about what *is* the default for
>> protecting the viewstate.
>
> I still haven't seen the paper/slides from the talk so it's a bit hard to
> comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
> (for cookie-based auth, not viewstate protection) then you get MAC protection
> built-in, along with other nice features like sliding cookie expiration (the
> cookie expires relative to the last active use of the site rather than an
> absolute time after it was set). I've used it in the past as an example of
> how to do cookie-based auth right
FYI...I just received confirmation from my company's on-site consultant from
Microsoft that .NET's FormsAuthenticationTicket is also vulnerable to this
padding oracle attack. So apparently Microsoft didn't apply the MAC protection
quite right in their implementation.

-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree, is by
accident. That's where we come in; we're computer professionals. We cause
accidents." -- Nathaniel Borenstein, co-creator of MIME

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
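The thread above turns on one point: having "MAC protection built-in" is not enough if the MAC is bound to the ticket in a way that still lets an attacker tell a padding failure from a MAC failure. The following is an added, constructed example (not .NET or Microsoft code, and it makes no claim about how ASP.NET actually orders its checks). It uses a toy 16-byte Feistel block cipher built from HMAC-SHA256 so that it runs with the Python standard library only; the keys, IV and ticket body are made-up sample values. It shows a MAC-then-encrypt ticket whose opener unpads before verifying the MAC being decrypted byte by byte through a CBC padding oracle, and an encrypt-then-MAC ticket verified before decryption that gives the attacker only a single, uninformative failure.

```python
"""CBC padding oracle vs. where the MAC sits: constructed example, not .NET code."""
import hmac
from hashlib import sha256

BS, ROUNDS = 16, 4                     # toy cipher: 16-byte blocks, 4 Feistel rounds
ENC_KEY = b"constructed-enc-key"       # sample keys, not real secrets
MAC_KEY = b"constructed-mac-key"
IV = bytes(range(BS))                  # fixed IV so the run is reproducible
DATA = b"user=alice;expires=2010-09-30"  # constructed ticket body (29 bytes)


class PaddingError(Exception): pass
class MacError(Exception): pass


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):                  # Feistel round function: keyed PRF, 8-byte output
    return hmac.new(key, bytes([i]) + half, sha256).digest()[:BS // 2]

def block_encrypt(key, block):
    l, r = block[:BS // 2], block[BS // 2:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _f(key, i, r))
    return r + l

def block_decrypt(key, block):         # same schedule run backwards
    r, l = block[:BS // 2], block[BS // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BS):
        prev = block_encrypt(key, xor(pt[i:i + BS], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BS):
        out += xor(block_decrypt(key, ct[i:i + BS]), prev)
        prev = ct[i:i + BS]
    return out

def pkcs7_pad(b):
    n = BS - len(b) % BS
    return b + bytes([n]) * n

def pkcs7_unpad(b):
    n = b[-1] if b else 0
    if not 1 <= n <= BS or b[-n:] != bytes([n]) * n:
        raise PaddingError
    return b[:-n]

def tag(key, msg):
    return hmac.new(key, msg, sha256).digest()

# Construction 1 (weak): MAC inside the plaintext, checked only after unpadding.
def seal_mte(data):
    return IV, cbc_encrypt(ENC_KEY, IV, pkcs7_pad(data + tag(MAC_KEY, data)))

def open_mte(iv, ct):
    body = pkcs7_unpad(cbc_decrypt(ENC_KEY, iv, ct))          # may raise PaddingError
    data, mac = body[:-32], body[-32:]
    if len(body) < 32 or not hmac.compare_digest(mac, tag(MAC_KEY, data)):
        raise MacError                                         # a distinguishable second failure
    return data

# Construction 2 (sound): MAC over IV||ciphertext, verified before any decryption.
def seal_etm(data):
    ct = cbc_encrypt(ENC_KEY, IV, pkcs7_pad(data))
    return IV, ct, tag(MAC_KEY, IV + ct)

def open_etm(iv, ct, t):
    if not hmac.compare_digest(t, tag(MAC_KEY, iv + ct)):
        raise MacError                 # tampered input never reaches the padding check
    return pkcs7_unpad(cbc_decrypt(ENC_KEY, iv, ct))

def mte_padding_oracle(prev, block):   # what an attacker sees: "padding ok?" yes/no
    try:
        open_mte(prev, block)
    except PaddingError:
        return False
    except MacError:
        return True                    # padding was accepted; only the MAC complained
    return True

def padding_oracle_attack(oracle, iv, ct):
    """Classic CBC padding-oracle decryption; oracle(prev_block, block) -> padding valid?"""
    blocks = [iv] + [ct[i:i + BS] for i in range(0, len(ct), BS)]
    plain = b""
    for n in range(1, len(blocks)):
        prev, target = blocks[n - 1], blocks[n]
        inter = bytearray(BS)          # block_decrypt(target), learnt byte by byte
        for pos in range(BS - 1, -1, -1):
            pad = BS - pos
            for guess in range(256):
                crafted = bytearray(inter[j] ^ pad if j > pos else 0 for j in range(BS))
                crafted[pos] = guess
                if not oracle(bytes(crafted), target):
                    continue
                if pos == BS - 1:      # rule out an accidental longer pad (e.g. 02 02)
                    crafted[pos - 1] ^= 0xFF
                    if not oracle(bytes(crafted), target):
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("no byte accepted: not a usable oracle")
        plain += xor(inter, prev)
    return plain

def failure_modes(opener, iv, ct):
    """Flip bits in the block feeding the last plaintext block; collect distinct errors."""
    full, seen, start = iv + ct, set(), len(iv + ct) - 2 * BS
    for pos in range(start, start + BS):
        for delta in (0x01, 0x80):
            mod = bytearray(full); mod[pos] ^= delta
            try:
                opener(bytes(mod[:BS]), bytes(mod[BS:])); seen.add("ok")
            except (PaddingError, MacError) as e:
                seen.add(type(e).__name__)
    return seen

def attack_mte_ticket():               # recovers the whole padded plaintext, MAC included
    iv, ct = seal_mte(DATA)
    return padding_oracle_attack(mte_padding_oracle, iv, ct)

def mte_failure_modes():
    iv, ct = seal_mte(DATA)
    return failure_modes(open_mte, iv, ct)

def etm_failure_modes():
    iv, ct, t = seal_etm(DATA)
    return failure_modes(lambda i, c: open_etm(i, c, t), iv, ct)

if __name__ == "__main__":
    print(attack_mte_ticket())
    print(mte_failure_modes(), etm_failure_modes())
```

The attacker in `padding_oracle_attack` never needs a key: it only needs the server to answer "padding valid or not", which `open_mte` leaks by raising two different exceptions (in practice the leak is usually an error page versus a redirect, or a timing difference). `failure_modes` is the check a practitioner can run against their own opener: tamper with the ciphertext and count how many distinguishable outcomes come back; more than one means an oracle. With `open_etm`, every tampered input fails the MAC before decryption, so the padding code is unreachable and the set collapses to one outcome.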