FYI, there don't appear to be any details (yet), but it is suggestive
of the general comments that you shouldn't really report cryptographic
mistakes in a deterministic way. As to how to mitigate it
specifically, hopefully there will be some comments soon.


---------- Forwarded message ----------
From: =JeffH <[email protected]>
Date: Tue, Sep 14, 2010 at 7:34 AM
Subject: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
To: [email protected]


practical "Padding Oracle Attacks" (cf travis' msg "padding attack vs.
PKCS7" of Thu, 11 Jun 2009 11:37:16 -0500)...


'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
<http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310#>
by Dennis Fisher
September 13, 2010, 7:58AM

A pair of security researchers have implemented an attack that
exploits the way that ASP.NET Web applications handle encrypted
session cookies, a weakness that could enable an attacker to hijack
users' online banking sessions and cause other severe problems in
vulnerable applications. Experts say that the bug, which will be
discussed in detail at the Ekoparty conference in Argentina this week
[0], affects millions of Web applications.

The problem lies in the way that ASP.NET, Microsoft's popular Web
framework, implements the AES encryption algorithm to protect the
integrity of the cookies these applications generate to store
information during user sessions. A common mistake is to assume that
encryption protects the cookies from tampering so that if any data in
the cookie is modified, the cookie will not decrypt correctly.
However, there are a lot of ways to make mistakes in crypto
implementations, and when crypto breaks, it usually breaks badly.

"We knew ASP.NET was vulnerable to our attack several months ago, but
we didn't know how serious it is until a couple of weeks ago. It turns
out that the vulnerability in ASP.NET is the most critical amongst
other frameworks. In short, it totally destroys ASP.NET security,"
said Thai Duong, who along with Juliano Rizzo, developed the attack
against ASP.NET.

The pair have developed a tool specifically for use in this attack,
called the Padding Oracle Exploit Tool [1]. Their attack is an
application of a technique that's been known since at least 2002, when
Serge Vaudenay presented a paper at on the topic at Eurocrypt [2].


In this case, ASP.NET's implementation of AES has a bug in the way
that it deals with errors when the encrypted data in a cookie has been
modified. If the ciphertext has been changed, the vulnerable
application will generate an error, which will give an attacker some
information about the way that the application's decryption process
works. More errors means more data. And looking at enough of those
errors can give the attacker enough data to make the number of bytes
that he needs to guess to find the encryption key small enough that
it's actually possible.

The attack allows someone to decrypt sniffed cookies, which could
contain valuable data such as bank balances, Social Security numbers
or crypto keys. The attacker may also be able to create authentication
tickets for a vulnerable Web app and abuse other processes that use
the application's crypto API.

Rizzo and Duong did similar work earlier this year on JavaServer Faces
and other Web frameworks that was presented at Black Hat Europe [3].
They continued their research and found that ASP.NET was vulnerable to
the same kind of attack. The type of attack is known as a padding
oracle attack and it relies on the Web application using cipher-block
chaining mode for its encryption, which many apps do.

<snip/>

[0] http://ekoparty.org/juliano-rizzo-2010.php

[1] Practical Padding Oracle Attacks
   http://netifera.com/research/

[2] http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf

[3] 
<http://netifera.com/research/poet/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf>


---
end


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]



-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."

Reply via email to