ouch. That could get ugly. However, there's one fairly eyebrow raising line in there :
"The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys" If you're putting that sort of info into a cookie, you're probably doing it wrong. However if this exploit let you jump in on an authenticated session, then it could cause trouble. Damian On Tue, Sep 14, 2010 at 9:18 AM, silky <[email protected]> wrote: > FYI, there don't appear to be any details (yet), but it is suggestive > of the general comments that you shouldn't really report cryptographic > mistakes in a deterministic way. As to how to mitigate it > specifically, hopefully there will be some comments soon. > > > ---------- Forwarded message ---------- > From: =JeffH <[email protected]> > Date: Tue, Sep 14, 2010 at 7:34 AM > Subject: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps > To: [email protected] > > > practical "Padding Oracle Attacks" (cf travis' msg "padding attack vs. > PKCS7" of Thu, 11 Jun 2009 11:37:16 -0500)... > > > 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps > < > http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310# > > > by Dennis Fisher > September 13, 2010, 7:58AM > > A pair of security researchers have implemented an attack that > exploits the way that ASP.NET Web applications handle encrypted > session cookies, a weakness that could enable an attacker to hijack > users' online banking sessions and cause other severe problems in > vulnerable applications. Experts say that the bug, which will be > discussed in detail at the Ekoparty conference in Argentina this week > [0], affects millions of Web applications. > > The problem lies in the way that ASP.NET, Microsoft's popular Web > framework, implements the AES encryption algorithm to protect the > integrity of the cookies these applications generate to store > information during user sessions. A common mistake is to assume that > encryption protects the cookies from tampering so that if any data in > the cookie is modified, the cookie will not decrypt correctly. > However, there are a lot of ways to make mistakes in crypto > implementations, and when crypto breaks, it usually breaks badly. > > "We knew ASP.NET was vulnerable to our attack several months ago, but > we didn't know how serious it is until a couple of weeks ago. It turns > out that the vulnerability in ASP.NET is the most critical amongst > other frameworks. In short, it totally destroys ASP.NET security," > said Thai Duong, who along with Juliano Rizzo, developed the attack > against ASP.NET. > > The pair have developed a tool specifically for use in this attack, > called the Padding Oracle Exploit Tool [1]. Their attack is an > application of a technique that's been known since at least 2002, when > Serge Vaudenay presented a paper at on the topic at Eurocrypt [2]. > > > In this case, ASP.NET's implementation of AES has a bug in the way > that it deals with errors when the encrypted data in a cookie has been > modified. If the ciphertext has been changed, the vulnerable > application will generate an error, which will give an attacker some > information about the way that the application's decryption process > works. More errors means more data. And looking at enough of those > errors can give the attacker enough data to make the number of bytes > that he needs to guess to find the encryption key small enough that > it's actually possible. > > The attack allows someone to decrypt sniffed cookies, which could > contain valuable data such as bank balances, Social Security numbers > or crypto keys. The attacker may also be able to create authentication > tickets for a vulnerable Web app and abuse other processes that use > the application's crypto API. > > Rizzo and Duong did similar work earlier this year on JavaServer Faces > and other Web frameworks that was presented at Black Hat Europe [3]. > They continued their research and found that ASP.NET was vulnerable to > the same kind of attack. The type of attack is known as a padding > oracle attack and it relies on the Web application using cipher-block > chaining mode for its encryption, which many apps do. > > <snip/> > > [0] http://ekoparty.org/juliano-rizzo-2010.php > > [1] Practical Padding Oracle Attacks > http://netifera.com/research/ > > [2] http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf > > [3] < > http://netifera.com/research/poet/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf > > > > > --- > end > > > --------------------------------------------------------------------- > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to > [email protected] > > > > -- > silky > > http://dnoondt.wordpress.com/ > > "Every morning when I wake up, I experience an exquisite joy — the joy > of being this signature." >
