On 14 September 2010 10:01, Damian Maclennan <[email protected]> wrote:
> ouch. That could get ugly. > > However, there's one fairly eyebrow raising line in there : > > "The attack allows someone to decrypt sniffed cookies, which could > contain valuable data such as bank balances, Social Security numbers > or crypto keys" > > If you're putting that sort of info into a cookie, you're probably doing it > wrong. However if this exploit let you jump in on an authenticated session, > then it could cause trouble. > > > The cookie might have the hashed result of an SSN. Shouldn't, but might. > > On Tue, Sep 14, 2010 at 9:18 AM, silky <[email protected]> wrote: > >> FYI, there don't appear to be any details (yet), but it is suggestive >> of the general comments that you shouldn't really report cryptographic >> mistakes in a deterministic way. As to how to mitigate it >> specifically, hopefully there will be some comments soon. >> >> >> ---------- Forwarded message ---------- >> From: =JeffH <[email protected]> >> Date: Tue, Sep 14, 2010 at 7:34 AM >> Subject: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps >> To: [email protected] >> >> >> practical "Padding Oracle Attacks" (cf travis' msg "padding attack vs. >> PKCS7" of Thu, 11 Jun 2009 11:37:16 -0500)... >> >> >> 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps >> < >> http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310# >> > >> by Dennis Fisher >> September 13, 2010, 7:58AM >> >> A pair of security researchers have implemented an attack that >> exploits the way that ASP.NET Web applications handle encrypted >> session cookies, a weakness that could enable an attacker to hijack >> users' online banking sessions and cause other severe problems in >> vulnerable applications. Experts say that the bug, which will be >> discussed in detail at the Ekoparty conference in Argentina this week >> [0], affects millions of Web applications. >> >> The problem lies in the way that ASP.NET, Microsoft's popular Web >> framework, implements the AES encryption algorithm to protect the >> integrity of the cookies these applications generate to store >> information during user sessions. A common mistake is to assume that >> encryption protects the cookies from tampering so that if any data in >> the cookie is modified, the cookie will not decrypt correctly. >> However, there are a lot of ways to make mistakes in crypto >> implementations, and when crypto breaks, it usually breaks badly. >> >> "We knew ASP.NET was vulnerable to our attack several months ago, but >> we didn't know how serious it is until a couple of weeks ago. It turns >> out that the vulnerability in ASP.NET is the most critical amongst >> other frameworks. In short, it totally destroys ASP.NET security," >> said Thai Duong, who along with Juliano Rizzo, developed the attack >> against ASP.NET. >> >> The pair have developed a tool specifically for use in this attack, >> called the Padding Oracle Exploit Tool [1]. Their attack is an >> application of a technique that's been known since at least 2002, when >> Serge Vaudenay presented a paper at on the topic at Eurocrypt [2]. >> >> >> In this case, ASP.NET's implementation of AES has a bug in the way >> that it deals with errors when the encrypted data in a cookie has been >> modified. If the ciphertext has been changed, the vulnerable >> application will generate an error, which will give an attacker some >> information about the way that the application's decryption process >> works. More errors means more data. And looking at enough of those >> errors can give the attacker enough data to make the number of bytes >> that he needs to guess to find the encryption key small enough that >> it's actually possible. >> >> The attack allows someone to decrypt sniffed cookies, which could >> contain valuable data such as bank balances, Social Security numbers >> or crypto keys. The attacker may also be able to create authentication >> tickets for a vulnerable Web app and abuse other processes that use >> the application's crypto API. >> >> Rizzo and Duong did similar work earlier this year on JavaServer Faces >> and other Web frameworks that was presented at Black Hat Europe [3]. >> They continued their research and found that ASP.NET was vulnerable to >> the same kind of attack. The type of attack is known as a padding >> oracle attack and it relies on the Web application using cipher-block >> chaining mode for its encryption, which many apps do. >> >> <snip/> >> >> [0] http://ekoparty.org/juliano-rizzo-2010.php >> >> [1] Practical Padding Oracle Attacks >> http://netifera.com/research/ >> >> [2] http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf >> >> [3] < >> http://netifera.com/research/poet/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf >> > >> >> >> --- >> end >> >> >> --------------------------------------------------------------------- >> The Cryptography Mailing List >> Unsubscribe by sending "unsubscribe cryptography" to >> [email protected] >> >> >> >> -- >> silky >> >> http://dnoondt.wordpress.com/ >> >> "Every morning when I wake up, I experience an exquisite joy — the joy >> of being this signature." >> > > -- Meski "Going to Starbucks for coffee is like going to prison for sex. Sure, you'll get it, but it's going to be rough" - Adam Hills
