Demonstration of the attack against .NET Nuke (see below).

Relevant MS websites describing fixes:
 - http://www.microsoft.com/technet/security/advisory/2416728.mspx
 - 
http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx


---------- Forwarded message ----------
From: Thai Duong <[email protected]>
Date: Sat, Sep 18, 2010 at 10:52 AM
Subject: Re: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
To: Peter Gutmann <[email protected]>
Cc: [email protected], [email protected]


On Wed, Sep 15, 2010 at 11:07 AM, Peter Gutmann
<[email protected]> wrote:
> Tom Ritter <[email protected]> writes:
>
>>What's weird is I find confusing literature about what *is* the default for
>>protecting the viewstate.
>
> I still haven't seen the paper/slides from the talk so it's a bit hard to
> comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
> (for cookie-based auth, not viewstate protection) then you get MAC protection
> built-in, along with other nice features like sliding cookie expiration (the
> cookie expires relative to the last active use of the site rather than an
> absolute time after it was set).  I've used it in the past as an example of
> how to do cookie-based auth right
>
> Peter.
>

I'm one of the authors of the attack. Actually if you look closer,
you'll see that they do it wrong in many ways.

Here is a video that we just release this morning at EKOPARTY:
http://www.youtube.com/watch?v=yghiC_U2RaM

Slide, paper, and tools will be released on http://www.netifera.com/research.

Thai.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]



-- 
silky

http://dnoondt.wordpress.com/

"Every morning when I wake up, I experience an exquisite joy — the joy
of being this signature."

Reply via email to