practical "Padding Oracle Attacks" (cf travis' msg "padding attack vs. PKCS7"
of Thu, 11 Jun 2009 11:37:16 -0500)...
'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
<http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310#>
by Dennis Fisher
September 13, 2010, 7:58AM
A pair of security researchers have implemented an attack that exploits the way
that ASP.NET Web applications handle encrypted session cookies, a weakness that
could enable an attacker to hijack users' online banking sessions and cause
other severe problems in vulnerable applications. Experts say that the bug,
which will be discussed in detail at the Ekoparty conference in Argentina this
week [0], affects millions of Web applications.
The problem lies in the way that ASP.NET, Microsoft's popular Web framework,
implements the AES encryption algorithm to protect the integrity of the cookies
these applications generate to store information during user sessions. A common
mistake is to assume that encryption protects the cookies from tampering so
that if any data in the cookie is modified, the cookie will not decrypt
correctly. However, there are a lot of ways to make mistakes in crypto
implementations, and when crypto breaks, it usually breaks badly.
"We knew ASP.NET was vulnerable to our attack several months ago, but we didn't
know how serious it is until a couple of weeks ago. It turns out that the
vulnerability in ASP.NET is the most critical amongst other frameworks. In
short, it totally destroys ASP.NET security," said Thai Duong, who along with
Juliano Rizzo, developed the attack against ASP.NET.
The pair have developed a tool specifically for use in this attack, called the
Padding Oracle Exploit Tool [1]. Their attack is an application of a technique
that's been known since at least 2002, when Serge Vaudenay presented a paper at
on the topic at Eurocrypt [2].
In this case, ASP.NET's implementation of AES has a bug in the way that it
deals with errors when the encrypted data in a cookie has been modified. If the
ciphertext has been changed, the vulnerable application will generate an error,
which will give an attacker some information about the way that the
application's decryption process works. More errors means more data. And
looking at enough of those errors can give the attacker enough data to make the
number of bytes that he needs to guess to find the encryption key small enough
that it's actually possible.
The attack allows someone to decrypt sniffed cookies, which could contain
valuable data such as bank balances, Social Security numbers or crypto keys.
The attacker may also be able to create authentication tickets for a vulnerable
Web app and abuse other processes that use the application's crypto API.
Rizzo and Duong did similar work earlier this year on JavaServer Faces and
other Web frameworks that was presented at Black Hat Europe [3]. They continued
their research and found that ASP.NET was vulnerable to the same kind of
attack. The type of attack is known as a padding oracle attack and it relies on
the Web application using cipher-block chaining mode for its encryption, which
many apps do.
<snip/>
[0] http://ekoparty.org/juliano-rizzo-2010.php
[1] Practical Padding Oracle Attacks
http://netifera.com/research/
[2] http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf
[3]
<http://netifera.com/research/poet/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf>
---
end
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com