Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Crypto Attack Affects Millions of ASP.NET Apps

Posted by CmdrTaco on from the duck-and-cover dept.

Trailrunner7 writes "A pair of security researchers have implemented an attack that exploits the way that ASP.NET Web applications handle encrypted session cookies, a weakness that could enable an attacker to hijack users' online banking sessions and cause other severe problems in vulnerable applications. Experts say that the bug, which will be discussed in detail at the Ekoparty conference in Argentina this week, affects millions of Web applications."

7 of 156 comments (clear)

  1. Not so bad after all... by EvilRyry · · Score: 4, Informative

    >If the padding is invalid, the error message that the sender gets will give him some information about the way that the site's decryption process works.

    This is one reason you should send user friendly error messages to your consumers instead of stack traces, stack traces can contain details that an attacker could use against you. It sounds like you're safe if you're following best practices already.

  2. Re:Who knew! by ammorais · · Score: 5, Interesting

    What a surprise, encryption has flaws!

    RTFA. It's not about flaws in encryption. It's about "ASP.NET's implementation of AES has a bug in the way that it deals with errors when the encrypted data in a cookie has been modified"
    So it's the ASP.NET AES implementation that has flaws. The problem seems to be that the errors reveal enough information about how to decrypt the data.

  3. Re:when it comes to anything important: by TheNinjaroach · · Score: 5, Insightful

    roll your own at the lowest possible layer. anything else and you're leaving your chin open.

    I don't know about that. I'm not out to write my own implementation of OpenSSL anytime soon. Some tasks are simply best left to field experts.

    --
    I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
  4. Re:Who knew! by Anonymous Coward · · Score: 4, Informative

    What a surprise, encryption has flaws!

    Nope, the cryptography is still flawless. ASP.NET just failed to use it correctly. AES-CBC would be perfectly secure if they used MAC to authenticate the data. MACs have been a critical part of crypto protocol design since the "DES ages" and padding oracle attacks have been known since 2002.
    Just like RC4 is still secure if used properly, but WEP is broken due to protocol flaws (the problems with RC4 were known before WEP was designed).

    So kids, make sure you always use MAC with your ciphers.

  5. 100% reliable? by Mongoose+Disciple · · Score: 4, Insightful

    TFA has a bizarre idea of a "100% reliable" attack:

    "It's worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It's just a matter of time."

    By that logic, this attack is 100% reliable against (web platform of your choice) too.

    Beyond that, this attack requires fairly verbose error messages be sent back to the user of a web application. While I'm sure there do exist some ASP sites where this is the case, I don't think it has been in any of the non-intranet sites I've seen in my career.

    It just is not standard in any exposed web site, especially the kind of web site where you would care about customer information getting out, to allow useful error messages reach the end user. It is by far the standard to catch the exceptions, log them on the server, and show the end user a generic error message which would not be helpful in the case of this exploit.

  6. Re:Who knew! by Mongoose+Disciple · · Score: 4, Insightful

    Respectfully, are you sure you understand how a one-time pad works?

    Attempting to brute force a one-time pad is as likely to produce a third option:

    3) The account numbers to the secret Swiss Bank account are 3435464482 and 363578345. Please do not access the accounts more than once a month.

    as your #1. In other words, the same message with totally different account numbers. Or any other message of the same length.

  7. Re:Who knew! by zindorsky · · Score: 4, Insightful

    Even one time pads are susceptible to brute force attacks.

    Nope, absolutely incorrect. That's what makes one-time pads different. When the key length is the same as the plaintext length, it is possible have perfect security. Look up unicity distance.

    If the original was normal human readable text it becomes immediately obvious when your brute force succeeds and a subsequent dictionary comparison of each word yields a hit.

    But your brute force attack will yield every single possible plaintext (with the same length as the original plaintext). Which is the real one?

    For example, if the ciphertext is BWIJAA, your brute force attack will get ATTACK for one key, and GOHOME for another. (And every other 6 character string.)

    --
    If the geiger counter does not click, the coffee, she is not thick.