Cryptography in the web: The case of cryptographic design flaws in ASP.NET

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2011, Pages 481-489

  Duong, Thai ^a   Rizzo, Juliano ^b  

^a Vnsecurity/HVAOnline   (Viet Nam)

^b Netifera   (Argentina)

Author keywords

Application security; Cryptography; Decryption oracle attack; Unauthenticated encryption; Web security

Indexed keywords

ACCESS CONTROL;

APPLICATION SECURITY; CRYPTOGRAPHICS; DECRYPTION ORACLE ATTACK; LARGE PARTS; MICROSOFT; ORACLE ATTACKS; SECURITY DESIGN; UNAUTHENTICATED ENCRYPTION; WEB APPLICATION FRAMEWORKS; WEB SECURITY;

CRYPTOGRAPHY;

EID: 80051989642     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2011.42     Document Type: Conference Paper

References (31)

1. P. Nguyen, "Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1. 2.3," in Advances in Cryptology-EUROCRYPT 2004. Springer, 2004, pp. 555-570.
2. I. Goldberg and D. Wagner, "Randomness and the Netscape Browser," Dr Dobb's Journal-Software Tools for the Professional Programmer, vol. 21, no. 1, pp. 66-71, 1996.
3. P. Gutmann, "Lessons Learned in Implementing and Deploying Crypto Software," in Proc. USENIX Security Symp, 2002, pp. 315-325.
4. K. Jallad, J. Katz, and B. Schneier, "Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG," Information Security, pp. 90-101, 2002.
5. J. Katz and B. Schneier, "A Chosen-Ciphertext Attack against Several E-mail Encryption Protocols," in Proceedings of the 9th conference on USENIX Security Symposium-Volume 9. USENIX Association, 2000, p. 18.
6. B. Schneier, "Security in the Real World: How To Evaluate Security Technology," Computer Security Journal, vol. 15, no. 4, p. 1, 1999.
7. T. Yu, S. Hartman, and K. Raeburn, "The Perils of Unauthenticated Encryption: Kerberos Version 4," in Proc. NDSS, vol. 4. Citeseer, 2004.
8. M. Bellare, T. Kohno, and C. Namprempre, "Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm," ACM Transactions on Information and System Security (TISSEC), vol. 7, no. 2, p. 241, 2004.
9. M. Bellare and C. Namprempre, "Authenticated Encryption: Relations Among Notions and Analysis of the Generic Composition Paradigm," Journal of Cryptology, vol. 21, no. 4, pp. 469-491, 2008.
10. J. Black and H. Urtubia, "Side-channel Attacks On Symmetric Encryption Schemes: The Case for Authenticated Encryption."
11. K. Paterson and A. Yau, "Cryptography in Theory and Practice: The Case of Encryption in IPsec," Advances in Cryptology-EUROCRYPT 2006, pp. 12-29, 2006. (Pubitemid 44072230)
12. ASP.NET, "The Official Microsoft Web Development Framework. http://www.asp.net."
13. S. Vaudenay, "Security Flaws Induced by CBC Padding-Applications to SSL," in Advances in Cryptology-EUROCRYPT 2002. Springer, 2002, pp. 534-545.
14. J. Rizzo and T. Duong, "Practical Padding Oracle Attacks," USENIX WOOT, 2010.
15. J. An, Y. Dodis, and T. Rabin, "On the Security of Joint Signature and Encryption," in Advances in Cryptology-EUROCRYPT 2002. Springer, 2002, pp. 83-107.
16. H. Krawczyk, "The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)," in Advances in Cryptology - CRYPTO 2001. Springer, 2001, pp. 310-331. (Pubitemid 33317923)
17. M. Dworkin, "NIST Recommendation for Block Cipher Modes of Operation, Methods and Techniques," NIST Special Publication.
18. K. Paterson and A. Yau, "Padding Oracle Attacks On the ISO CBC Mode Encryption Standard," Topics in Cryptology-CT-RSA 2004, pp. 1995-1995, 2004.
19. S. Josefsson, "RFC 3548-The Base16, Base32, and Base64 Data Encodings. IETF," 2003.
20. T. Duong and J. Rizzo, "Padding Oracles Everywhere," EKOPARTY, 2010.
21. Microsoft. Microsoft Security Bulletin MS10-070 - Vulnerability in ASP.NET Could Allow Information Disclosure. [Online]. Available: http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx
22. B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux, "Password Interception in a SSL/TLS channel," Advances in Cryptology-CRYPTO 2003, pp. 583-599, 2003. (Pubitemid 137636965)
23. V. Klima and T. Rosa, "Side Channel Attacks On CBC Encrypted Messages in the PKCS# 7 Format," IACR ePrint Archive, vol. 98, p. 2003, 2003.
24. E. Young, T. Hudson, and R. Engelschall, "OpenSSL: The Open Source Toolkit for SSL/TLS," World Wide Web, http://www.openssl.org/, Last visited, vol. 9, 2011.
25. A. Dey and S. Weis, "Keyczar: A Cryptographic Toolkit," 2008.
26. P. Gutmann, "Cryptlib Encryption Tool Kit," 2008.
27. D. Bernstein, "Cryptography in NaCl."
28. A. Yau, K. Paterson, and C. Mitchell, "Padding Oracle Attacks on CBC-mode Encryption with Secret and Random IVs," in Fast Software Encryption. Springer, 2005, pp. 299-319. (Pubitemid 41425171)
29. S. Stubblebine and V. Gligor, "On Message Integrity in Cryptographic Protocols," in Research in Security and Privacy, 1992. Proceedings., 1992 IEEE Computer Society Symposium on. IEEE, 2002, pp. 85-104.
30. N. Borisov, I. Goldberg, and D. Wagner, "Intercepting Mobile Communications: The Insecurity of 802.11," in Proceedings of the 7th annual international conference on Mobile computing and networking. ACM, 2001, pp. 180-189.
31. S. Bellovin, "Problem Areas for the IP Security Protocols," in Proceedings of the Sixth Usenix Unix Security Symposium, 1996, pp. 205-214.