Dailydave mailing list archives

Re: Web Security Is Hard


From: Jamie Riden <jamie.riden () gmail com>
Date: Wed, 3 Jun 2009 19:27:35 +0100

OK, might as well run this by everyone.

IV ++ AES/CBC/PKCS7 padding - encrypted block ++ SHA1-HMAC of secret data

If the HMAC doesn't come out the same as computed for decrypt we just
abort. What's wrong with the above? (Assuming we get our PRNG suitably
random.)

(SUN's example Java code uses DES in ECB mode - go figure. You do
have to type A-E-S in if you're using Java.)

cheers,
 Jamie

2009/6/3 dave <dave () immunityinc com>:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While everyone is concentrating on things like SQL Injection and Cross
Site Scripting, the fun can be described as some great posts today:

http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/
http://news.ycombinator.com/item?id=639976

Although I usually advise people to read Chris Eng's presentation first
- - it makes a good appetiser to the Matasano post.

- -dave
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkomuk4ACgkQtehAhL0gheobKQCeMJH3IgshQfBbSaPAF1NVx+2u
RTsAn1iXwYZ71vfMm7vfoRIhWLQW1mza
=rHpD
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave




-- 
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
http://www.ukhoneynet.org/members/jamie/
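
The layout described in the message above (IV, then the AES/CBC ciphertext, then an HMAC-SHA1 of the secret data), written out with the standard javax.crypto API. This is an added example, not code from the post or from Sun. The class name, the two separate keys and their sizes, and the sample secret are assumptions.

```java
import javax.crypto.*;
import javax.crypto.spec.*;
import java.security.*;
import java.util.Arrays;

public class SealedBlob { // hypothetical class name
    static final int IV_LEN = 16, TAG_LEN = 20; // AES block size, HMAC-SHA1 output size
    static byte[] hmac(byte[] macKey, byte[] data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(macKey, "HmacSHA1"));
        return mac.doFinal(data);
    }
    // Layout from the post: IV || AES/CBC ciphertext || HMAC-SHA1 of the secret data
    static byte[] seal(byte[] encKey, byte[] macKey, byte[] secret) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh random IV per message
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding"); // JCE's name for PKCS7-style padding
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(iv));
        byte[] ct = c.doFinal(secret);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length + TAG_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        System.arraycopy(hmac(macKey, secret), 0, out, IV_LEN + ct.length, TAG_LEN);
        return out;
    }
    // Short input, bad padding and HMAC mismatch all surface as the same exception ("just abort").
    static byte[] open(byte[] encKey, byte[] macKey, byte[] blob) throws GeneralSecurityException {
        try {
            int ctEnd = blob.length - TAG_LEN;
            if (ctEnd < 2 * IV_LEN) throw new GeneralSecurityException("too short");
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(encKey, "AES"), new IvParameterSpec(blob, 0, IV_LEN));
            byte[] secret = c.doFinal(blob, IV_LEN, ctEnd - IV_LEN);
            byte[] tag = Arrays.copyOfRange(blob, ctEnd, blob.length);
            if (!MessageDigest.isEqual(hmac(macKey, secret), tag)) throw new GeneralSecurityException("bad tag");
            return secret;
        } catch (GeneralSecurityException e) {
            throw new GeneralSecurityException("decryption failed"); // same message for every cause
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] encKey = new byte[16], macKey = new byte[20]; // constructed random keys, one per purpose
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(encKey); rnd.nextBytes(macKey);
        byte[] blob = seal(encKey, macKey, "constructed sample secret".getBytes("UTF-8"));
        System.out.println(new String(open(encKey, macKey, blob), "UTF-8"));
        blob[IV_LEN] ^= 1; // corrupt one ciphertext bit
        try { open(encKey, macKey, blob); } catch (GeneralSecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Because the HMAC covers the plaintext, `open` has to decrypt and strip the padding before it can check the tag, so the only thing keeping those two failures indistinguishable to a caller is the shared `catch` block.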