Full Disclosure mailing list archives

Re: [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto


From: Erik Auerswald <auerswal () unix-ag uni-kl de>
Date: Wed, 28 Dec 2016 17:05:36 +0100

Hi,

On Tue, Dec 27, 2016 at 09:01:49AM -0800, Tim wrote:
> [...]
>
> But there still are people who use CBC...
> [...]
>
> All traditional modes that lack integrity protection are vulnerable to
> chosen-ciphertext attacks in these kinds of scenarios.
> [...]
> All traditional modes need a MAC or similar integrity protection.

That is correct.

> In light of that, there's
> nothing particularly wrong with using CBC, if it is implemented well.
> At least, using it is not *more* wrong than using OFB, CFB, or CTR

That is wrong. CBC mode allows attacks such as "Sweet32"
(https://sweet32.info/), which is not possible with CTR mode.

> without integrity protection.

Correct again, but too simple-minded. Any encryption without integrity
protection does not provide confidentiality against an active attacker.
Using the wrong mode with a block cipher can render authentication
irrelevant in attacks on confidentiality.

> [...]
> We should instead be pointing developers in
> the direction of using something off-the-shelf [...].
> Much less room for error.

That is sound advice. In addition, broken ciphers, modes, and protocols
still implemented for backwards compatibility should not be used.

Thanks,
Erik
-- 
[A]pplied cryptography mostly sucks.
                        -- Green's law of applied cryptography
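
As an added example (not part of this message, the thread, or mod_session_crypto), the point that CBC needs a MAC, in Go with only the standard library: cbcDecryptUnauthenticated validates nothing but the PKCS#7 padding, so a ciphertext with one IV bit flipped decrypts without error to a plaintext with that bit flipped, while openETM verifies an HMAC-SHA256 tag in constant time and rejects the tampered input before the padding check, the precondition for a padding oracle, is ever reached. The keys, IV and session-style plaintext are constructed sample values and the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// cbcEncrypt returns iv || AES-CBC(PKCS#7(pt)); iv is caller-supplied (a constructed value) only for determinism, real code draws it from crypto/rand.
func cbcEncrypt(key, iv, pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	buf := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	blk, _ := aes.NewCipher(key)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf) // encrypt the padded copy in place
	return append(append([]byte{}, iv...), buf...)
}
// cbcDecryptUnauthenticated is CBC without a MAC: padding is the only check, so an IV with one bit flipped decrypts cleanly to a plaintext with that bit flipped.
func cbcDecryptUnauthenticated(key, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	blk, _ := aes.NewCipher(key)
	pt := append([]byte{}, data[aes.BlockSize:]...)
	cipher.NewCBCDecrypter(blk, data[:aes.BlockSize]).CryptBlocks(pt, pt)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
// Encrypt-then-MAC: HMAC-SHA256 over iv || ciphertext, compared in constant time before any decryption, so tampered input never reaches the padding check.
func mac(key, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return m.Sum(nil)
}
func sealETM(encKey, macKey, iv, pt []byte) []byte {
	body := cbcEncrypt(encKey, iv, pt)
	return append(body, mac(macKey, body)...)
}
func openETM(encKey, macKey, data []byte) ([]byte, error) {
	cut := len(data) - sha256.Size
	if cut < 2*aes.BlockSize || !hmac.Equal(mac(macKey, data[:cut]), data[cut:]) {
		return nil, errors.New("bad length or MAC mismatch: rejected before decrypting")
	}
	return cbcDecryptUnauthenticated(encKey, data[:cut])
}
```

Flipping bit 0x20 of IV byte 5 turns the sample plaintext "role=user;id=42" into "role=User;id=42" under cbcDecryptUnauthenticated with no error at all, whereas openETM returns an error for the same modification.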

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
