Full Disclosure mailing list archives
Re: [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto
From: Erik Auerswald <auerswal () unix-ag uni-kl de>
Date: Wed, 28 Dec 2016 17:05:36 +0100
Hi,

On Tue, Dec 27, 2016 at 09:01:49AM -0800, Tim wrote:
> [...]
> But there still are people who use CBC...
> [...]
> All traditional modes that lack integrity protection are vulnerable to chosen-ciphertext attacks in these kinds of scenarios. [...] All traditional modes need a MAC or similar integrity protection.

That is correct.

> In light of that, there's nothing particularly wrong with using CBC, if it is implemented well. At least, using it is not *more* wrong than using OFB, CFB, or CTR

That is wrong. CBC mode allows attacks such as "Sweet32" (https://sweet32.info/), which is not possible with CTR mode.

> without integrity protection.

Correct again, but too simple-minded. Any encryption without integrity protection does not provide confidentiality against an active attacker. Using the wrong mode with a block cipher can render authentication irrelevant in attacks on confidentiality.

> [...] We should instead be pointing developers in the direction of using something off-the-shelf [...]. Much less room for error.

That is sound advice. In addition, broken ciphers, modes, and protocols still implemented for backwards compatibility should not be used.

Thanks,
Erik
-- 
[A]pplied cryptography mostly sucks.
        -- Green's law of applied cryptography

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
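The point both sides of the exchange agree on, that a mode without integrity protection cannot stand on its own, as an added Go example that is not part of this thread or of mod_session_crypto: cbcDecrypt is plain AES-CBC with PKCS#7 unpadding and accepts a modified iv||ct as long as the padding survives, while seal/open wrap the same CBC in encrypt-then-MAC, verify the HMAC-SHA256 tag in constant time before touching the padding, and report every failure as the same bare false. Key and plaintext values are constructed for the example; the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// tag computes HMAC-SHA256 over msg with the (separate) MAC key.
func tag(macKey, msg []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(msg)
	return m.Sum(nil)
}

// seal is encrypt-then-MAC: iv || AES-CBC(PKCS#7(plaintext)) || HMAC-SHA256(iv || ct).
func seal(encKey, macKey, plaintext []byte) []byte {
	block, err := aes.NewCipher(encKey)
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7 pad length, always 1..16
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, rerr := rand.Read(out[:aes.BlockSize]); err != nil || rerr != nil { // fresh random IV
		panic("seal: bad key length or no entropy") // programmer error, not attacker input
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return append(out, tag(macKey, out)...)
}

// cbcDecrypt is the unauthenticated inverse of the CBC part: a modified iv||ct decrypts without complaint.
func cbcDecrypt(encKey, data []byte) ([]byte, bool) {
	block, err := aes.NewCipher(encKey)
	if err != nil || len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, false
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, false // bad PKCS#7 padding: the only check raw CBC has, and it leaks if reported
	}
	return pt[:len(pt)-n], true
}

// open checks the tag in constant time before any decryption, so a flipped bit anywhere is rejected.
func open(encKey, macKey, data []byte) ([]byte, bool) {
	n := len(data) - sha256.Size
	if n < 0 || !hmac.Equal(tag(macKey, data[:n]), data[n:]) {
		return nil, false // same answer as a padding failure: nothing for an oracle to distinguish
	}
	return cbcDecrypt(encKey, data[:n])
}
```

Flipping one bit in the IV of a sealed message changes the same bit of the first plaintext byte under cbcDecrypt, which still returns ok, while open rejects it before the padding is ever examined.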