[Mono-aspnet-list] Mono ASP.NET vulnerable to AES attack?

Marek Habersack grendel at twistedcode.net
Fri Sep 17 17:14:18 EDT 2010


On Fri, 17 Sep 2010 13:03:21 -0700 (PDT)
jmalcolm <malcolm.justin at gmail.com> wrote:

> 
> Does anybody know if Mono is susceptible to the attack described in this
> article?
> 
> http://bit.ly/cyloCx

This article is a bit alarmist, to be honest. The attack is generic but the solution is
application-specific, and it affects not only ASP.NET but any and all applications which use block
ciphers with CBC mode.

Well, there's no simple yes/no answer to it. First, this attack is not AES-specific; it can
target any encryption which uses CBC mode. The answer depends on a few factors and we don't have
enough data at this point to determine if we're vulnerable or not. The answer that can be given
currently is that if there's an oracle available, then we _could be_ vulnerable.

Please take a look at this document to understand the way the attack works:
http://netifera.com/research/poet/PaddingOracleBHEU10.pdf

marek
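
What an "oracle" means in practice, as an added example that is not part of the original message and not Mono's code: a handler whose response differs between a padding failure and any other failure, next to one that checks an HMAC over the IV and ciphertext before decrypting and returns a single error. The class name, method names, keys and response strings are all constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class CbcOracleDemo
{
    // Constructed demo keys; a real application loads keys from protected configuration.
    static readonly byte[] EncKey = Enumerable.Range(0, 32).Select(i => (byte)i).ToArray();
    static readonly byte[] MacKey = Enumerable.Range(32, 32).Select(i => (byte)i).ToArray();
    static byte[] Mac(byte[] iv, byte[] ct) => new HMACSHA256(MacKey).ComputeHash(iv.Concat(ct).ToArray());

    // Leaky: a padding failure gets a different response from a content failure.
    static string LeakyHandle(byte[] iv, byte[] ct)
    {
        try
        {
            using (var aes = Aes.Create())                      // defaults: CBC, PKCS7
            using (var dec = aes.CreateDecryptor(EncKey, iv))
            {
                var pt = dec.TransformFinalBlock(ct, 0, ct.Length);
                return pt.Length > 0 && pt[0] == (byte)'{' ? "200 OK" : "404 bad data";
            }
        }
        catch (CryptographicException) { return "500 padding error"; }
    }

    // Hardened: check HMAC over IV || ciphertext before decrypting; one uniform error.
    static string HardenedHandle(byte[] iv, byte[] ct, byte[] tag)
    {
        var expected = Mac(iv, ct);
        int diff = expected.Length ^ tag.Length;                // constant-time compare
        for (int i = 0; i < expected.Length && i < tag.Length; i++) diff |= expected[i] ^ tag[i];
        return diff != 0 ? "400 invalid token" : LeakyHandle(iv, ct);
    }

    static void Main()
    {
        byte[] ct, iv = new byte[16], plain = Encoding.ASCII.GetBytes("{\"user\":\"demo\"}");
        RandomNumberGenerator.Create().GetBytes(iv);
        using (var aes = Aes.Create())
        using (var enc = aes.CreateEncryptor(EncKey, iv))
            ct = enc.TransformFinalBlock(plain, 0, plain.Length);
        var tag = Mac(iv, ct);
        var badPad = (byte[])iv.Clone(); badPad[15] ^= 1;       // changes the padding byte
        var badData = (byte[])iv.Clone(); badData[0] ^= 1;      // changes the first plaintext byte
        foreach (var t in new[] { iv, badPad, badData })
            Console.WriteLine("{0,-18} | {1}", LeakyHandle(t, ct), HardenedHandle(t, ct, tag));
    }
}
```

The left column shows whether a handler separates padding failures from other failures, which is the property to look for when auditing an application; the right column shows every modified input rejected identically before any decryption happens.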
