New Crypto Attack Affects Millions of ASP.NET Apps 156
Trailrunner7 writes "A pair of security researchers have implemented an attack that exploits the way that ASP.NET Web applications handle encrypted session cookies, a weakness that could enable an attacker to hijack users' online banking sessions and cause other severe problems in vulnerable applications. Experts say that the bug, which will be discussed in detail at the Ekoparty conference in Argentina this week, affects millions of Web applications."
Re: (Score:2)
OK, but why are you using Windows if you don't trust Microsoft?
Oh come on... (Score:3, Funny)
Re: (Score:2)
That's why I never bank over the internet, and do as little online buying as possible. If I have to buy online I use a prepaid credit card.
So while this is interesting to me, I'm in no danger.
Re: (Score:1)
I wouldn't say no danger. I don't understand why people think that not using their info online means nobody can access their info online. If your data is stored anywhere, there's a good chance some sequence of events could leak it.
That said, you've probably reduced your vulnerable surface area, but don't get too confident; incompetence comes in all forms, many of which are probably handling your (and my) data.
Not so bad after all... (Score:5, Informative)
>If the padding is invalid, the error message that the sender gets will give him some information about the way that the site's decryption process works.
This is one reason you should send user friendly error messages to your consumers instead of stack traces, stack traces can contain details that an attacker could use against you. It sounds like you're safe if you're following best practices already.
Re: (Score:2)
Exactly. If the web devs are incompetent enough to let an end user see a stack trace error message, you've got much bigger problems than this hack. Professionally, it's about the equivalent of setting your root password on a machine to 'password'.
Re: (Score:2, Redundant)
> Professionally, it's about the equivalent of setting your root password on a machine to 'password'.
That certainly never happens.
Re: (Score:2)
If the attacker requires the stack trace, I feel better about this already. Is that a requirement of this exploit?
While I do see unhandled exceptions kicking stack traces to remote clients far too often, at least I know I've always covered that.
Re:Not so bad after all... (Score:4, Informative)
Re: (Score:2)
Not so, you are forgetting side channel attacks, in particular side channel attacks based on computation time.
I.e. different exceptions thrown at different locations will take a specific amount of time, which can be leaked and used by performing statistical analysis.
Sounds far fetched, but it works beautifully in practice. Of course, it is still way better than throwing stack traces around.
Oh, and make sure the user gets an easy to understand message and that the server *logs* the exception.
Re: (Score:2)
Not so, you are forgetting side channel attacks, in particular side channel attacks based on computation time.
Yeah, but those are a *hell* of a lot harder, and are subject to noise from network jitter, server load, and other variables. The odds of being able to deduce the crypto keys in a reasonable amount of time drop substantially in that case, as you need a lot more requests to smooth out that variability.
Re: (Score:2)
It's hell of a lot harder, but once the statistical analysis is in place and the right conclusions can be retrieved from them (setup a server and perform tests locally) the computer will do the job. But yes, it will take an awful amount of requests, for practicality a bot net will probably be needed.
Re: (Score:1, Insightful)
There is no reason for an application to do that. ASP.NET already does that by default. If an exception occurs the user is presented with a friendly error message that basically says, "something went wrong, try again later." The full error message is written into the logs on the server and can be reviewed by an admin. Said admin can also browse to the site via localhost to get the full error message as it occurs, something remote users will not see.
This "exploit" relies on the "bank" deploying the site
Re: (Score:1, Insightful)
Just to expand a litle:
"See if there is any error message. Even a blank page is enough information."
Makes me think that this may be an issue after all
That's some dumb stuff to be storing in cookies... (Score:2, Insightful)
Re: (Score:1)
> This is one reason you should send user friendly error messages to your consumers instead of stack traces...
Right, and isn't the default CustomerErrors setting in ASP.NET set to RemoteOnly? Meaning that that the exception & stack trace are only sent when you are browsing from localhost? If you were dumb enough to send full errors from a production system, then you deserve to have your application exploited by this.
Re: (Score:3, Informative)
You are correct. (I think the property's called CustomErrors, but otherwise you're dead on.)
You'd have to manually decide you wanted your end users to see unfriendly error messages for the exploit as described to work. In other words, being negligent isn't sufficient for this to work -- you need to do something actively stupid.
I believe the same is true for the JSF exploit this is based on, but it's been a year or two since I've touched JSF at this point.
Re:when it comes to anything important: (Score:5, Insightful)
roll your own at the lowest possible layer. anything else and you're leaving your chin open.
I don't know about that. I'm not out to write my own implementation of OpenSSL anytime soon. Some tasks are simply best left to field experts.
Re: (Score:1, Insightful)
I originally modded you funny, but I'd like to retract and mod you "scary".
Now you could implement HMAC using other OpenSSL primitives, and that would be less than the highest possible level. But you WOULDN'T DO THAT!
When it comes to crypto, use the highest possible layer. I've never used ASP, and i'm rather glad, but before now I would have guessed it exposed encryption libraries to allow you to send a session cookie over HTTPS/HTTP only.
Re: (Score:1)
Re: (Score:1)
post your address... or are you afraid of the repercussions of your actions?
action without responsibility is not action.
you're an idiot.
Re: (Score:1)
i OWN you.
Re: (Score:2)
Re: (Score:2)
You're right. It isn't hard.
It's fucking impossible.
Re: (Score:2)
Micheal, has it occurred to you that people mod you down because you're a fucking asshole, who can't post a single thing without calling the other person an idiot?
Go fuck yourself.
(And more importantly, building something that cannot be compromised is impossible. There is always someway, it just may not have been thought of yet).
Re:when it comes to anything important: (Score:4, Insightful)
If you know enough about cryptography to make a good implementation, then your job does not involve writing web applications.
Very true, but there's no point in feeding trolls, they never get full.
Re: (Score:2)
Wait, that's not how the saying goes...
Re: (Score:2)
Re: (Score:2, Interesting)
Default ASP.NET credentials are basically a signed username with an expiration date. So if an attacker can figure out your encryption, they should be able to change their identity. So user "Joe Bob" should be able to become user "Super Admin" by decrypting his cookie, editing his user id, and re-encrypting it.
Re: (Score:2)
So... (Score:2)
Re: (Score:2)
Will more of the script kiddie hacking packages have "hardcore" venomous snake related names and graphics(ASCII for the l33t) or "hilarious" anal violation pun derived ones?
Neither. ASP is short for aspie. The hacking packages will have very descriptive names with poor user interfaces. Also, I don't understand what's so funny about violations of "am/are not a lawyer". Pretending to give real legal advice can get you in hot water. In some countries, you could get sent to prison and get "am/are not a lawyer"-ly violated.
100% reliable? (Score:5, Insightful)
TFA has a bizarre idea of a "100% reliable" attack:
"It's worth noting that the attack is 100% reliable, i.e. one can be sure that once they run the attack, they can exploit the target. It's just a matter of time."
By that logic, this attack is 100% reliable against (web platform of your choice) too.
Beyond that, this attack requires fairly verbose error messages be sent back to the user of a web application. While I'm sure there do exist some ASP sites where this is the case, I don't think it has been in any of the non-intranet sites I've seen in my career.
It just is not standard in any exposed web site, especially the kind of web site where you would care about customer information getting out, to allow useful error messages reach the end user. It is by far the standard to catch the exceptions, log them on the server, and show the end user a generic error message which would not be helpful in the case of this exploit.
Re: (Score:3, Interesting)
100% seemed wrong to me - there seems like a lot of ways to secure against the attack based on the article, but that article seems unreliable in the details as you point out. This attack does seem to require some kind of non-generic output from the ASP server side:
The attack that Rizzo and Duong have implemented against ASP.NET apps requires that the crypto implementation on the Web site have an oracle that, when sent ciphertext, will not only decrypt the text but give the sender a message about whether the padding in the ciphertext is valid.
But what's really not clear is their reference to "side channels" where this information might also be obtained. Perhaps they can gain some understand of the errors from the time it takes the process to return to the query or other metrics?
In term
Follow the links (Score:3, Informative)
The first part of the presentation introduces the audience to Padding Oracle Attacks, the cryptographic concepts of the vulnerability, and finally how to exploit it. We also describe the algorithms implemented in POET (Padding Oracle Exploit Tool). POET is the free tool that we released a few months ago which can automatically find and exploit Padding Oracle vulnerabilities in web applications. The second part presents a previously unknown advanced attack. The most significant new discovery is an universal Padding Oracle affecting every ASP.NET web application. In short, you can decrypt cookies, view states, form authentication tickets, membership password, user data, and anything else encrypted using the framework's API! Finally we demonstrate the attacks against real world applications. We use the Padding Oracle attack to decrypt data and use CBC-R to encrypt our modifications. Then we abuse components present in every ASP.NET installation to forge authentication tickets and access applications with administration rights. The vulnerabilities exploited affect the framework used by 25% of the Internet websites.The impact of the attack depends on the applications installed on the server, from information disclosure to total system compromise.
http://ekoparty.org/juliano-rizzo-2010.php [ekoparty.org]
Re: (Score:3, Interesting)
Thanks. It also got me thinking that if all this transactional stuff affected by POA is secured in an SSL channel, then it would be hard to get at it to begin with? This attack seems predicated on getting a hold of other's encrypted cookies/password in order to be powerful? This is just a sophisticated man-in-the-middle attack with capability to unwind *one* encryption channel? If SSL is in operation, then this doesn't help?
They claim it would work against many bank sites, but it seems like all bank sites u
Re:100% reliable? (Score:4, Informative)
Basically, what I'm saying (that I don't think I expressed very clearly in my post that you replied to) is that what they're saying in the article is: If you find an ASP.NET web site (or a JSF one, for that matter) that gives back enough detail in its error messages to malformed/misized crypto packets, you can figure out what the size really should be and make it work from there, and then it'll work every time. It's like saying "A third of the time, it works every time!" Well, that's not 100%.
To put it another way, entering 'admin' and 'admin' will give you full access to 100% of machines that have a user called admin with admin privs that also set their password as admin. Or, the Blaster Worm still owns 100% of Windows 98 machines that haven't been patched in a decade. While technically true it's a useless statistic.
I have not personally encountered a site that would be useful to crack (ASP or JSF) that provides the end user with the kind of error messages they're talking about. There's no reason you couldn't, but you just never would.
More details on the "side channels" would've been nice, since the primary vector they talk about is, in practical terms, useless.
Re: (Score:2)
Read the article. It clearly says the same "vulnerability" exists in Java Server Faces.
Except it's a joke of a vulnerability in both cases.
Re: (Score:2)
Re: (Score:1)
It's 100% reliable for sites in a vulnerable configuration (ie. the sites the attack targets).
They presumably mean this to distinguish from attacks which require some level of luck or coincidence (eg. triggering a race condition) to exploit.
Or for attacks which require a certain state to be achieved but which there's no useful upper bound on when that state might be achieved due to the actions of the attack, eg. a purely passive attack.
So in short, they're saying that the attack is able to drive it's own pr
Meh... (Score:2, Insightful)
"The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys. The attacker may also be able to create authentication tickets for a vulnerable Web app and abuse other processes that use the application's crypto API."
Anyone storing these things in a cookie, regardless of encryption, needs to step away from the keyboard and stop developing web applications.
This is a non-issue as long as you realize that what is encrypted
Re: (Score:1)
Bullshit. By this "Logic" you can never send or receive..well, anything over a computer network.
If I encrypt data using a session key that only I have, my assumption is only I see that data. If the encryption provider is broken, it's the encryption that's broken, not my code.
Your closing bit of wisdom that what is encrypted can be decrypted is equally facile. By this logic, we shouldn't be sending anything over the internet because SSL can be decrypted, PGP can be decrypted, etc...
1. Point out that "wha
Re: (Score:2)
"This is a non-issue as long as you realize that what is encrypted can be decrypted"...
That statement is not true in any pragmatical sense. I can create random secret AES key, encrypt a piece of plain text with it and send it to you. Then throw away the key. Call me back when you've decrypted it. You can specify any size, but anything over 10 MB will be a bugger to upload.
Of course, the cookie should mostly be used to keep session state, not bank details, I'm with you there.
ASP.NET problem? Ha! More like Web App Problem (Score:1)
Re: (Score:1)
Re: (Score:2)
On the one hand you are absolutely right. On the other hand, they make it an encrypted cookie for nothing. If you encrypt something the overall idea with developers will be that it is a safe place to store data.
So it comes down to 3 culprits:
- no (H)MAC used to protect the data (always a bad thing, as one of the first posters correctly pointed out): BAD PROTOCOL
- too much information leaked by default ASP.NET implementation
- bad decision to put sensitive data in a cookie by the appli
Re: (Score:2)
- too much information leaked by default ASP.NET implementation
Incidentally, it's not -- the default behavior is to not provide the information in question, except to a user on the server. That is, a developer running both the web browser and the web server on one machine (a common development situation) would get the information about the mangled ciphertexts, but any remote user would not.
It's possible to configure error messages such that every user would get the detailed error messages the exploit needs
peopleeeeeee helllooooooo? (Score:1)
1) HTTP over SSL - sniff and BREAK that.
2) Important information in the cookies? That person should not be called programmer.
So maybe, MAYBE.. you could apply this to i-want-to-make-this-conference-very-popular-selling-some-smoke-yay.com.ar - thats it.
Whats the big deal here? Good research, sure.. too much SMOKE to publicity some mid-lame conference (Mid basically, there is some very intelligent people at it, wonder why...)
Re: (Score:3, Funny)
> That person should not be called programmer.
The title is usually "Web developer", is it not?
Oracles are not new (Score:2, Interesting)
Basically, the problem here is that ASP.NET leaks information about incorrectly decrypted data. If the attacker can get information about the failed decryption, then that's called an oracle. The secure way to handle any sort of decryption error is simply to say "decryption error", regardless of whether it's a padding error, a MAC (message authentication code) error, invalid plaintext, or whatever. You should never give the user the invalid decrypted data or any information about it.
Some SSL/TLS implement
Re: (Score:1)
If you're encrypting then HMACing, then telling them whether HMAC passed or not shouldn't matter much (under normal assumptions), since they can't get it to pass except under very rare conditions (P(2^-n) for n bits of HMAC). But yeah, ideally, you want to leak as little info as possible to the end user.
I personally also find CBC and padding a little obnoxious and artificial, and used CFB in certain applications of my own that I wrote as learning exercises before such things were widely available - see
Re: (Score:1)
>You should never give the user the invalid decrypted data or any information about it ...contact your admin etc...as most programmers use codes, but do not need to offer a whole stack trace anymore.
Exactly, you would just send out a properly formatted error message stating a code (implicit to your company) and the rest very simple
More info: (Score:1)
Another way is to look for known source code keywords. You can start by looking for code that imports low level cryptography libraries such as:
.NET: .NET Cryptography, Microsoft CryptoAPI
C/C++: OpenSSL, Crypto++
Python: PyCrypto, M2Crypto
Java: Java Crypto Extension, BouncyCastle
Then look for routines that perform encryption and decryption. If there’s some code to handle error while decrypting, and/or no sign of MAC usage, then it’s high probability you have found a target for the Padding Oracle attack. Regardless of which method one uses, the most important thing is to analyse and understand the meaning of error messages returned by the target upon receiving mangled ciphertexts. In short, you need to know when the padding is VALID, and when it’s INVALID.
a description of the attack in plain english (Score:1)
MAC = Message Authentication Code, prevents a client from forging a valid value. You can think of it like a digital signature, except that it’s much faster and the same key creates and verifies the data - which is perfect when your web app generates, sends the value to the client, receives the value from the client, and wants to v
Re: (Score:1)
Re: (Score:1)
Re:Who knew! (Score:4, Insightful)
This is /. aren't you supposed to say "What a surprise, .NET has flaws!" ?
No, no, no ... you're supposed to say "this doesn't affect Linux". But does it affect Mono?
Re:Who knew! (Score:5, Interesting)
What a surprise, encryption has flaws!
RTFA. It's not about flaws in encryption. It's about "ASP.NET's implementation of AES has a bug in the way that it deals with errors when the encrypted data in a cookie has been modified"
So it's the ASP.NET AES implementation that has flaws. The problem seems to be that the errors reveal enough information about how to decrypt the data.
Re: (Score:3, Insightful)
Actually the implementation and use of AES in the ASP.NET framework is fine.
Websites that aren't trapping internal exceptions are bugged.
The problem here is the developer using the code who isn't catching the exception, and worse still allows it to pass through directly to an untrusted 3rd party (the user).
Its not an ASP.NET bug if you proceed to print the password on the screen when users attempt to login, this really isn't any different. The dev using the ASP.NET framework is using it wrong.
Re: (Score:1)
Right because C# stupidly does not support checked exceptions like Java.
Re: (Score:2)
Has nothing to do with checked exceptions, and everything to do with turning on development-mode error messages on production websites...
Re: (Score:1)
I'm all for .NET, I love how I can create a web service quickly, and I've been impressed to see how it has been quietly building up to a solid base, and there are folks building good apps around it like Roy Osherove's TypeMock, even though Rails gets all the fanfare. but fall
Re:Who knew! (Score:4, Informative)
What a surprise, encryption has flaws!
Nope, the cryptography is still flawless. ASP.NET just failed to use it correctly. AES-CBC would be perfectly secure if they used MAC to authenticate the data. MACs have been a critical part of crypto protocol design since the "DES ages" and padding oracle attacks have been known since 2002.
Just like RC4 is still secure if used properly, but WEP is broken due to protocol flaws (the problems with RC4 were known before WEP was designed).
So kids, make sure you always use MAC with your ciphers.
Re: (Score:1, Informative)
ASP.NET uses a hashed message authentication code by default. So not sure what point you are trying to make by talking about them as a solution.
Source: see 'protection' at http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx [microsoft.com]
Re: (Score:1)
Re: (Score:2, Insightful)
I'm going to be a crypto pedant here for a moment. Don't use the words "perfectly secure" to refer to any cryptographic scheme other than a true one-time pad. The phrase "perfect security" has a *very* specific meaning in cryptology, defined by C. E. Shannon, and the only thing that meets the definition is a true one-time pad (a symmetric key that is perfectly random - the odds of any particular bit in the string being 1 are exactly 50% - and longer than the message it encrypts and is only used for that one
Re: (Score:1)
Even one time pads are susceptible to brute force attacks.
The only way you can make the assertion that they are not is to assume the original message was simply random characters, with no obvious language.
If the original was normal human readable text it becomes immediately obvious when your brute force succeeds and a subsequent dictionary comparison of each word yields a hit.
Re: (Score:2)
Which human readable text? The point of trying to brute force a one-time pad encoded message (without having access to the pad itself) is that any message of the same length is just as possible. How do you determine the actual message from all of the other possible messages of the same length?
Re:Who knew! (Score:5, Insightful)
Respectfully, are you sure you understand how a one-time pad works?
Attempting to brute force a one-time pad is as likely to produce a third option:
3) The account numbers to the secret Swiss Bank account are 3435464482 and 363578345. Please do not access the accounts more than once a month.
as your #1. In other words, the same message with totally different account numbers. Or any other message of the same length.
Re: (Score:2)
Would any message of the same length make sense?
Re: (Score:1)
Re:Who knew! (Score:4, Informative)
Any, no. But certainly there are many, many messages of the same length that would make sense.
To put it another way, let's say a /. sig is 120 characters (I don't know the exact number offhand) and that a million /. users have sigs, all of which are different and make some kind of sense. If I encrypt one with a one-time pad, there's no way for you, using brute force, to figure out which user's sig it is -- each of those million possibilities (and many, many more) would appear equally possible to your best discernment.
You're saying that as long as you come up with a message that looks like words and forms a sentence that's the right length, you've successfully brute forced the pad. That's not remotely the case.
Re: (Score:2)
*Boggle*
Really?
Let's try an experiment since you seem too thick to understand this. Here is my encrypted message:
zxc
I'll give you a hint that the clear text is an English word, and the one-time pad used to encrypt it used only letters (so we're talking modulo 26 addition here). This means that there are 17,576 one time pads I could have used.
You're right that the vast majority of those one-time pads can be eliminated, because they give garbage decrypted text. Among these would be:
abc, ujc, asd, qwe
Applyi
Re: (Score:2)
OK. You don't get it. Let me try and explain it a little bit better - admittedly, the other explanations are a bit lacking.
A one time pad is an encryption key of the same length as the original message. For a 15 character message, I need a 15 character pad. But I can construct a pad to give me *every single message of length 15*. So I have no way of figuring out which one it is, because I can make it say *anything*, as long as the length is right.
So I could try and brute-force a message of length 10, but I'
Re: (Score:2, Insightful)
Brute forcing a one time pad makes "The account numbers to the secret Swiss Bank account are 3432376482 and 367282345. Please do not access the accounts more than once a month." just as likely as "The account numbers to the secret Swiss Bank account are 123456789 and 987654321. Please do not access the accounts more than once a month." and you have no way of telling which one was the original message.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
With an OTP you will also find a key that says:
I can't meet today
Re: (Score:1, Insightful)
I don't think you know how a one time pad works - trying to brute force a one time pad will yield both "The account numbers to the secret swiss bank account are 12345 and 67890" and "The killer is staying in the Slashdot hotel, room number 1235", along with literally every permutation of letters and numbers (or whatever you're encrypting) that can be possibly produced. The only attacks against OTP are side attacks, against things such as your random number generator and transmission of the key.
Re: (Score:1)
I know exactly how a one time pad works. EXACTLY. Stop asking the question.
Brute force attacks yield mountains of garbage, and a few nuggets of highly probable deciphers, of which usually only one makes language and contextual sense.
Re: (Score:3, Informative)
I know exactly how a one time pad works.
No you don't, if your posts on the subject are anything to go by.
Re: (Score:2)
No, it yields every possible message of that length (including shorter messages padded out with spaces or zeros). You may be thinking about polyalphabetic cyphers where the key is shorter than the message. In a one time pad, the key is as long or longer than the message. It even yields LONGER messages in LZW compressed form.
There is no way to choose between "attack at dawn" and "attack at noon" or even "don't attack!!" for example. They are all equally probable.
Re: (Score:2)
How about if I hand you a third message reading "The account numbers to the secret Swiss Bank account are 7846268231 and 532783502. Please do not access the accounts more than once a month.". It's just as likely with yet another brute forced key. So is "The deal is off. I don't know what I was thinking" with some null padding at the end. So is "Hello, would be code breaker, don't you wish I would re-use my OTP?".
Now which one will the 5th grader choose?
Re: (Score:2)
If I handed you two messages:
1) The account numbers to the secret Swiss Bank account are 3432376482 and 367282345. Please do not access the accounts more than once a month.
--and 2) aljkhwerh;lkjerja;ke ;werj ;kljr;qijaof; ;ileurie;oir;iw;; ;lekjeri ;wkrie9jg; ;'keroje;kj ;wljejrei ioj;akjie;titj ww';ler;lj e;kerjw
Which one of those would your 5th grader choose?
The problem was you would be handing that 5th grader every single possible message. Look at it this way. Let's say you KNOW that the message says "Your PIN number is XXXX" with XXXX replaced by the actual PIN number. In most crypto systems you could brute-force the key used to encrypt the data by trying each one and testing the results against this string to see if it matches the correct format. If you go through every possible key, then one of the resulting strings contains the correct PIN number.
In
Re: (Score:3, Insightful)
if the original was normal human readable text it becomes immediately obvious when your brute force succeeds
You will get any possible message of the same length, including several normal human readable ones. Barring having other information, there isn't any way to determine which one is the actual message. For example, if you have a 28 character message, attempting to brute force the OTP it will give you both of the results below, both equally plausible, along with many others which are equally plausible.
meeting canceled, stay home.
meeting at 10:00, room 1103.
Re:Who knew! (Score:5, Insightful)
Even one time pads are susceptible to brute force attacks.
Nope, absolutely incorrect. That's what makes one-time pads different. When the key length is the same as the plaintext length, it is possible have perfect security. Look up unicity distance.
If the original was normal human readable text it becomes immediately obvious when your brute force succeeds and a subsequent dictionary comparison of each word yields a hit.
But your brute force attack will yield every single possible plaintext (with the same length as the original plaintext). Which is the real one?
For example, if the ciphertext is BWIJAA, your brute force attack will get ATTACK for one key, and GOHOME for another. (And every other 6 character string.)
Re: (Score:2)
This presumes you can get the proper plaintext determined that way.
With a one-time pad, you're talking about something where you can conceivably get "intelligible" content and it could be the message with chaff around it- or it could be a false positive. Unless you know the plaintext from before it was encoded (along with any chaff measures you might have applied to the selfsame...)- you can't be sure you've got the message.
Huh? (Score:2)
You do realize that there's no exploitable pattern in a proper OTP, yes?
This means that for a sufficiently long OTP encrypted text, both your comment and my comment look like "valid" decryptions. As are bomb making instructions, the menu for Obama's dinner last night, whatever your password to /. is, and the combination to your bank's vault.
Re: (Score:2)
How can such a low ID say such nonsense. You sir are a shame to our kind.
Re: (Score:2)
Even one time pads are susceptible to brute force attacks.
The only way you can make the assertion that they are not is to assume the original message was simply random characters, with no obvious language.
If the original was normal human readable text it becomes immediately obvious when your brute force succeeds and a subsequent dictionary comparison of each word yields a hit.
Actually you can substitute random bytes for the message and your brute force will be equally successful. How does that help you tell what the message actually said?
Re: (Score:2)
It's true that they're susceptible to brute force attacks. However, the inability to know when you have the correct cipher makes it pointless. Yes, you can brute force the key, but because you don't know if it's the actual key or not, you have no way to know if you've succeeded. Simply being readable text doesn't mean anything because there are millions of other readable text pads that can come out of it.
My guess is that you don't really understand how the one-time pad works.
Re: (Score:1)
Any possible message is far from any reasonable message. A random sting of characters is not the sort of thing people encrypt.
Try to put this in real world terms here, and stop being such a pendant.
Re: (Score:2, Insightful)
Re: (Score:2)
Often it's repeated that programmers should not implement their own crypto libraries. I've been considering writing and public-domaining a cyrpto library front-end (an API library) that itself takes back-end plug-ins to implement stream/block cipher (or stream cipher AES ... basically a PRNG with a fixed IV having its output AES encrypted, and using the stream as a keystream i.e. XOR vs plaintext to make one-time-pad). Yes, there's crypto libraries now; but mine would explicitly have code and documentatio
Re: (Score:2)
So kids, make sure you always use MAC with your ciphers.
Yes, I've always been a big proponent of MAC and c.
Re: (Score:1)
Re: (Score:2)
save the time and other expenses of a database or key-value store lookup of a session id on every request.
So you save time on a cache/DB lookup by doing crypto processing instead ... after which your web application will begin processing the user's request... in most cases querying the database, updating user history, etc.
This seems to me like missing the forest for the trees.
Doing a hash lookup on your cached session is near constant time [google.com], avoids security holes introduced by sensitive data client-side, and avoids stacking session data on top of *every request* to the webserver.
That's not even tackling the more