Message-ID: <20161228160536.GA14154@unix-ag.uni-kl.de>
Date: Wed, 28 Dec 2016 17:05:36 +0100
From: Erik Auerswald <auerswal@...x-ag.uni-kl.de>
To: fulldisclosure@...lists.org
Subject: Re: [FD] [RT-SA-2016-001] Padding Oracle in Apache mod_session_crypto
Hi,
On Tue, Dec 27, 2016 at 09:01:49AM -0800, Tim wrote:
> [...]
> >
> > But there still are people who use CBC...
> > [...]
>
> All traditional modes that lack integrity protection are vulnerable to
> chosen-ciphertext attacks in these kinds of scenarios.
> [...]
> All traditional modes need a MAC or similar integrity protection.
That is correct.
> In light of that, there's
> nothing particularly wrong with using CBC, if it is implemented well.
> At least, using it is not *more* wrong than using OFB, CFB, or CTR
That is wrong. CBC mode allows attacks such as "Sweet32"
(https://sweet32.info/), which is not possible with CTR mode.
> without integrity protection.
Correct again, but too simple-minded. Any encryption without integrity
protection does not provide confidentiality against an active attacker.
Using the wrong mode with a block cipher can render authentication
irrelevant in attacks on confidentiality.
> [...]
> We should instead be pointing developers in
> the direction of using something off-the-shelf [...].
> Much less room for error.
That is sound advice. In addition, broken ciphers, modes, and protocols
still implemented for backwards compatibility should not be used.
Thanks,
Erik
--
[A]pplied cryptography mostly sucks.
-- Green's law of applied cryptography
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
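The point made in the thread above, that a mode without integrity protection gives no confidentiality against an active attacker and that a MAC (or similar) is mandatory, is illustrated by the following added example. It is editor-supplied demonstration code, not part of the original message and not code from Apache mod_session_crypto. It uses only Go's standard library; the keys, IV and token contents are constructed demo values. The first function shows that a CBC token with no MAC can be rewritten by XORing the IV, without knowledge of the key; the second shows that an encrypt-then-MAC wrapper rejects the same change before the ciphertext is ever decrypted, so no padding oracle is exposed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo values. Real code must use random keys and a fresh random IV per message.
var (
	encKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
	macKey = []byte("fedcba9876543210fedcba9876543210") // separate HMAC key
	demoIV = []byte("IV-for-demo-only")                 // 16 bytes
)

var errAuth = errors.New("authentication failed")

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || n > len(b) {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptCBC returns iv || ciphertext with NO integrity protection (the weak design).
func encryptCBC(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...)
}

func decryptCBC(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(data) < 2*bs || len(data)%bs != 0 {
		return nil, errors.New("bad length")
	}
	pt := make([]byte, len(data)-bs)
	cipher.NewCBCDecrypter(block, data[:bs]).CryptBlocks(pt, data[bs:])
	return pkcs7Unpad(pt, bs)
}

// sealEtM is the corrected design: encrypt, then HMAC the IV and ciphertext (encrypt-then-MAC).
func sealEtM(encKey, macKey, iv, plaintext []byte) []byte {
	data := encryptCBC(encKey, iv, plaintext)
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	return m.Sum(data) // iv || ciphertext || tag
}

// openEtM verifies the tag in constant time and refuses to decrypt anything unauthenticated.
func openEtM(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < sha256.Size {
		return nil, errAuth
	}
	data, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(data)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, errAuth // rejected before the cipher runs: no padding oracle to probe
	}
	return decryptCBC(encKey, data)
}

// ForgeUnauthenticated: in CBC, XORing byte j of the IV XORs byte j of plaintext block 0.
// Without a MAC the receiver happily decrypts the altered token; the key is never needed.
func ForgeUnauthenticated() (string, error) {
	token := encryptCBC(encKey, demoIV, []byte("role=user;name=bob"))
	for i, c := range []byte("root") {
		token[5+i] ^= "user"[i] ^ c // offset 5 is the byte after "role="
	}
	pt, err := decryptCBC(encKey, token)
	return string(pt), err
}

// TamperAuthenticated applies the same one-byte change to an encrypt-then-MAC token.
func TamperAuthenticated() error {
	sealed := sealEtM(encKey, macKey, demoIV, []byte("role=user;name=bob"))
	sealed[5] ^= 'u' ^ 'r'
	_, err := openEtM(encKey, macKey, sealed)
	return err
}

func RoundTripAuthenticated() (string, error) {
	pt, err := openEtM(encKey, macKey, sealEtM(encKey, macKey, demoIV, []byte("role=user;name=bob")))
	return string(pt), err
}

func main() {
	fmt.Println(ForgeUnauthenticated())   // role=user;name=bob becomes role=root;name=bob, no error
	fmt.Println(TamperAuthenticated())    // authentication failed
	fmt.Println(RoundTripAuthenticated()) // role=user;name=bob <nil>
}
```

The MAC key is deliberately separate from the encryption key, the tag covers the IV as well as the ciphertext, and the comparison uses hmac.Equal; dropping any of these reopens the problem the thread describes. In practice an AEAD mode such as AES-GCM, or a vetted library that bundles all of this, is the off-the-shelf choice the thread recommends.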