DocumentCode
2351169
Title
Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET
Author
Duong, Thai ; Rizzo, Juliano
Author_Institution
Vnsecurity/HVAOnline, Ho Chi Minh City, Vietnam
fYear
2011
fDate
22-25 May 2011
Firstpage
481
Lastpage
489
Abstract
This paper discusses how cryptography is misused in the security design of a large part of the Web. Our focus is on ASP.NET, the web application framework developed by Microsoft that powers 25% of all Internet web sites. We show that attackers can abuse multiple cryptographic design flaws to compromise ASP.NET web applications. We describe practical and highly efficient attacks that allow attackers to steal cryptographic secret keys and forge authentication tokens to access sensitive information. The attacks combine decryption oracles, unauthenticated encryptions, and the reuse of keys for different encryption purposes. Finally, we give some reasons why cryptography is often misused in web technologies, and recommend steps to avoid these mistakes.
Keywords
Internet; Web sites; cryptography; ASP.NET; Internet web sites; cryptographic design flaws; decryption oracles; forge authentication tokens; security design; sensitive information; steal cryptographic secret keys; unauthenticated encryptions; web application framework; Assembly; Authentication; Cryptography; Internet; Servers; Software; Application Security; Cryptography; Decryption oracle attack; Unauthenticated encryption; Web security;
fLanguage
English
Publisher
ieee
Conference_Titel
Security and Privacy (SP), 2011 IEEE Symposium on
Conference_Location
Berkeley, CA
ISSN
1081-6011
Print_ISBN
978-1-4577-0147-4
Electronic_ISBN
1081-6011
Type
conf
DOI
10.1109/SP.2011.42
Filename
5958047