DocumentCode :
2351169
Title :
Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET
Author :
Duong, Thai ; Rizzo, Juliano
Author_Institution :
Vnsecurity/HVAOnline, Ho Chi Minh City, Vietnam
fYear :
2011
fDate :
22-25 May 2011
Firstpage :
481
Lastpage :
489
Abstract :
This paper discusses how cryptography is misused in the security design of a large part of the Web. Our focus is on ASP.NET, the web application framework developed by Microsoft that powers 25% of all Internet web sites. We show that attackers can abuse multiple cryptographic design flaws to compromise ASP.NET web applications. We describe practical and highly efficient attacks that allow attackers to steal cryptographic secret keys and forge authentication tokens to access sensitive information. The attacks combine decryption oracles, unauthenticated encryptions, and the reuse of keys for different encryption purposes. Finally, we give some reasons why cryptography is often misused in web technologies, and recommend steps to avoid these mistakes.
Keywords :
Internet; Web sites; cryptography; ASP.NET; Internet web sites; cryptographic design flaws; decryption oracles; forge authentication tokens; security design; sensitive information; steal cryptographic secret keys; unauthenticated encryptions; web application framework; Assembly; Authentication; Cryptography; Internet; Servers; Software; Application Security; Cryptography; Decryption oracle attack; Unauthenticated encryption; Web security;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Security and Privacy (SP), 2011 IEEE Symposium on
Conference_Location :
Berkeley, CA
ISSN :
1081-6011
Print_ISBN :
978-1-4577-0147-4
Electronic_ISBN :
1081-6011
Type :
conf
DOI :
10.1109/SP.2011.42
Filename :
5958047