OT: Padding Oracle Attacks

Nicholas Cole nicholas.cole at gmail.com
Sun Sep 19 10:18:54 CEST 2010


There has been quite a lot on the net lately about Padding Oracle
Attacks, said to affect many secure web applications.

http://www.theregister.co.uk/2010/09/14/web_apps_crypto_flaw

I was interested to see that the new Diaspora Social Networking
software, which uses gpg internally (though presumably not for all
things) is also said to suffer from this sort of flaw.

I've come across two interesting descriptions of the attack:

http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf

Am I right that this is exactly the sort of attack that the MDC in gpg
is designed to prevent?

Best wishes,

Nicholas



More information about the Gnupg-devel mailing list