OT: Padding Oracle Attacks
nicholas.cole at gmail.com
Mon Sep 20 23:13:04 CEST 2010
On Mon, Sep 20, 2010 at 4:25 PM, Tom Ritter <tom at ritter.vg> wrote:
>> I've come across two interesting descriptions of the attack:
> The GDS blog post is the best visual example of how the Padding Oracle
> can be used to decrypt data that I've seen. Thai and Julian's
> presentation linked, as well as the recent one at Ekoparty, are
> excellent weaponizations.
>> Am I right that this is exactly the sort of attack that the MDC in gpg
>> is designed to prevent?
> I don't know much about the MDC in gpg - I'm curious how it differs
> from a HMAC. If the MDC is checked before decryption is attempted, it
> should thwart the attack, because gpg would fail with an error
> indicating an incorrect MDC, rather than a message indicating the
> padding is incorrect (for the 255 bad padding values) or the MDC is
> incorrect (for the 1 good padding value but bad MDC). This ordering
> is vital, and what leads to the ASP.Net encrypted viewstate being
> vulnerable. There is an HMAC on the viewstate, but the HMAC is
> checked _after_ the viewstate decryption is attempted.
> Colin Percival has a good blog post explaining this concept as well:
The workings of the MDC are set out here:
http://tools.ietf.org/html/rfc4880 (see section 5.13).
It isn't clear to me after reading that whether this kind of attack would
be thwarted by the MDC or not.
More information about the Gnupg-devel