Padding Oracle Exploit Tool Vs Apache Myfaces
|
|
|
||||||||||||
Description:
At Eurocrypt 2002, Vaudenay introduced a powerful side-channel attack, which is called Padding Oracle attack, against CBC-mode encryption with PKCS#5 padding. By giving an oracle which on receipt of a ciphertext, decrypting it and then replying to the sender whether the padding is correct or not, he shows that one can efficiently decrypt data without knowing the encryption key. You can read the full paper for more details.
In this video, we will look at a demo of the POET tool which uses the padding oracle attack. In minutes POET completely decrypts the VIewState of a JavaServer Faces application. The server is Apache MyFaces configured to use AES/CBC encryption with a random secret key and IV. POET uses Vaudenay's padding oracle attack to decrypt the web application client-side state byte by byte.
Thanks go out to cryptolamer for referring this video to us!
In this video, we will look at a demo of the POET tool which uses the padding oracle attack. In minutes POET completely decrypts the VIewState of a JavaServer Faces application. The server is Apache MyFaces configured to use AES/CBC encryption with a random secret key and IV. POET uses Vaudenay's padding oracle attack to decrypt the web application client-side state byte by byte.
Thanks go out to cryptolamer for referring this video to us!