Proceedings of the 18th ACM conference on Computer and communications security
Position paper: why are there so many vulnerabilities in web applications?
Proceedings of the 2011 workshop on New security paradigms workshop
Authenticated-Encryption with padding: a formal security treatment
Cryptography and Security
| Hi-index | 0.00 |
This paper discusses how cryptography is misused in the security design of a large part of the Web. Our focus is on ASP.NET, the web application framework developed by Microsoft that powers 25% of all Internet web sites. We show that attackers can abuse multiple cryptographic design flaws to compromise ASP.NET web applications. We describe practical and highly efficient attacks that allow attackers to steal cryptographic secret keys and forge authentication tokens to access sensitive information. The attacks combine decryption oracles, unauthenticated encryptions, and the reuse of keys for different encryption purposes. Finally, we give some reasons why cryptography is often misused in web technologies, and recommend steps to avoid these mistakes.