[Dailydave] Web Security Is Hard
Jamie Riden
jamie.riden at gmail.com
Wed Jun 3 14:27:35 EDT 2009
OK, might as well run this by everyone.
IV ++ AES/CBC/PKCS7 padding - encrypted block ++ SHA1-HMAC of secret data
if the HMAC doesn't come out the same as computed for decrypt we just
abort. What's wrong with the above? (assuming we get our PRNG suitably
random.)
( SUN's example Java code uses DES in ECB mode - go figure. You do
have to type A-E-S in if you're using Java. )
cheers,
Jamie
2009/6/3 dave <dave at immunityinc.com>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> While everyone is concentrating on things like SQL Injection and Cross
> Site Scripting, the fun can be described as some great posts today:
>
> http://www.matasano.com/log/1749/typing-the-letters-a-e-s-into-your-code-youre-doing-it-wrong/
> http://news.ycombinator.com/item?id=639976
>
> Although I usually advise people to read Chris Eng's presentation first
> - - it makes a good appetiser to the Matasano post.
>
> - -dave
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkomuk4ACgkQtehAhL0gheobKQCeMJH3IgshQfBbSaPAF1NVx+2u
> RTsAn1iXwYZ71vfMm7vfoRIhWLQW1mza
> =rHpD
> -----END PGP SIGNATURE-----
--
Jamie Riden / jamesr at europe.com / jamie at honeynet.org.uk
http://www.ukhoneynet.org/members/jamie/
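
The receive side of the layout described in the message above (IV, then the AES/CBC ciphertext, then a SHA1-HMAC), as an added example that is not part of the original post. It assumes the HMAC is computed over IV plus ciphertext under a key separate from the AES key, which the post does not specify; the function names are hypothetical and the ciphertext is constructed random bytes standing in for real AES-CBC output, so only the framing and abort-before-decrypt check are shown.

```python
import hashlib
import hmac
import os

BLOCK = 16    # AES block size, also the CBC IV length
TAG_LEN = 20  # HMAC-SHA1 output length


def seal(mac_key, iv, ciphertext):
    """Frame as IV || ciphertext || HMAC-SHA1(IV || ciphertext) (assumed coverage)."""
    if len(iv) != BLOCK or not ciphertext or len(ciphertext) % BLOCK:
        raise ValueError("IV or ciphertext is not block aligned")
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha1).digest()
    return iv + ciphertext + tag


def open_verified(mac_key, token):
    """Return (iv, ciphertext) if the tag verifies, else None.
    The caller decrypts and strips padding only after this returns a value."""
    if len(token) < 2 * BLOCK + TAG_LEN:
        return None
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if len(body) % BLOCK:
        return None
    expected = hmac.new(mac_key, body, hashlib.sha1).digest()
    # Constant-time compare, so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return body[:BLOCK], body[BLOCK:]


def demo():
    mac_key = os.urandom(32)            # constructed; not the AES key
    iv = os.urandom(BLOCK)
    ciphertext = os.urandom(3 * BLOCK)  # constructed stand-in for AES-CBC output
    token = seal(mac_key, iv, ciphertext)
    iv_flip = bytes([token[0] ^ 1]) + token[1:]
    ct_flip = token[:BLOCK] + bytes([token[BLOCK] ^ 1]) + token[BLOCK + 1:]
    block_cut = token[:BLOCK] + token[2 * BLOCK:]
    return {
        "intact_accepted": open_verified(mac_key, token) == (iv, ciphertext),
        "iv_flip_rejected": open_verified(mac_key, iv_flip) is None,
        "ct_flip_rejected": open_verified(mac_key, ct_flip) is None,
        "block_cut_rejected": open_verified(mac_key, block_cut) is None,
    }


if __name__ == "__main__":
    print(demo())
```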