Messages posted by: dbs
 
Hi all,

I haven't looked at the content of mrro's presentation at BH, but the topic title contains the word Oracle, which made me "mistakenly" think it was related to Oracle technology, and so I happened to read this review.

I also haven't read the author's review carefully, so please read it yourselves and draw your own conclusions.



Practical padding oracle Attacks
Thai Duong and Juliano Rizzo kicked off the second day at Blackhat Europe 2010.

That was the first surprise of the day. Oracle vs oracle… I should have known there was something wrong with that. I guess I was not the only one who was caught by surprise. After the first slide, I heard a lot of people mumbling "this is another presentation" and things like that. Anyways, the talk was about crypto, and feeding hardcore crypto to my brain at this time of the day is just not good for me.

I got hit by the well-known "massive concrete demolition hammer" while trying to understand the highly technical (and math) presentation about cryptography and how oracle padding can be used to break all sorts of encryption mechanisms. Ok, I have to admit. Even when I’m wide awake, this stuff will kill me as well.

So I’m sorry. There’s not really much I can tell about this presentation. These guys did some awesome research and provided a really detailed presentation, that is, if you could understand what they were saying (and I’m talking about the content here). But don’t expect me to give you details on how things work, because I didn’t get it. (I will look back at the paper and slides later on and see if I can get it after a 2nd, 3rd, 4th etc reading)

Their first demo went terribly wrong (Murphy's law)… twice…, and that gave me the time to try to refocus and to understand what they were saying…



… but I failed miserably in my attempts to catch up again…

So the only thing I can do is admit that I'm not up to that kind of challenge at this time of the day (or just in general) and I'll just summarize the entire talk in a few lines: Thai and Juliano explained the technical details and theory behind their findings, and applied those findings to a few practical attacks: break captcha code, decrypt JavaServer Faces view states etc. They are releasing a tool called POET (= Padding Oracle Exploitation Tool) and some JavaScript code to break captcha after BH 2010. (see http://netifera.com/research)



Again, excellent in-depth and well-performed and well-documented research. Just bad timing on my behalf.

So I moved on to the next presentation.



(http://www.corelan.be:8800/index.php/2010/04/16/blackhat-europe-2010-barcelona-day-10/)


Regards.
 
