If they can get your system to tell them if a message is valid somehow, perhaps by making thousands of attempts to pass a message and noting where it says 'login failed' or '404' instead of invalid message (for instance), then there are all sorts of things that can be done to recover messages and keys.
The CBC padding oracle is one such attack. There are a bunch of similar ones. They're "chosen ciphertext" attacks.
Nursie|13 years ago
I highly recommend Dan Boneh's crypto 101 on coursera for anyone that has the time.
tptacek|13 years ago
Again, even if you get this part right, there are other things that go wrong. TLS is authenticated, and it fell to two adaptive chosen plaintext attacks because of two different implementation details they messed up. And no public cryptosystem in the world has been as thoroughly tested and analyzed as TLS.
pjscott|13 years ago
http://blog.cryptographyengineering.com/2011/10/attack-of-we...
For some mind-boggling reason, the designers of the XML Encryption standard decided to make authentication optional, so an attacker can simply avoid sending an incorrect MAC.
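The padding-oracle comment above and pjscott's point about authentication being optional describe the same defect from two sides, so here is one added illustration in Go (standard library only; this is not code from any commenter or from the XML Encryption spec): a CBC decryptor that unpads before checking the MAC and names each failure separately, beside one that verifies an HMAC over the whole token first, in constant time, and collapses every failure into a single error. All keys, the IV, and the function names are constructed for the example.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)
// Constructed sample keys, illustration only; real code uses separate random keys.
var encKey, macKey = []byte("0123456789abcdef0123456789abcdef"), []byte("a-separate-32-byte-hmac-key-here")
var aesBlock, _ = aes.NewCipher(encKey)      // 32-byte key above, so this cannot fail
var ErrInvalid = errors.New("invalid message") // the only error safeDecrypt ever reports
// tagOf is HMAC-SHA256 over iv||ct, i.e. over the whole token except the tag itself.
func tagOf(ivct []byte) []byte { m := hmac.New(sha256.New, macKey); m.Write(ivct); return m.Sum(nil) }
// encrypt: PKCS#7 pad, AES-CBC, then append the tag (encrypt-then-MAC). Token = iv||ct||tag.
func encrypt(iv, msg []byte) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	padded := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(aesBlock, iv).CryptBlocks(ct, padded)
	ivct := append(append([]byte{}, iv...), ct...)
	return append(ivct, tagOf(ivct)...)
}
// cbcDecrypt undoes CBC on iv||ct and validates PKCS#7; its errors say exactly what failed.
func cbcDecrypt(ivct []byte) ([]byte, error) {
	if len(ivct) < 2*aes.BlockSize || len(ivct)%aes.BlockSize != 0 { return nil, errors.New("bad length") }
	p := make([]byte, len(ivct)-aes.BlockSize)
	cipher.NewCBCDecrypter(aesBlock, ivct[:aes.BlockSize]).CryptBlocks(p, ivct[aes.BlockSize:])
	n := int(p[len(p)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) { return nil, errors.New("bad padding") }
	return p[:len(p)-n], nil
}
// leakyDecrypt unpads BEFORE authenticating and names each failure separately: a padding oracle.
func leakyDecrypt(tok []byte) ([]byte, error) {
	if len(tok) < sha256.Size { return nil, errors.New("bad length") }
	ivct, tag := tok[:len(tok)-sha256.Size], tok[len(tok)-sha256.Size:]
	msg, err := cbcDecrypt(ivct) // "bad padding" escapes to the caller
	if err == nil && !hmac.Equal(tag, tagOf(ivct)) { msg, err = nil, errors.New("bad mac") }
	return msg, err
}
// safeDecrypt checks the tag (constant time) before touching the ciphertext; every failure is ErrInvalid.
func safeDecrypt(tok []byte) ([]byte, error) {
	if len(tok) < sha256.Size { return nil, ErrInvalid }
	ivct, tag := tok[:len(tok)-sha256.Size], tok[len(tok)-sha256.Size:]
	if !hmac.Equal(tag, tagOf(ivct)) { return nil, ErrInvalid }
	if msg, err := cbcDecrypt(ivct); err == nil { return msg, nil }
	return nil, ErrInvalid
}
```

Flipping one IV byte of a valid token leaves the last block's padding intact, so leakyDecrypt answers "bad mac" rather than "bad padding", which is exactly the one bit per query the attack in the thread depends on; safeDecrypt answers ErrInvalid to that and to every other malformed input.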