[Esapi-dev] HMAC validation bypass in ESAPI Symmetric Encryption

Pierre Cardina pcardina at yahoo.fr
Mon Dec 2 22:10:01 UTC 2013


Hi Kevin,

Do you have a tentative release date for this 2.1.1 version yet? Is there any mitigation strategy to prevent attacks on the cipher text when the HMAC has been bypassed? For example, not using CBC for the encrypted text (to prevent a padding oracle)?

Much appreciated.

P. Cardina