Sign in to follow this  

Researchers: XML encryption standard is insecure

Recommended Posts

+M2Ys4U    97
Researchers at the Ruhr University of Bochum (RUB) say they have succeeded in cracking parts of the XML encryption used in web services, thus making it possible to decrypt encrypted data. The official W3C XML encryption specification is designed to be used to protect data transmitted between online servers such as those used by e-commerce and financial institutions.

According to the researchers, IBM, Microsoft and Red Hat Linux use the standard solution in web service applications for a number of large customers. The researchers say that, based on their findings, the standard should now be considered insecure. They plan to publish details about the problem at the upcoming ACM Conference on Computer and Communications Security (ACM CCS 2011) in Chicago.

As part of their attack, two of the researchers, Juraj Somorovsky and Tibor Jager, sent packets containing modified cipher text to a server. They managed to intercept the packet encrypted with AES in the cipher-block chaining (CBC) mode and then change the initialisation vector (IV) used in the CBC mode. One of the outcomes was error messages from the server when it found an admissible character in XML when it decrypted the specially crafted packet. By sending the packet with different IVs, it was then possible to "guess what the actual message was".

The researchers say that there is no short-term solution and strongly recommend that the standard be updated. The attack only works when AES is used for encryption in the CBC mode. XML encryption also supports encryption with an RSA key and X.509 certificates. The CBC is also involved in the vulnerability in the TLS 1.0 standard. There, IVs that are not randomly generated for individual blocks make it vulnerable to a chosen-plaintext attack (CPA), which reconstructs encrypted cookies that have been transmitted.

Source: The H Online

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.