ABSTRACT
XML Encryption was standardized by W3C in 2002, and is implemented in XML frameworks of major commercial and open-source organizations like Apache, Red Hat, IBM, and Microsoft. It is employed in a large number of major web-based applications, ranging from business communications, e-commerce, and financial services through healthcare applications to governmental and military infrastructures. In this work we describe a practical attack on XML Encryption, which allows an attacker to decrypt a ciphertext by sending related ciphertexts to a Web Service and evaluating the server response. We show that an adversary can decrypt a ciphertext by performing only 14 requests per plaintext byte on average. This poses a serious and truly practical security threat to all currently used implementations of XML Encryption.
In a sense the attack can be seen as a generalization of padding oracle attacks (Vaudenay, Eurocrypt 2002). It exploits a subtle correlation between the block cipher mode of operation, the character encoding of encrypted text, and the response behaviour of a Web Service if an XML message cannot be parsed correctly.
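The correlation the abstract describes, seen from the service side, as an added example that is not code from the paper or from any framework it names: a CBC processing path whose failure stage (padding, UTF-8 decoding, XML parsing) shows through the response, beside an AES-GCM path that authenticates before anything is decoded or parsed. Go's standard-library crypto and encoding/xml stand in for a real XML Encryption stack; the response strings, the padding rule (XML Encryption validates only the last byte) and any keys or IVs are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/xml"
	"unicode/utf8"
)

// cbcEncrypt: XML Encryption padding (last byte = pad length, others arbitrary), then AES-CBC.
func cbcEncrypt(key, iv, pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	buf := append(append([]byte{}, pt...), make([]byte, n)...)
	buf[len(buf)-1] = byte(n)
	blk, _ := aes.NewCipher(key)
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(buf, buf)
	return buf
}

// legacyProcess decrypts, unpads, checks UTF-8 and parses, reporting which
// stage failed: the distinguishable responses the abstract describes.
func legacyProcess(key, iv, ct []byte) string {
	blk, _ := aes.NewCipher(key)
	pt := append([]byte(nil), ct...) // caller guarantees block alignment
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, pt)
	n := int(pt[len(pt)-1]) // XML Encryption validates only this byte
	if n < 1 || n > aes.BlockSize {
		return "bad padding"
	}
	if pt = pt[:len(pt)-n]; !utf8.Valid(pt) {
		return "bad encoding"
	}
	if xml.Unmarshal(pt, new(struct{})) != nil {
		return "bad xml"
	}
	return "ok"
}

// hardenedProcess uses AES-GCM: the tag is verified before anything is decoded
// or parsed, so a modified ciphertext never reaches the stages that leak above.
func hardenedProcess(key, nonce, ct []byte) string {
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	pt, err := g.Open(nil, nonce, ct, nil)
	if err != nil || xml.Unmarshal(pt, new(struct{})) != nil {
		return "rejected" // one answer, whether the tag or the XML was wrong
	}
	return "ok"
}
```

Flipping a bit of the IV (or of ciphertext block i-1) flips the same bit of plaintext block 0 (or i), which is why the sender of a related ciphertext can steer which stage of legacyProcess fails; the GCM path answers identically for every such change.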
REFERENCES
- Black, J., and Urtubia, H. Side-channel attacks on symmetric encryption schemes: The case for authenticated encryption. In USENIX Security Symposium (2002), D. Boneh, Ed., USENIX, pp. 327--338.
- Bray, T., Paoli, J., Sperberg-McQueen, C. M., Maler, E., and Yergeau, F. Extensible Markup Language (XML) 1.0 (Fifth Edition). W3C Recommendation (2008).
- Degabriele, J. P., and Paterson, K. G. Attacking the IPsec standards in encryption-only configurations. In IEEE Symposium on Security and Privacy (2007), IEEE Computer Society, pp. 335--349.
- Degabriele, J. P., and Paterson, K. G. On the (in)security of IPsec in MAC-then-encrypt configurations. In ACM Conference on Computer and Communications Security (2010), E. Al-Shaer, A. D. Keromytis, and V. Shmatikov, Eds., ACM, pp. 493--504.
- Duong, T., and Rizzo, J. Cryptography in the web: The case of cryptographic design flaws in ASP.NET. In IEEE Symposium on Security and Privacy (2011).
- Eastlake, D., Reagle, J., Imamura, T., Dillaway, B., and Simon, E. XML Encryption Syntax and Processing. W3C Recommendation (2002).
- Eastlake, D., Reagle, J., Solo, D., Hirsch, F., and Roessler, T. XML Signature Syntax and Processing (Second Edition). W3C Recommendation (2008).
- Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J.-J., and Nielsen, H. F. SOAP Version 1.2 Part 1: Messaging Framework. W3C Recommendation (2003).
- JBoss Community. JBoss WS (Web Services Framework for JBoss AS).
- McIntosh, M., and Austel, P. XML signature element wrapping attacks and countermeasures. In SWS '05: Proceedings of the 2005 Workshop on Secure Web Services (New York, NY, USA, 2005), ACM Press, pp. 20--27.
- Mitchell, C. J. Error oracle attacks on CBC mode: Is there a future for CBC mode encryption? In ISC (2005), pp. 244--258.
- Nadalin, A., Kaler, C., Monzillo, R., and Hallam-Baker, P. Web Services Security: SOAP Message Security 1.1 (WS-Security 2004). OASIS Standard (2006).
- Paterson, K. G., and Watson, G. J. Immunising CBC mode against padding oracle attacks: A formal security treatment. In SCN (2008), R. Ostrovsky, R. D. Prisco, and I. Visconti, Eds., vol. 5229 of Lecture Notes in Computer Science, Springer, pp. 340--357.
- Paterson, K. G., and Yau, A. Padding oracle attacks on the ISO CBC mode encryption standard. In Topics in Cryptology -- CT-RSA 2004 (Feb. 2004), T. Okamoto, Ed., vol. 2964 of Lecture Notes in Computer Science, Springer, pp. 305--323.
- Rizzo, J., and Duong, T. Practical padding oracle attacks. In Proceedings of the 4th USENIX Conference on Offensive Technologies (Berkeley, CA, USA, 2010), WOOT'10, USENIX Association, pp. 1--8.
- van Engelen, R. A. The gSOAP Toolkit for SOAP Web Services and XML-Based Applications.
- Thai, T., and Lam, H. .NET Framework Essentials. 2001.
- The Apache Software Foundation. Apache Axis2.
- Vaudenay, S. Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS ... In Advances in Cryptology -- EUROCRYPT 2002 (Apr. / May 2002), L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, Springer, pp. 534--546.
- Yau, A. K. L., Paterson, K. G., and Mitchell, C. J. Padding oracle attacks on CBC-mode encryption with secret and random IVs. In Fast Software Encryption -- FSE 2005 (Feb. 2005), H. Gilbert and H. Handschuh, Eds., vol. 3557 of Lecture Notes in Computer Science, Springer, pp. 299--319.