We have a Web app we developed in house that uses XML encryption. Given the recent proof-of-concept attack developed
for XML, should we be concerned? What can we do to protect our data against XML attacks until a new standard is developed?
Ask the Expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
The presentation by researchers Jager and Somorovsky concerning the proof-of-concept attack for XML encryption showed it’s possible to decrypt XML-encrypted data without knowing the encryption key. Jager and Somorovsky’s research is a generalization of Padding Oracle attacks from Vaudenay in 2002. Enterprises should be relatively unconcerned about this development, but as the BEAST attacks demonstrated, theoretical or proof-of-concept exploits should be taken seriously by software vendors. As soon as fixes are released, software vendors using XML encryption should start fixing their software and in-house developers should be prepared to update their code.
Enterprises could temporarily protect XML-encrypted data by implementing rate-limiting for XML encryption connections, ensuring security tools detect the attacks, applying general access control for XML encryptions connections, and potentially instigating an XML firewall. Rate-limiting connections for XML encryption does not stop an attack, but it slows the attack because a large number of connections are required to obtain the necessary encrypted data to analyze and decrypt. By slowing the attack, an organization has a better chance of detecting an attack in progress. The organization should check if its network and host-based security tools identify the XML encryption requests to determine if the error messages generated from the attack are detected. General access control for XML connections limits the sources of an attack by restricting connections to only approved network sources. There are also XML firewalls that include some of this functionality that could be used to block an attack.
Dig deeper on Web Services Security and SOA Security
Related Q&A from Nick Lewis, Enterprise Threats
Researchers reportedly succeeded in extracting decryption keys using sound-based attacks. Is this a threat enterprises should worry about?continue reading
The amount of malware using peer-to-peer communications has increased dramatically. Enterprise threats expert Nick Lewis explains how to detect P2P ...continue reading
Cloaked malware, like DGA.Changer, can reportedly evade sandbox detection. Nick Lewis explains how to handle the risk.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.