Researchers in Germany are urging the World Wide Web Consortium (W3C) to develop an improved XML encryption algorithm following a proof-of-concept of a serious attack against the W3C encryption algorithm.
“There is no simple patch for this problem... We therefore propose to change the standard as soon as possible.”
Juraj Somorovsky, Ruhr-University
Extensible Markup Language (XML) is the standard used for data exchange in most Web applications. XML encryption was designed to protect sensitive data, such as ecommerce transactions and sensitive company information. It operates in conjunction with other security standards, such as XML signature and XML key management (XKMS). IBM, Microsoft and Red Hat Linux use XML encryption. The XML encryption standard is maintained by W3C.
The researchers, from Ruhr-University in Bochum Germany, presented their proof-of-concept attack targeting the XML encryption weaknesses last week at the ACM Conference on Computer and Communications Security in Chicago.
According to the university, Juraj Somorovsky and Tibor Jager exploited a weakness in the XML encryption cipher block chaining (CBC) mode. “We were able to decrypt data by sending modified ciphertexts to the server, by gathering information from the received error messages,” the researchers said in a statement."
Reached via email, Jager said "the weakness affects any standard-conformant implementation."
"Depending on the application scenario there may be an ad-hoc fix. For instance, the attack relies on the fact that the adversary is able to distinguish 'valid' from 'invalid' ciphertexts, e.g. by sending the ciphertext to a Web Service and observing the response.If the attacker is not able to do this (e.g. since it would have to login first), then this prevents the attack. But one has to take extreme care with any ad-hoc solutions, since there are many other ways to mount the attack with only minor modifications."
The researchers disclosed their findings before presenting it at the conference. Companies were informed through the W3C mailing list and the researchers worked with some companies on possible workarounds. The attack was tested against a popular open source implementation of XML encryption and the implementations of companies that responded to the responsible disclosure; in all cases the attack succeeded.
“There is no simple patch for this problem,” Somorovsky said in a statement. “We therefore propose to change the standard as soon as possible.” The researchers informed all those possibly affected.
In their paper, “How to break XML Encryption,” Somorovsky and Jager say all possible workarounds are difficult to employ and can be defeated. The CBC mode of operation, which provides message integrity needs to be replaced, they said. Changing the standard will not be easy and could create deployment and backwards compatibility issues, the researchers said.
The complexity of XML encryption has been known to pose potential risks, with the earliest demonstration in 2002. Performance and authentication may introduce problems and attackers have long figured out how to use XML denial-of-service attacks (XDoS) to take down services. To protect against possible attacks, security vendors introduced Web services and XML firewalls to enable companies to apply security policies and antivirus signatures to the raw XML messages.
There is not a large opportunity for attackers to attempt attacks on XML traffic, said Jason Bloomberg, president of McLean, Va.-based ZapThink, a Dovel Technologies Company. Most organizations that accept XML traffic from outside their network put XML firewalls in place. While XML is used widely across the Web, XML encryption is in limited use, because it is processor intensive.
“Instead of having to rely on a protocol that decrypts and encrypts XML other approaches give organizations fine grained control for security within the message,” Bloomberg said.
For example, Amazon provides SOAP based connections for companies that have applications that interact with Amazon’s cloud infrastructure, but other interfaces are available and more widely used.
Attacks have been minimal and mostly proof-of-concept due to their relative sophistication. Last year, researchers Juliano Rizzo and Thai Duong created the Padding Oracle Exploit Tool (POET), which automatically finds and exploits cookie encryption padding vulnerabilities in ASP.NET Web applications. There have been no known attacks reportedly using the tool, although detecting an attack would be difficult and most organizations are not likely to announce a successful breach.