Last Updated on October 23, 2011

We have not completely assimilated the BEAST vulnerability, and here it comes, from Bochum, Germany, another serious flaw involving Encryption, or better, involving XML Encryption.

XML Encryption, is a W3C standard widely used to securely transmit information inside Application-to-Application Web services connections. It was believed to be a robust standard mechanism to protect data exchange between a wide class of applications using web services and deployed in different sectors, for instance business, e-commerce, financial, healthcare, governmental and military applications. For the generic user a typical scenario involves, for example, credit card information encryption for a payment within an XML-based purchase order.

Unfortunately it lools like the mechanism is not so robust as it was supposed to be, and the discovery comes from Juraj Somorovsky and Tibor Jager, two Researchers at the Ruhr University of Bochum (RUB) who were successful in cracking parts of the XML encryption process used in web services, thus making it possible to decrypt encrypted data. They demonstrated their work at the ACM Conference on Computer and Communications Security in Chicago this week.

As far as the attack technique is concerned, once again CBC (Cipher-Block Chaining) is indicted since the new discovered vulnerability, as in case of the BEAST attack, is exploitable only in this encryption mode.

The attack strategy seems very similar to the one behind the BEAST Attack and allows to decrypt data, encrypted in AES-CBC, by sending modified ciphertexts to the server, and gathering information from the received error messages using the cryptographic weakness of the CBC mode, in particular the fact that, by conveniently manipulating the IV, ciphertexts encrypted in CBC mode can be modified so that the resulting ciphertext is related to the original ciphertext in a certain way (see the description of the BEAST attack for an example).

So, by choosing a given ciphertext, the attacker is able to recover the entire plaintext and the only prerequisite requires the availability of what the researchers define an “oracle”, that is a pattern telling the attacker if a given ciphertext contains a “correctly formed” plaintext that is a valid encoding (e.g. in UTF-8 or ASCII) of a message. Even worse XML signature is not able to mitigate the attack.

In their paper the authors showed that a moderately optimized implementation of the attack was able to decrypt 160 bytes of encrypted data within 10 seconds by issuing 2,137 queries to the Web Service, morever the complexity of the attack grows only linearly with the ciphertext size, thus allowing to recover a larger plaintext of 1,600 bytes takes about 100 seconds and 23,000 queries.

The proof of concept has been performed on a Web Service based on the Apache Axis2 XML framework and verified on JBoss, but many other vendors are affected, that is the reason why the two researchers announced the vulnerability to the W3C XML Encryption Working Group in February 2011. Vendors affected include the above mentioned Apache Software Foundation (Apache Axis2), RedHat Linux (JBoss), but also IBM and Microsoft.

Unfortunately fixing the flaw will not be that easy, the only suitable way is to replace CBC mode by using a symmetric cryptographic primitive providing confidentiality and integrity, this means to change the XML Encryption standard!

The 2011

Related articles

• Researchers crack W3C encryption standard for XML (arstechnica.com)
• XML Encryption Broken, Need To Fix W3C Standard (it.slashdot.org)
• The Beauty (RC4) and The BEAST (TLS) (paulsparrows.wordpress.com)