How to Break XML Encryption - Automatically

In the recent years, XML Encryption became a target of several new attacks [18, 17, 16]. These attacks belong to the family of adaptive chosen-ciphertext attacks, and allow an adversary to decrypt symmetric and asymmetric XML ciphertexts, without knowing the secret keys. In order to protect XML Encryption implementations, the World Wide Web Consortium (W3C) published an updated version of the standard. Unfortunately, most of the current XML Encryption implementations do not support the newest XML Encryption specification and offer different XML Security configurations to protect confidentiality of the exchanged messages. Resulting from the attack complexity, evaluation of the security configuration correctness becomes tedious and error prone. Validation of the applied countermeasures can typically be made with numerous XML messages provoking incorrect behavior by decrypting XML content. Up to now, this validation was only manually possible. In this paper, we systematically analyze the chosenciphertext attacks on XML Encryption and design an algorithm to perform a vulnerability scan on arbitrary encrypted XML messages. The algorithm can automatically detect a vulnerability and exploit it to retrieve the plaintext of a message protected by XML Encryption. To assess practicability of our approach, we implemented an open source attack plugin for Web Service attacking tool called WS-Attacker. With the plugin, we discovered new security problems in four out of five analyzed Web Service implementations, including IBM Datapower or Apache CXF.

[1]  Juraj Somorovsky,et al.  On the insecurity of XML Security , 2014, it Inf. Technol..

[2]  Kenneth G. Paterson,et al.  Plaintext-Recovery Attacks Against Datagram TLS , 2012, NDSS.

[3]  Donald E. Eastlake,et al.  XML-Signature Syntax and Processing , 2001, RFC.

[4]  Kenneth G. Paterson,et al.  One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography , 2013, NDSS.

[5]  Kenneth G. Paterson,et al.  Attacking the IPsec Standards in Encryption-only Configurations , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[6]  Jean Jacques Moreau,et al.  SOAP Version 1. 2 Part 1: Messaging Framework , 2003 .

[7]  Erik Tews,et al.  Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks , 2014, USENIX Security Symposium.

[8]  Graham Steel,et al.  Efficient Padding Oracle Attacks on Cryptographic Hardware , 2012, IACR Cryptol. ePrint Arch..

[9]  Nils Gruschka,et al.  SOA and Web Services: New Technologies, New Standards - New Attacks , 2007, ECOWS 2007.

[10]  Serge Vaudenay,et al.  Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS , 2002, EUROCRYPT.

[11]  Morris J. Dworkin,et al.  SP 800-38D. Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC , 2007 .

[12]  Jörg Schwenk,et al.  Your Software at my Service: Security Analysis of SaaS Single Sign-On Solutions in the Cloud , 2014, CCSW.

[13]  Jörg Schwenk,et al.  All your clouds are belong to us: security analysis of cloud management interfaces , 2011, CCSW '11.

[14]  Tibor Jager,et al.  Bleichenbacher's Attack Strikes again: Breaking PKCS#1 v1.5 in XML Encryption , 2012, ESORICS.

[15]  Thai Duong,et al.  Practical Padding Oracle Attacks , 2010, WOOT.

[16]  Tibor Jager,et al.  How to break XML encryption , 2011, CCS '11.

[17]  Kenneth G. Paterson,et al.  On the (in)security of IPsec in MAC-then-encrypt configurations , 2010, CCS '10.

[18]  Steven J. DeRose,et al.  XML Path Language (XPath) , 1999 .

[19]  Morris J. Dworkin,et al.  Recommendation for Block Cipher Modes of Operation: Methods and Techniques , 2001 .

[20]  Kenneth G. Paterson,et al.  On the Joint Security of Encryption and Signature in EMV , 2012, CT-RSA.

[21]  Michael K. Reiter,et al.  Cross-Tenant Side-Channel Attacks in PaaS Clouds , 2014, CCS.

[22]  Jörg Schwenk,et al.  Penetration Testing Tool for Web Services Security , 2012, 2012 IEEE Eighth World Congress on Services.

[23]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[24]  Nils Gruschka,et al.  Vulnerable Cloud: SOAP Message Security Validation Revisited , 2009, 2009 IEEE International Conference on Web Services.

[25]  D. Eastlake,et al.  XML Encryption Syntax and Processing , 2003 .

[26]  Michael McIntosh,et al.  XML signature element wrapping attacks and countermeasures , 2005, SWS '05.

[27]  Jörg Schwenk,et al.  On Breaking SAML: Be Whoever You Want to Be , 2012, USENIX Security Symposium.

[28]  Jörg Schwenk,et al.  XSpRES - Robust and Effective XML Signatures for Web Services , 2012, CLOSER.

[29]  Jörg Schwenk,et al.  A New Approach towards DoS Penetration Testing on Web Services , 2013, 2013 IEEE 20th International Conference on Web Services.

[30]  Nils Gruschka,et al.  A survey of attacks on web services , 2009, Computer Science - Research and Development.

[31]  Burton S. Kaliski,et al.  PKCS #1: RSA Encryption Version 1.5 , 1998, RFC.

[32]  Jörg Schwenk,et al.  On Technical Security Issues in Cloud Computing , 2009, 2009 IEEE International Conference on Cloud Computing.

[33]  Steven J. DeRose,et al.  XML Path Language (XPath) Version 1.0 , 1999 .

[34]  Jörg Schwenk,et al.  Technical Analysis of Countermeasures against Attack on XML Encryption -- or -- Just Another Motivation for Authenticated Encryption , 2012, 2012 IEEE Eighth World Congress on Services.