XML Encryption cracked, exposing real threat to online transactions
German researchers have demonstrated a technique for breaking the encryption widely used to secure data in online transactions, which they say “poses a serious and truly practical security threat on all currently used implementations of XML Encryption.”
The attack is able to recover 160 bytes of plain-text message in 10 seconds and decrypt larger amounts of data at the same pace, the researchers said.
Although the attack, described in a paper delivered last week at the ACM Conference on Computer and Communications Security in Chicago, was directed against the XML Encryption standard, it exploits weaknesses in the cipher-block chaining (CBC) mode of operation that is commonly used with many cryptographic algorithms. This makes it likely it could be used against non-XML implementations as well.
Team cracks chips used in military, aerospace systems
“I would not be surprised to see variants of this attack applied to other protocols, when CBC mode is used in similar context,” Thomas Roessler of the World Wide Web Consortium, which developed the XML Encryption standard in 2002, wrote in a recent blog posting.
Because there apparently are no effective countermeasures except for avoiding cipher-block chaining, “fixing current implementations or developing secure new implementations without changing the XML Encryption standard seems nontrivial,” the researchers, Tibor Jager and Juraj Somorovsky of Ruhr-University Bochum, wrote.
Such a standard upgrade already is under way. Roessler wrote that the W3C’s XML Security Working Group is considering changing the set of mandatory algorithms used in XML Encryption to include use of only non-CBC modes of operation.
XML, the Extensible Markup Language, is a widely used syntax for structuring data in online transactions. The encryption standard is not specific to any encryption algorithm but can be used with standard block ciphers such as the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES).
The standard specifies processes for encrypting and decrypting XML data and is called by Jager and Somorovsky the de facto standard for encrypting data in complex distributed transactions.
Their attack is based on a broader type of exploit called the “padding oracle attack,” and relies on data returned in error messages by Web services when decrypting invalid ciphertext.
“It exploits a subtle correlation between the block cipher mode of operation, the character encoding of encrypted text, and the response behaviour of a Web Service if an XML message cannot be parsed correctly,” the researchers wrote.
The demonstration attack described in the paper was conducted against a Web service platform using the Apache Axis2 XML framework, a popular real-world framework. It was able to decrypt ciphertext with only 14 requests per plain-text byte recovered, on average, requiring about a second to recover 16 bytes.
Jager and Somorovsky said the attack was revealed in February to the XML Encryption Working Group and to some vendors and implementers, including the Apache Software Foundation, Red Hat Linux, IBM, Microsoft, and a government Computer Emergency Response Team, which notified other CERTs.
“All have acknowledged the validity of our attack,” they wrote.
Avoiding the use of cipher-block chaining is comparatively simple fix for the problem, but because CBC is such as widely used mode of encryption, “this may bring deployment and backwards compatibility issues,” Jager and Somorovsky wrote.
But because the XML Encryption standard is not specific to any algorithm or mode of operation, the change to eliminate CBC use should be simple to make, Roessler said.
“This is a small change, exactly because XML Encryption is designed to work with arbitrary cryptographic algorithms,” he wrote in the blog. “The ability to swap cryptographic algorithms as we learn more about them, without having to change the frameworks that we put around them,” provides much-needed flexibility. “XML Encryption got that right.”