Researchers Demo XML Encryption Hack

Researchers last week described an attack on the cipher-block chaining (CBC) mode of operation as used by the XML Encryption standard that could compromise secure online transactions.

The attack "poses a serious and truly practical security threat on all currently used implementations of XML Encryption," the researchers said. It is able to recover 160 bytes of plaintext in 10 seconds and decrypts larger amounts of data at the same rate.

Although the attack, described in a paper delivered last week at the ACM Conference on Computer and Communications Security in Chicago, was directed against the XML Encryption standard, it exploits weaknesses in the CBC mode of operation that is commonly used with many block ciphers. This makes it likely that variants could be used against non-XML implementations as well.

"I would not be surprised to see variants of this attack applied to other protocols, when CBC mode is used in similar context," Thomas Roessler of the World Wide Web Consortium, which developed the XML Encryption standard in 2002, wrote in a recent blog posting.

Because there apparently are no effective countermeasures except for avoiding cipher-block chaining, "fixing current implementations or developing secure new implementations without changing the XML Encryption standard seems nontrivial," the researchers, Tibor Jager and Juraj Somorovsky of Ruhr-University Bochum, wrote.

Such a standard upgrade already is under way. Roessler wrote that the W3C's XML Security Working Group is considering changing the set of mandatory algorithms in XML Encryption so that only non-CBC modes of operation are required.

XML, the Extensible Markup Language, is a widely used syntax for structuring data in online transactions. The encryption standard is not specific to any encryption algorithm but can be used with standard block ciphers such as the Advanced Encryption Standard (AES) and Triple DES (3DES).

The standard specifies processes for encrypting and decrypting XML data, and Jager and Somorovsky call it the de facto standard for encrypting data in complex distributed transactions.

Their attack belongs to a broader class of exploit known as the "padding oracle attack," and relies on the different responses a Web service returns when it fails to decrypt or parse a tampered ciphertext.

"It exploits a subtle correlation between the block cipher mode of operation, the character encoding of encrypted text, and the response behaviour of a Web Service if an XML message cannot be parsed correctly," the researchers wrote.
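The mechanism behind that sentence is CBC malleability: each plaintext block is the block decryption of its ciphertext block XORed with the previous ciphertext block (or the IV), so an attacker who can rewrite the previous block controls the decrypted bytes bit for bit, and any yes/no signal from the server about whether the result "looks right" becomes a decryption oracle. The following is an added example, not code from the paper or from this article, showing the classic padding-oracle form of the attack that the article names as the broader class. It uses a hypothetical toy Feistel block cipher built on SHA-256 (so it runs with no third-party library), PKCS#7 padding, and a stand-in `LeakyService` whose accept/reject answer plays the role of the Web service's error response; the key, IV and XML message are constructed for the demo. The paper's own oracle is the parse failure on the decrypted XML rather than a padding check, but the block-by-block recovery loop is the same shape.

```python
"""Constructed CBC padding-oracle demonstration (added example, not the paper's code)."""
import hashlib

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of a toy Feistel cipher (hypothetical; only CBC's structure matters).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # this distinguishable failure is the leak
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    return pkcs7_unpad(out)


class LeakyService:
    """Stand-in for a Web service that answers differently when decryption fails."""

    def __init__(self, key: bytes):
        self._key = key
        self.queries = 0

    def accepts(self, iv: bytes, ciphertext: bytes) -> bool:
        self.queries += 1
        try:
            cbc_decrypt(self._key, iv, ciphertext)
            return True
        except ValueError:
            return False


def padding_oracle_decrypt(service: LeakyService, iv: bytes, ciphertext: bytes) -> bytes:
    """Recover the plaintext using only the service's accept/reject answers."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, target), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)  # attacker-controlled "previous block"
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ pad  # already-known bytes decrypt to `pad`
            for guess in range(256):
                forged[pos] = guess
                if not service.accepts(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:
                    # Edge case: a hit on the last byte may come from a longer valid
                    # padding (e.g. ...02 02). Flipping the byte before it must not
                    # change the verdict if the padding really was a single 0x01.
                    forged[pos - 1] ^= 0xFF
                    still_ok = service.accepts(bytes(forged), target)
                    forged[pos - 1] ^= 0xFF
                    if not still_ok:
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("oracle gave no answer for byte %d" % pos)
        recovered += _xor(bytes(inter), prev)
    return pkcs7_unpad(recovered)


# Constructed demo inputs (not real keys or data).
KEY = b"constructed-demo-key"
IV = b"constructed-iv!!"
MESSAGE = b"<Payment><Account>DE12 3456 7890</Account><Amount>250.00</Amount></Payment>"


def demo():
    ciphertext = cbc_encrypt(KEY, IV, MESSAGE)
    service = LeakyService(KEY)  # the attacker never sees KEY, only accept/reject
    plaintext = padding_oracle_decrypt(service, IV, ciphertext)
    return plaintext, service.queries


if __name__ == "__main__":
    recovered, queries = demo()
    print(recovered.decode(), "recovered with", queries, "oracle queries")
```

The attacker code never touches `KEY`; it learns every byte from the boolean returned by `accepts`. The practical lesson, matching the paper's conclusion, is that no amount of hardening the error message fixes this while the server still behaves observably differently on malformed decryptions; the reliable fix is an authenticated mode (or a MAC checked before decryption) so tampered ciphertext is rejected before any padding or parsing happens.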

The demonstration attack described in the paper was conducted against a Web service running on Apache Axis2, a popular real-world XML framework. It decrypted ciphertext with only 14 requests per plaintext byte recovered, on average, taking about a second to recover 16 bytes.

Jager and Somorovsky said the attack was disclosed in February to the XML Encryption Working Group and to some vendors and implementers, including the Apache Software Foundation, Red Hat Linux, IBM, Microsoft, and a government Computer Emergency Response Team, which notified other CERTs.

"All have acknowledged the validity of our attack," they wrote.

Avoiding the use of cipher-block chaining is a comparatively simple fix for the problem, but because CBC is such a widely used mode of encryption, "this may bring deployment and backwards compatibility issues," Jager and Somorovsky wrote.

But because the XML Encryption standard is not specific to any algorithm or mode of operation, the change to eliminate CBC use should be simple to make, Roessler said.

"This is a small change, exactly because XML Encryption is designed to work with arbitrary cryptographic algorithms," he wrote in the blog. "The ability to swap cryptographic algorithms as we learn more about them, without having to change the frameworks that we put around them," provides much-needed flexibility. "XML Encryption got that right."

About the Author

William Jackson is the senior writer for Government Computer News (
