Researchers Demo XML Encryption Hack

Researchers last week described a cipher-block chaining (CBC) attack via the XML Encryption standard that could compromise secure online transactions.

The attack method "poses a serious and truly practical security threat on all currently used implementations of XML Encryption." It is able to recover 160 bytes of plain-text message in 10 seconds and decrypt larger amounts of data at the same pace, the researchers said.

Although the attack, described in a paper delivered last week at the ACM Conference on Computer and Communications Security in Chicago, was directed against the XML Encryption standard, it exploits weaknesses in the CBC mode of operation that is commonly used with many cryptographic algorithms. This makes it likely it could be used against non-XML implementations as well.

"I would not be surprised to see variants of this attack applied to other protocols, when CBC mode is used in similar context," Thomas Roessler of the World Wide Web Consortium, which developed the XML Encryption standard in 2002, wrote in a recent blog posting.

Because there apparently are no effective countermeasures except for avoiding cipher-block chaining, "fixing current implementations or developing secure new implementations without changing the XML Encryption standard seems nontrivial," the researchers, Tibor Jager and Juraj Somorovsky of Ruhr-University Bochum, wrote.

Such a standard upgrade is already under way. Roessler wrote that the W3C's XML Security Working Group is considering changing the set of mandatory algorithms used in XML Encryption to include only non-CBC modes of operation.

XML, the Extensible Markup Language, is a widely used syntax for structuring data in online transactions. The encryption standard is not specific to any encryption algorithm but can be used with standard block ciphers such as the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES).

The standard specifies processes for encrypting and decrypting XML data and is described by Jager and Somorovsky as the de facto standard for encrypting data in complex distributed transactions.

Their attack is based on a broader type of exploit called the "padding oracle attack," and relies on data returned in error messages by Web services when decrypting invalid ciphertext.

"It exploits a subtle correlation between the block cipher mode of operation, the character encoding of encrypted text, and the response behaviour of a Web Service if an XML message cannot be parsed correctly," the researchers wrote.

The demonstration attack described in the paper was conducted against a Web service platform using the Apache Axis2 XML framework, a popular real-world framework. It was able to decrypt ciphertext with only 14 requests per plain-text byte recovered, on average, requiring about a second to recover 16 bytes.

Jager and Somorovsky said the attack was revealed in February to the XML Encryption Working Group and to some vendors and implementers, including the Apache Software Foundation, Red Hat Linux, IBM, Microsoft, and a government Computer Emergency Response Team, which notified other CERTs.

"All have acknowledged the validity of our attack," they wrote.

Avoiding the use of cipher-block chaining is a comparatively simple fix for the problem, but because CBC is such a widely used mode of encryption, "this may bring deployment and backwards compatibility issues," Jager and Somorovsky wrote.

But because the XML Encryption standard is not specific to any algorithm or mode of operation, the change to eliminate CBC use should be simple to make, Roessler said.
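The two paragraphs above describe, from a defender's side, what made the attack possible (a CBC decryptor whose error responses let a sender tell a padding failure from a character-encoding failure) and what the fix looks like (dropping CBC for an authenticated, non-CBC mode). The following Go program is an added illustration, not code from the paper, the W3C, or Apache Axis2: `DecryptCBCLeaky` shows the weak service behaviour, and `DecryptGCM` shows an AES-GCM decryptor that checks integrity before anything is parsed and reports a single generic error. The key, the sample message, the function names and the error values are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"unicode/utf8"
)

// Caller-visible errors; letting a sender tell the first two apart is the oracle.
var (
	ErrBadPadding  = errors.New("invalid PKCS#7 padding")
	ErrBadEncoding = errors.New("plaintext is not valid UTF-8")
	ErrDecryptFail = errors.New("decryption failed")
)
const bs = aes.BlockSize // 16-byte AES block

// mustBlock builds the AES block cipher; a bad key length is a programming error here.
func mustBlock(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// pkcs7Unpad strips PKCS#7 padding from a non-empty whole number of blocks.
func pkcs7Unpad(data []byte) ([]byte, error) {
	n := int(data[len(data)-1])
	if n == 0 || n > bs || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding
	}
	return data[:len(data)-n], nil
}

// EncryptCBC: AES-CBC, PKCS#7 padding, random IV; output is IV || ciphertext, with no integrity tag.
func EncryptCBC(key, plaintext []byte) []byte {
	n := bs - len(plaintext)%bs
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, bs+len(padded))
	if _, err := rand.Read(out[:bs]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(mustBlock(key), out[:bs]).CryptBlocks(out[bs:], padded)
	return out
}

// DecryptCBCLeaky models the weak service: unauthenticated CBC, and the error says which step failed.
func DecryptCBCLeaky(key, data []byte) ([]byte, error) {
	if len(data) < 2*bs || len(data)%bs != 0 {
		return nil, ErrBadPadding
	}
	pt := make([]byte, len(data)-bs)
	cipher.NewCBCDecrypter(mustBlock(key), data[:bs]).CryptBlocks(pt, data[bs:])
	pt, err := pkcs7Unpad(pt)
	if err != nil {
		return nil, err // leaks: the padding was wrong
	}
	if !utf8.Valid(pt) {
		return nil, ErrBadEncoding // leaks: padding was right, the text was not
	}
	return pt, nil
}

// EncryptGCM: AES-GCM (authenticated, non-CBC), random nonce; output is nonce || ciphertext || tag.
func EncryptGCM(key, plaintext []byte) []byte {
	aead, _ := cipher.NewGCM(mustBlock(key)) // NewGCM cannot fail for AES's 16-byte block
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// DecryptGCM checks the tag before anything is interpreted and maps every failure to one generic error.
func DecryptGCM(key, data []byte) ([]byte, error) {
	aead, _ := cipher.NewGCM(mustBlock(key))
	if len(data) < aead.NonceSize() {
		return nil, ErrDecryptFail
	}
	pt, err := aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
	if err != nil || !utf8.Valid(pt) {
		return nil, ErrDecryptFail
	}
	return pt, nil
}

func main() {
	key, msg := bytes.Repeat([]byte{0x42}, 16), []byte("<Order><Card>4111</Card></Order>") // constructed
	cbc, gcm := EncryptCBC(key, msg), EncryptGCM(key, msg)
	cbc[len(cbc)-1] ^= 1 // corrupt one bit of each ciphertext in transit
	gcm[len(gcm)-1] ^= 1
	_, cbcErr := DecryptCBCLeaky(key, cbc)
	_, gcmErr := DecryptGCM(key, gcm)
	fmt.Println("CBC:", cbcErr, "| GCM:", gcmErr)
}
```

Running it prints a padding or encoding error for the CBC path (which one depends on the random IV) and always the same generic error for the GCM path. The design point is the second half of the article: with an authenticated mode the integrity check runs before padding removal or character decoding, so there is no per-step failure to report, and the uniform error is a consequence of the mode change rather than a detail that every implementation has to get right on its own.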

"This is a small change, exactly because XML Encryption is designed to work with arbitrary cryptographic algorithms," he wrote in the blog. "The ability to swap cryptographic algorithms as we learn more about them, without having to change the frameworks that we put around them," provides much-needed flexibility. "XML Encryption got that right."

About the Author

William Jackson is the senior writer for Government Computer News (
