How to Break XML En­cryp­ti­on - Au­to­ma­ti­cal­ly

Den­nis Kup­ser, Chris­ti­an Main­ka, Jörg Schwenk, Juraj So­mo­rovs­ky

In Pro­cee­dings of the 9th USE­NIX Work­shop on Of­fen­si­ve Tech­no­lo­gies (WOOT), 2015


Ab­stract

In the re­cent years, XML En­cryp­ti­on be­ca­me a tar­get of se­ver­al new at­tacks. These at­tacks be­long to the fa­mi­ly of ad­ap­ti­ve cho­sen-ci­pher­text at­tacks, and allow an ad­versa­ry to de­crypt sym­me­tric and asym­me­tric XML ci­pher­texts, wi­thout knowing the secret keys. In order to pro­tect XML En­cryp­ti­on im­ple­men­ta­ti­ons, the World Wide Web Con­sor­ti­um (W3C) pu­blis­hed an up­dated ver­si­on of the stan­dard.

Un­for­t­u­n­a­te­ly, most of the cur­rent XML En­cryp­ti­on im­ple­men­ta­ti­ons do not sup­port the ne­west XML En­cryp­ti­on spe­ci­fi­ca­ti­on and offer dif­fe­rent XML Se­cu­ri­ty con­fi­gu­ra­ti­ons to pro­tect con­fi­den­tia­li­ty of the ex­chan­ged mes­sa­ges. Re­sul­ting from the at­tack com­ple­xi­ty, eva­lua­ti­on of the se­cu­ri­ty con­fi­gu­ra­ti­on cor­rect­ness be­co­mes te­dious and error prone. Va­li­da­ti­on of the ap­p­lied coun­ter­me­a­su­res can ty­pi­cal­ly be made with nu­me­rous XML mes­sa­ges pro­vo­king in­cor­rect be­ha­vi­or by de­crypt­ing XML con­tent. Up to now, this va­li­da­ti­on was only ma­nual­ly pos­si­ble.

In this paper, we sys­te­ma­ti­cal­ly ana­ly­ze the cho­sen-ci­pher­text at­tacks on XML En­cryp­ti­on and de­sign an al­go­rithm to per­form a vul­nerabi­li­ty scan on ar­bi­tra­ry en­cryp­ted XML mes­sa­ges. The al­go­rithm can au­to­ma­ti­cal­ly de­tect a vul­nerabi­li­ty and ex­ploit it to re­trie­ve the plain­text of a mes­sa­ge pro­tec­ted by XML En­cryp­ti­on. To as­sess prac­tica­bi­li­ty of our ap­proach, we im­ple­men­ted an open sour­ce at­tack plu­gin for Web Ser­vice at­ta­cking tool cal­led WS-At­ta­cker. With the plu­gin, we dis­co­ver­ed new se­cu­ri­ty pro­blems in four out of five ana­ly­zed Web Ser­vice im­ple­men­ta­ti­ons, in­clu­ding IBM Da­ta­power or Apa­che CXF.

The di­stri­bu­ted do­cu­ment has been pro­vi­ded by the cont­ri­bu­ting aut­hors as a means to en­su­re ti­me­ly dis­se­mi­na­ti­on of scho­lar­ly and tech­ni­cal work on a non­com­mer­ci­al basis. Co­py­right and all rights the­r­ein are main­tained by the aut­hors or by other co­py­right hol­ders, not­wi­th­stan­ding that they have of­fe­red their works here elec­tro­ni­cal­ly. It is un­ders­tood that all per­sons co­py­ing this in­for­ma­ti­on will ad­he­re to the terms and cons­traints in­vo­ked by each aut­hor's co­py­right. These works may not be re­pos­ted wi­thout the ex­pli­cit per­mis­si­on of the co­py­right hol­der.

[pdf]

Tags: ad­ap­ti­ve cho­sen-ci­pher­text at­tacks, WS-At­ta­cker, XML En­cryp­ti­on