October 24, 2016

RUB Researchers Break XML Encryption

(LiveHacking.Com) – Researchers from the Ruhr University Bochum (RUB), one of the largest universities in Germany, have exploited a weakness in the Cipher Block Chaining (CBC) mode of the encryption standard used to encode XML. The result is that web services which rely on XML Encryption are now potentially unsafe.

Juraj Somorovsky and Tibor Jager discovered that by sending modified ciphertexts to a server and analyzing the error messages received they were able to decrypt the original XML data. They tested their attack against a popular open source implementation of XML Encryption, and against the implementations of companies that responded to the responsible disclosure. In all cases the attack works and the XML Encryption was broken.

“There is no simple patch for this problem”, states Somorovsky. “We therefore propose to change the standard as soon as possible.”

It is worth noting that the attack only works when AES is used for encryption in the CBC mode. XML encryption also supports Tripled DES.

The researchers informed all possibly affected companies through the mailing list of W3C, following a clear responsible disclosure process. With some companies there were intensive discussions on workarounds.