
How to break XML encryption

Published: 17 October 2011

Abstract

XML Encryption was standardized by the W3C in 2002 and is implemented in the XML frameworks of major commercial and open-source organizations such as Apache, Red Hat, IBM, and Microsoft. It is employed in a large number of major web-based applications, ranging from business communications, e-commerce, and financial services through healthcare applications to governmental and military infrastructures. In this work we describe a practical attack on XML Encryption that allows an adversary to decrypt a ciphertext by sending related ciphertexts to a Web Service and evaluating the server's responses. We show that an adversary can decrypt a ciphertext by performing only 14 requests per plaintext byte on average. This poses a serious and truly practical security threat to all currently used implementations of XML Encryption.
In a sense, the attack can be seen as a generalization of padding oracle attacks (Vaudenay, Eurocrypt 2002). It exploits a subtle correlation between the block cipher mode of operation, the character encoding of the encrypted text, and the response behaviour of a Web Service when an XML message cannot be parsed correctly.
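The correlation the abstract describes can be seen in a small Go model, added here as an illustration and not code from the paper or any of the frameworks it names: a consumer that CBC-decrypts and then tells the caller whether the padding, the UTF-8 decoding or the XML parse failed is distinguishable on tampered ciphertexts, whereas a consumer using AES-GCM with a single failure response is not. The key, IV, nonce and XML fragment are constructed for the demo, and the padding rule (only the last byte carries the padding length) follows XML Encryption.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/xml"
	"errors"
	"unicode/utf8"
)
// The naive consumer reports these distinct failures; the hardened one only ErrDecrypt.
var (
	key         = []byte("0123456789abcdef") // constructed demo key, not from the paper
	ErrPadding  = errors.New("invalid padding")
	ErrEncoding = errors.New("invalid character encoding")
	ErrParse    = errors.New("XML parse error")
	ErrDecrypt  = errors.New("decryption failed")
)
func block() cipher.Block { b, _ := aes.NewCipher(key); return b }
func gcm() cipher.AEAD    { g, _ := cipher.NewGCM(block()); return g }
// cbcEncrypt pads as XML Encryption does (last byte = padding length); returns iv||ct.
func cbcEncrypt(iv, pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append(append([]byte{}, pt...), bytes.Repeat([]byte{0}, n-1)...), byte(n))
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block(), iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...)
}
// vulnerableService reports which step failed. A flipped ciphertext byte flips the same byte
// of the next plaintext block (CBC), so the error returned depends on, and leaks, that byte.
func vulnerableService(msg []byte) error {
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(block(), msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:])
	if n := int(pt[len(pt)-1]); n == 0 || n > aes.BlockSize {
		return ErrPadding
	} else if pt = pt[:len(pt)-n]; !utf8.Valid(pt) {
		return ErrEncoding
	} else if xml.Unmarshal(pt, &struct{}{}) != nil {
		return ErrParse
	}
	return nil
}
// hardenedService (msg = 12-byte nonce || AES-GCM ciphertext+tag) authenticates before it
// decodes or parses anything and maps every failure to one response, so there is no oracle.
func hardenedService(msg []byte) error {
	pt, err := gcm().Open(nil, msg[:12], msg[12:], nil)
	if err != nil || !utf8.Valid(pt) || xml.Unmarshal(pt, &struct{}{}) != nil {
		return ErrDecrypt
	}
	return nil
}
```

Flipping the first IV byte of a CBC message changes the leading '<' of the plaintext, and the naive consumer answers with a different error depending on which value results; the GCM consumer answers ErrDecrypt for every modification, which is what a defender should verify about a real endpoint.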

References

[1] Black, J., and Urtubia, H. Side-channel attacks on symmetric encryption schemes: The case for authenticated encryption. In USENIX Security Symposium (2002), D. Boneh, Ed., USENIX, pp. 327--338.
[2] Bray, T., Paoli, J., Sperberg-McQueen, C. M., Maler, E., and Yergeau, F. Extensible Markup Language (XML) 1.0 (Fifth Edition). W3C Recommendation (2008).
[3] Degabriele, J. P., and Paterson, K. G. Attacking the IPsec standards in encryption-only configurations. In IEEE Symposium on Security and Privacy (2007), IEEE Computer Society, pp. 335--349.
[4] Degabriele, J. P., and Paterson, K. G. On the (in)security of IPsec in MAC-then-encrypt configurations. In ACM Conference on Computer and Communications Security (2010), E. Al-Shaer, A. D. Keromytis, and V. Shmatikov, Eds., ACM, pp. 493--504.
[5] Duong, T., and Rizzo, J. Cryptography in the web: The case of cryptographic design flaws in ASP.NET. In IEEE Symposium on Security and Privacy (2011).
[6] Eastlake, D., Reagle, J., Imamura, T., Dillaway, B., and Simon, E. XML Encryption Syntax and Processing. W3C Recommendation (2002).
[7] Eastlake, D., Reagle, J., Solo, D., Hirsch, F., and Roessler, T. XML Signature Syntax and Processing (Second Edition). W3C Recommendation (2008).
[8] Gudgin, M., Hadley, M., Mendelsohn, N., Moreau, J.-J., and Nielsen, H. F. SOAP Version 1.2 Part 1: Messaging Framework. W3C Recommendation (2003).
[9] JBoss Community. JBoss WS (Web Services Framework for JBoss AS).
[10] McIntosh, M., and Austel, P. XML signature element wrapping attacks and countermeasures. In SWS '05: Proceedings of the 2005 Workshop on Secure Web Services (New York, NY, USA, 2005), ACM Press, pp. 20--27.
[11] Mitchell, C. J. Error oracle attacks on CBC mode: Is there a future for CBC mode encryption? In ISC (2005), pp. 244--258.
[12] Nadalin, A., Kaler, C., Monzillo, R., and Hallam-Baker, P. Web Services Security: SOAP Message Security 1.1 (WS-Security 2004). OASIS Standard (2006).
[13] Paterson, K. G., and Watson, G. J. Immunising CBC mode against padding oracle attacks: A formal security treatment. In SCN (2008), R. Ostrovsky, R. D. Prisco, and I. Visconti, Eds., vol. 5229 of Lecture Notes in Computer Science, Springer, pp. 340--357.
[14] Paterson, K. G., and Yau, A. Padding oracle attacks on the ISO CBC mode encryption standard. In Topics in Cryptology -- CT-RSA 2004 (Feb. 2004), T. Okamoto, Ed., vol. 2964 of Lecture Notes in Computer Science, Springer, pp. 305--323.
[15] Rizzo, J., and Duong, T. Practical padding oracle attacks. In Proceedings of the 4th USENIX Conference on Offensive Technologies (Berkeley, CA, USA, 2010), WOOT'10, USENIX Association, pp. 1--8.
[16] van Engelen, R. A. The gSOAP Toolkit for SOAP Web Services and XML-Based Applications.
[17] Thai, T., and Lam, H. .NET Framework Essentials. 2001.
[18] The Apache Software Foundation. Apache Axis2.
[19] Vaudenay, S. Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS ... In Advances in Cryptology -- EUROCRYPT 2002 (Apr. / May 2002), L. R. Knudsen, Ed., vol. 2332 of Lecture Notes in Computer Science, Springer, pp. 534--546.
[20] Yau, A. K. L., Paterson, K. G., and Mitchell, C. J. Padding oracle attacks on CBC-mode encryption with secret and random IVs. In Fast Software Encryption -- FSE 2005 (Feb. 2005), H. Gilbert and H. Handschuh, Eds., vol. 3557 of Lecture Notes in Computer Science, Springer, pp. 299--319.

Published In

CCS '11: Proceedings of the 18th ACM conference on Computer and communications security
October 2011, 742 pages
ISBN: 9781450309486
DOI: 10.1145/2046707
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. XML encryption
  2. padding oracle attacks
  3. web service security

Qualifiers

  • Research-article

Conference

CCS'11

Acceptance Rates

CCS '11 Paper Acceptance Rate 60 of 429 submissions, 14%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
