XML Encryption Broken, Need To Fix W3C Standard 80
gzipped_tar writes "Researchers from Ruhr University Bochum demonstrated the insecurity of XML encryption standard at ACM Conference on Computer and Communications Security in Chicago this week. 'Everything is insecure,' is the uncomfortable message from Bochum. As pointed out by the Ars Technica article, XML Encryption is used widely as part of server-to-server Web services connections to transmit secure information mixed with non-sensitive data, based on cipher-block chaining. But it is apparently too weak, as demonstrated by Juraj Somorovsky and Tibor Jager. They were able to decrypt data by sending modified ciphertexts to the server by gathering information from the received error messages. The attack was tested against a popular open source implementation of XML Encryption, and against the implementations of companies that responded to the responsible disclosure — in all cases the result was the same: the attack worked. Fixing the vulnerability will require a revision of the W3C XML encryption standard, Somorovsky said. The researchers informed all possibly affected companies through the mailing list of W3C, following a clear responsible disclosure process."
Why is there such a thing as XML encryption? (Score:5, Insightful)
Use encryption algorithms to encrypt data.
Use document formats to contain data.
But don't go creating specific encryption algorithms for specific document formats. That's just reinventing the wheel.
Re:Never was a good idea (Score:2, Insightful)
XML is like violence: if it doesn't solve the problem, use more!
Is it just me, or did this saying lose its pithiness about 6 months ago?
I'm afraid it's just you. For the rest of us, it lost its pithiness 6 years ago.
More layers required (Score:4, Insightful)
Re:Why is there such a thing as XML encryption? (Score:5, Insightful)
XML is very useful as an unified markup language. I'm fond of its versatility, relative legibility, and yeah, the various applications that are made to apply to itself especially Schema and XSLT. But it's not relevant to everything, and theres a fad to use it even where it's stupid.
Some times ago, in GNU/Linux Magazine France, someone who signed "Jean-Pierre Troll" wrote an article to protest against the tendancy to put XML everywhere. He for example rightfully shot down XML as a programming language, and as a way to carry binary data. Even for the transmission of structured text data, JSON is a better solution in most cases.
Said Jean-Pierre Troll wrote that the best reason to use XML is to be able to transform the data with XSLT. I tend to agree. If this possibility is not to be considered, then XML may not be the best solution.