Security Bug Encryption IT

XML Encryption Broken, Need To Fix W3C Standard

gzipped_tar writes "Researchers from Ruhr University Bochum demonstrated the insecurity of the XML Encryption standard at the ACM Conference on Computer and Communications Security in Chicago this week. 'Everything is insecure' is the uncomfortable message from Bochum. As pointed out by the Ars Technica article, XML Encryption is widely used as part of server-to-server Web services connections to transmit secure information mixed with non-sensitive data, based on cipher-block chaining. But it is apparently too weak, as demonstrated by Juraj Somorovsky and Tibor Jager. They were able to decrypt data by sending modified ciphertexts to the server and gathering information from the error messages it returned. The attack was tested against a popular open source implementation of XML Encryption, and against the implementations of companies that responded to the responsible disclosure; in all cases the result was the same: the attack worked. Fixing the vulnerability will require a revision of the W3C XML Encryption standard, Somorovsky said. The researchers informed all possibly affected companies through the W3C mailing list, following a clear responsible disclosure process."
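The summary's one-line description of the attack (modify CBC ciphertexts, watch the server's error messages, recover plaintext) is the same ingredient behind every CBC decryption oracle. The script below is an added illustration, not code from the story, Ars Technica or the Bochum researchers: it uses the classic PKCS#7 padding oracle as the server's accept/reject signal, because the page does not describe the specific check the XML Encryption attack exploits. The block cipher is a constructed toy Feistel permutation (so the file runs with the Python standard library alone), the key, IV and message are constructed for the demo, and `server_accepts` stands in for "the server answered with an error or not". The attacker side never calls the cipher; it only flips bytes of the preceding block and asks the oracle.

```python
"""Added illustration of a CBC decryption oracle. Not the Bochum attack itself:
the oracle here is a PKCS#7 padding check rather than whatever the XML
Encryption server reports, and the cipher is a toy Feistel permutation."""
import hashlib
import hmac

BLOCK = 16
KEY = b"constructed-demo-key"  # constructed for the example, not a real key


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed HMAC-SHA256 truncated to the half-block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 16-byte block cipher: 4-round balanced Feistel network. It stands in
    for AES; the attack below never needs to know which cipher is used."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r


def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, i, l))), l
    return l + r


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = encrypt_block(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(decrypt_block(key, blk), prev))
        prev = blk
    return out


def server_accepts(iv: bytes, ct: bytes) -> bool:
    """The side channel: the server decrypts and its error message reveals
    whether the result passed a check (here: valid padding). Nothing else leaks."""
    try:
        unpad(cbc_decrypt(KEY, iv, ct))
        return True
    except ValueError:
        return False


def recover_intermediate(target: bytes) -> bytes:
    """Learn decrypt_block(KEY, target) one byte at a time by sending the block
    behind a forged IV. The attacker has no key and never calls the cipher."""
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos                      # padding value we aim to produce
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):         # already-known bytes -> padv
            forged[j] = inter[j] ^ padv
        for g in range(256):
            forged[pos] = g
            if not server_accepts(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # Edge case: a hit may be a coincidental 0x02 0x02 pad. Perturb
                # the byte before it; a real 0x01 pad still validates.
                forged[pos - 1] ^= 0xFF
                still_ok = server_accepts(bytes(forged), target)
                forged[pos - 1] ^= 0xFF
                if not still_ok:
                    continue
            inter[pos] = g ^ padv
            break
        else:
            raise RuntimeError("oracle never accepted; not a padding oracle")
    return bytes(inter)


def padding_oracle_attack(iv: bytes, ct: bytes) -> bytes:
    """Decrypt a whole CBC message with oracle queries only."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b""
    for prev, cur in zip(blocks, blocks[1:]):
        plain += bytes(a ^ b for a, b in zip(recover_intermediate(cur), prev))
    return unpad(plain)


def demo(message: bytes = b"<Amount>4200</Amount>") -> bytes:
    iv = bytes(range(BLOCK))                    # fixed IV, constructed for repeatability
    ct = cbc_encrypt(KEY, iv, pad(message))     # what the legitimate sender transmits
    return padding_oracle_attack(iv, ct)        # what the attacker recovers from errors alone
```

The point for anyone running a service that decrypts CBC data: the cipher is never attacked, only the server's willingness to say "that ciphertext was malformed" versus "that one was fine". Any distinguishable response (a different error string, status code, or even timing) turns into the oracle; authenticating the ciphertext before decrypting it, or using an AEAD mode, removes the signal rather than just hiding it.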


  • by SpazmodeusG ( 1334705 ) on Saturday October 22, 2011 @03:17AM (#37802282)

    Use encryption algorithms to encrypt data.

    Use document formats to contain data.

    But don't go creating specific encryption algorithms for specific document formats. That's just reinventing the wheel.

  • by Anonymous Coward on Saturday October 22, 2011 @03:31AM (#37802320)

    XML is like violence: if it doesn't solve the problem, use more!

    Is it just me, or did this saying lose its pithiness about 6 months ago?

    I'm afraid it's just you. For the rest of us, it lost its pithiness 6 years ago.

  • by dutchwhizzman ( 817898 ) on Saturday October 22, 2011 @03:47AM (#37802364)
    Depending on only encryption in this case proves to be weak. Using more layers, like IP firewalls and authorization will help mitigate this. The attacker needs to inject XML into the server to get error responses. If that's not possible due to a firewall, or replies will not be generated due to lack of authorization, it will be a lot harder to get data required to crack the encryption.
  • by Schmorgluck ( 1293264 ) on Saturday October 22, 2011 @07:31AM (#37802990)

    XML is very useful as a unified markup language. I'm fond of its versatility, relative legibility, and yeah, the various applications that are made to apply to itself, especially Schema and XSLT. But it's not relevant to everything, and there's a fad to use it even where it's stupid.

    Some time ago, in GNU/Linux Magazine France, someone who signed "Jean-Pierre Troll" wrote an article to protest against the tendency to put XML everywhere. He, for example, rightfully shot down XML as a programming language, and as a way to carry binary data. Even for the transmission of structured text data, JSON is a better solution in most cases.

    Said Jean-Pierre Troll wrote that the best reason to use XML is to be able to transform the data with XSLT. I tend to agree. If this possibility is not to be considered, then XML may not be the best solution.
