XML Encryption Cracked, Exposing Real Threat to Online Transactions
Government Computer News (10/24/11) William Jackson
Ruhr-University Bochum researchers have demonstrated a technique for breaking the encryption used to secure data in online transactions, posing a serious threat on all currently used implementations of XML encryption. The attack can recover 160 bytes of a plain-text message in 10 seconds and decrypt larger amounts of data at the same pace, according to the researchers. The attack exploits weaknesses in the cipher-block chaining (CBC) mode of operation that is commonly used with many cryptographic algorithms, making it possible to also use the attack against non-XML implementations. "I would not be surprised to see variants of this attack applied to other protocols, when CBC mode is used in similar context," says the World Wide Web Consortium's (W3C's) Thomas Roessler. The researchers recommend fixing existing CBC implementations or developing secure new implementations without changing the XML Encryption standard. Roessler says such a change should be simple because the XML Encryption standard is not specific to any algorithm or mode of operation. He notes that W3C's XML Security Working Group is developing a set of mandatory algorithms used in XML Encryption to include use of only non-CBC modes of operation.
Government Computer News (10/24/11) William Jackson
Ruhr-University Bochum researchers have demonstrated a technique for breaking the encryption used to secure data in online transactions, posing a serious threat on all currently used implementations of XML encryption. The attack can recover 160 bytes of a plain-text message in 10 seconds and decrypt larger amounts of data at the same pace, according to the researchers. The attack exploits weaknesses in the cipher-block chaining (CBC) mode of operation that is commonly used with many cryptographic algorithms, making it possible to also use the attack against non-XML implementations. "I would not be surprised to see variants of this attack applied to other protocols, when CBC mode is used in similar context," says the World Wide Web Consortium's (W3C's) Thomas Roessler. The researchers recommend fixing existing CBC implementations or developing secure new implementations without changing the XML Encryption standard. Roessler says such a change should be simple because the XML Encryption standard is not specific to any algorithm or mode of operation. He notes that W3C's XML Security Working Group is developing a set of mandatory algorithms used in XML Encryption to include use of only non-CBC modes of operation.
No comments:
Post a Comment