# XML Security Working Group Teleconference

## 08 Nov 2011

[Agenda][3]

See also: [IRC log][4]

## Attendees

Present
Frederick_Hirsch, Gerald_Edgar, Pratik_Datta, Scott_Cantor, Hal_Lockhart, Ed_Simon, Brian_LaMacchia

Regrets

Chair
Frederick_Hirsch

Scribe
fjh

## Contents

* [Topics][5]
  1. [Administrative][6]
  2. [Minutes Approval][7]
  3. [CBC Attack][8]
  4. [XML Encryption 1.1 test cases and interop][9]
  5. [XML Security 2.0][10]
  6. [Action review][11]
  7. [Issues][12]
  8. [Other Business][13]
  9. [Adjourn][14]
* [Summary of Action Items][15]

* * *

Date: 08 November 2011

ISSUE: CBC attack on XML Encryption, [http://www.nds.rub.de/research/publications/breaking-xml-encryption/][16]

Created ISSUE-230 - CBC attack on XML Encryption, [http://www.nds.rub.de/research/publications/breaking-xml-encryption/][16]; please complete additional details at [http://www.w3.org/2008/xmlsec/track/issues/230/edit][17].

ScribeNick: fjh

### Administrative

added the 1.1 and 2.0 test case editors drafts to the XML Security WG publications wiki, see [http://www.w3.org/2008/xmlsec/wiki/PublicationStatus#Publications][18]

No call 22 November.

proposed RESOLUTION: Cancel teleconference on 15 November 2011.

**RESOLUTION: Cancel teleconference on 15 November 2011**

next call will be 29 November

### Minutes Approval

Approve minutes, 18 October 2011 [http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/att-0002/minutes-2011-10-18.html][19]

**RESOLUTION: Minutes from 18 October 2011 are approved.**

### CBC Attack

paper describing the CBC attack on XML Encryption is available at [http://www.nds.rub.de/research/publications/breaking-xml-encryption/][16]

blog post, [http://www.w3.org/QA/2011/10/some_notes_on_the_recent_xml_e.html][20]

Potential means to mitigate attack, [http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0000.html][21]

Make GCM mandatory in 1.1? proposal: [http://lists.w3.org/Archives/Member/member-xmlsec/2011Oct/0000.html][22]

ACTION-850?
ACTION-850 -- Hal Lockhart to review XML Encryption 1.1 security considerations and propose changes in light of today's discussion -- due 2011-10-25 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/850][23]

fjh: any reason not to make GCM mandatory?

hal: lack of implementation

brich: open source bouncy castle might include it
... got feedback that it would be improper to use in streaming mode, need to verify tag before returning any cleartext data
... could impact large xml document - need to buffer clear text until end

hal: what if you only want encryption property
... what is the actual security use case

scantor: difference between returning data while computing integrity versus waiting to return it until end

hal: dangerous if application starts using data before integrity is clear
... if we make GCM mandatory also need something else to allow streaming

bal: gcm for all plaintext not sections
... can expect gcm first, then streaming will be an issue

fjh: so we can use gcm for small items, then have issue for streaming of large message
... need to make AES-GCM mandatory then have another alg for streaming

scantor: AES-GCM is not in the mainline openssl now, might be in future release
... might need to discuss with vendors adding AES-GCM reports to existing implementations before making mandatory

**ACTION:** fjh to talk with thomas about encouraging implementation support for AES-GCM in existing algorithms [recorded in [http://www.w3.org/2011/11/08-xmlsec-minutes.html#action01][24]]

Created ACTION-854 - Talk with thomas about encouraging implementation support for AES-GCM in existing algorithms [on Frederick Hirsch - due 2011-11-15].

+1 for GCM as MTI in Enc1.1

fjh: what should we do here with regard to making GCM mandatory
... what is situation for WS*

bal: spoke at conference when presentation of attack was made, giving update on WG effort, and noting changes
... could have made GCM mandatory months ago

fjh: we decided not to do so due to implementation concerns

scantor: not all implementations are worried about compliance
... have other mitigations in mind, not critical issue for SAML

fjh: is there any objection to making AES-GCM mandatory in 1.1

bal: not an interop problem; if CBC no longer mandatory that would be an issue

fjh: need warning about CBC in spec, even if mandatory

scantor: bigger concern is streaming, especially for 2.0

+1 for GCM MTI

**RESOLUTION: change XML Encryption 1.1 to make AES-GCM mandatory to implement, add note regarding risk with CBC**

bal also +1 GCM MTI

**ACTION:** fjh to update XML Encryption 1.1 draft for AES-GCM mandatory to implement [recorded in [http://www.w3.org/2011/11/08-xmlsec-minutes.html#action02][25]]

Created ACTION-855 - Update XML Encryption 1.1 draft for AES-GCM mandatory to implement [on Frederick Hirsch - due 2011-11-15].

fjh: need to be considering algorithm agility going forward

hal: e.g. we might find another channel besides errors and timing

fjh: hal, you can incorporate material from pdatta message on countermeasures as well
... can anyone help with streaming encryption algorithm?

preventing reuse of content encryption key

* Ed_Simon: signing off

many stds use per-message keys, and already include the need for replay/nonce checks, so enforcing that per-key is a small addition

hal: when streaming something like a movie, don't care about integrity, more about encryption, so this seems to be a new requirement

brich: sign then encrypt
... cbc attack still works here

**ACTION:** bal to discuss with magnus possible encryption algorithms suitable for streaming [recorded in [http://www.w3.org/2011/11/08-xmlsec-minutes.html#action03][26]]

Created ACTION-856 - Discuss with magnus possible encryption algorithms suitable for streaming [on Brian LaMacchia - due 2011-11-15].
pdatta: implementation needs to know it is streaming, could use GCM but choose to process without waiting until end

[http://en.wikipedia.org/wiki/Galois/Counter_Mode][27]

**ACTION:** pdatta to ask regarding risk of use of GCM without checking tag during processing [recorded in [http://www.w3.org/2011/11/08-xmlsec-minutes.html#action04][28]]

Created ACTION-857 - Ask regarding risk of use of GCM without checking tag during processing [on Pratik Datta - due 2011-11-15].

### XML Encryption 1.1 test cases and interop

[http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0018.html][29]

Please review and provide feedback on these test cases

would like other vendors to actually run their implementations on these test cases

### XML Security 2.0

fjh: question about moving algorithms out of 2.0 for agility purposes, but might make it more confusing

pdatta: but this is signature not encryption

hal: typically don't add mandatory algorithm, but change algorithm in spec from optional to mandatory

fjh: so don't think we need to pull document apart for this, could be more work and more confusing than needed

pdatta: 2.0 is waiting for implementations

### Action review

ACTION-238?

ACTION-238 -- Thomas Roessler to update the proposal associated with ACTION-222 and send to list. -- due 2011-09-30 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/238][30]

ACTION-717?

ACTION-717 -- Pratik Datta to document the Performance improvements with 2.0 -- due 2010-11-09 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/717][31]

ACTION-840?
ACTION-840 -- Pratik Datta to update XML Signature 1.1 and 2.0 with change in [http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0006.html][32] -- due 2011-10-11 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/840][33]

ACTION-840: done

ACTION-840 Update XML Signature 1.1 and 2.0 with change in [http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0006.html][32] notes added

close ACTION-840

ACTION-840 Update XML Signature 1.1 and 2.0 with change in [http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0006.html][32] closed

ACTION-841?

ACTION-841 -- Pratik Datta to add link to canonical XML 2.0 samples into the spec -- due 2011-10-11 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/841][34]

ACTION-847?

ACTION-847 -- Pratik Datta to propose update to 2.0 algorithm requirements to encourage authenticating mode -- due 2011-10-18 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/847][35]

ACTION-848?

ACTION-848 -- Bruce Rich to contact OASIS ebXML community regarding large data issue and GCM -- due 2011-10-25 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/848][36]

ACTION-850?

ACTION-850 -- Hal Lockhart to review XML Encryption 1.1 security considerations and propose changes in light of today's discussion -- due 2011-10-25 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/850][23]

ACTION-851?

ACTION-851 -- Pratik Datta to propose text regarding KeyLength and PBKDF2, assuming we do not change the schema -- due 2011-10-25 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/851][37]

ACTION-853?

ACTION-853 -- Frederick Hirsch to add new security issue later this week -- due 2011-10-25 -- OPEN [http://www.w3.org/2008/xmlsec/track/actions/853][38]

close ACTION-853

ACTION-853 Add new security issue later this week closed

ISSUE-230?

ISSUE-230 -- CBC attack on XML Encryption, [http://www.nds.rub.de/research/publications/breaking-xml-encryption/][16] -- open [http://www.w3.org/2008/xmlsec/track/issues/230][39]

### Issues

ISSUE-229?
ISSUE-229 -- Mask generation function for RSA-OAEP as defined in 5.5.2 of XML Encryption 1.1 appears to be limited to MGF1 with SHA1 -- open [http://www.w3.org/2008/xmlsec/track/issues/229][40]

fjh: believe we have dealt with this one, will double check other issues remain relevant

### Other Business

none

### Adjourn

## Summary of Action Items

**[NEW]** **ACTION:** bal to discuss with magnus possible encryption algorithms suitable for streaming [recorded in [http://www.w3.org/2011/11/08-xmlsec-minutes.html#action03][26]]

**[NEW]** **ACTION:** fjh to talk with thomas about encouraging implementation support for AES-GCM in existing algorithms [recorded in [http://www.w3.org/2011/11/08-xmlsec-minutes.html#action01][24]]

**[NEW]** **ACTION:** fjh to update XML Encryption 1.1 draft for AES-GCM mandatory to implement [recorded in [http://www.w3.org/2011/11/08-xmlsec-minutes.html#action02][25]]

**[NEW]** **ACTION:** pdatta to ask regarding risk of use of GCM without checking tag during processing [recorded in [http://www.w3.org/2011/11/08-xmlsec-minutes.html#action04][28]]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][41] version 1.135 ([CVS log][42])
$Date: 2009-03-02 03:52:20 $

[1]: http://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0003.html
[4]: http://www.w3.org/2011/11/08-xmlsec-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #ActionSummary
[16]: http://www.nds.rub.de/research/publications/breaking-xml-encryption/
[17]: http://www.w3.org/2008/xmlsec/track/issues/230/edit
[18]: http://www.w3.org/2008/xmlsec/wiki/PublicationStatus#Publications
[19]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/att-0002/minutes-2011-10-18.html
[20]: http://www.w3.org/QA/2011/10/some_notes_on_the_recent_xml_e.html
[21]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Nov/0000.html
[22]: http://lists.w3.org/Archives/Member/member-xmlsec/2011Oct/0000.html
[23]: http://www.w3.org/2008/xmlsec/track/actions/850
[24]: http://www.w3.org/2011/11/08-xmlsec-minutes.html#action01
[25]: http://www.w3.org/2011/11/08-xmlsec-minutes.html#action02
[26]: http://www.w3.org/2011/11/08-xmlsec-minutes.html#action03
[27]: http://en.wikipedia.org/wiki/Galois/Counter_Mode
[28]: http://www.w3.org/2011/11/08-xmlsec-minutes.html#action04
[29]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0018.html
[30]: http://www.w3.org/2008/xmlsec/track/actions/238
[31]: http://www.w3.org/2008/xmlsec/track/actions/717
[32]: http://lists.w3.org/Archives/Public/public-xmlsec/2011Oct/0006.html
[33]: http://www.w3.org/2008/xmlsec/track/actions/840
[34]: http://www.w3.org/2008/xmlsec/track/actions/841
[35]: http://www.w3.org/2008/xmlsec/track/actions/847
[36]: http://www.w3.org/2008/xmlsec/track/actions/848
[37]: http://www.w3.org/2008/xmlsec/track/actions/851
[38]: http://www.w3.org/2008/xmlsec/track/actions/853
[39]: http://www.w3.org/2008/xmlsec/track/issues/230
[40]: http://www.w3.org/2008/xmlsec/track/issues/229
[41]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[42]: http://dev.w3.org/cvsweb/2002/scribe/