
Security issue in XML Encryption 1.1, Bleichenbacher revisited.

From: <Frederick.Hirsch@nokia.com>
Date: Mon, 23 Jul 2012 21:10:30 +0000
To: <public-xmlsec@w3.org>
CC: <Frederick.Hirsch@nokia.com>
Message-ID: <968F3425-694A-45C6-85A6-3E865ABF4F1E@nokia.com>
From the recently published paper, "Bleichenbacher's Attack Strikes Again: Breaking PKCS#1 v1.5 in XML Encryption":


Recently the XML Encryption standard was updated, in response to an attack presented at CCS 2011. The attacks described in this paper work even against the updated version of XML Encryption. Our work shows once more that legacy cryptosystems have to be used with extreme care, and should be avoided wherever possible, since they may lead to practical attacks.


XML Encryption allows the usage of block ciphers in the cipher-block chaining (CBC) mode-of-operation. CBC exhibits a weakness [29] that allows an adversary to make modifications to the encrypted plaintext, by XORing arbitrary bit strings to the plaintext. We show that it is possible to use this weakness as an alternative way to determine whether a PKCS#1 v1.5 ciphertext is “valid” or not.

Besides CBC mode, the updated version of the XML Encryption specification allows the use of the GCM mode of operation. This mode was introduced to prevent the attacks from [10]. Interestingly, the CBC attack we describe in this paper allows decrypting GCM ciphertexts, too — if the receiving Web Service is able to decrypt CBC ciphertexts, which is mandatory for any standard-compliant implementation. This is due to the fact that we use the PKCS#1 v1.5 weakness in combination with the CBC weakness only to decrypt the session key. After we have obtained this session key, we can decrypt an arbitrary ciphertext, regardless of whether it is encrypted using CBC, GCM, or any other mode-of-operation.


The W3C XML Encryption working group added a remark to the updated standard [5, Section 6.1.2] which addresses our attack and recommends using PKCS#1 v2.1 (a.k.a. RSA-OAEP) instead. However, PKCS#1 v1.5 is still contained in the standard, and mandatory for any standard-compliant implementation.


What would be the implication of disallowing RSA-1.5 for key transport in XML Encryption 1.1, thus encouraging a shift to RSA-OAEP?

Couldn't legacy implementations continue to be compliant with XML Encryption 1.0 with this update to XML Encryption 1.1?

regards, Frederick

Frederick Hirsch, Nokia
Chair XML Security WG
Received on Monday, 23 July 2012 21:11:01 UTC
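As an added example (not part of this message, the paper, or any W3C code), a small policy check that walks an XML Encryption document and flags the two things the quoted passages warn about: RSA PKCS#1 v1.5 key transport in EncryptedKey and CBC data encryption in EncryptedData. The algorithm URIs are the ones defined by XML Encryption 1.0 and 1.1; the sample documents are constructed.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"

RSA_15 = XENC + "rsa-1_5"                         # PKCS#1 v1.5 key transport
RSA_OAEP = {XENC + "rsa-oaep-mgf1p", XENC11 + "rsa-oaep"}
CBC_MODES = {XENC + "tripledes-cbc", XENC + "aes128-cbc",
             XENC + "aes192-cbc", XENC + "aes256-cbc"}


def _algorithm(elem):
    # EncryptionMethod is a direct child of both EncryptedKey and EncryptedData,
    # so find() (direct children only) never picks up a nested element's method.
    em = elem.find("{%s}EncryptionMethod" % XENC)
    return em.get("Algorithm") if em is not None else None


def audit(xml_text):
    """Return (element, algorithm, finding) tuples for risky algorithm choices."""
    root = ET.fromstring(xml_text)
    findings = []
    for ek in root.iter("{%s}EncryptedKey" % XENC):
        alg = _algorithm(ek)
        if alg == RSA_15:
            findings.append(("EncryptedKey", alg, "reject: PKCS#1 v1.5 key transport"))
        elif alg not in RSA_OAEP:
            findings.append(("EncryptedKey", alg, "warn: unrecognised key transport"))
    for ed in root.iter("{%s}EncryptedData" % XENC):
        alg = _algorithm(ed)
        if alg in CBC_MODES:
            findings.append(("EncryptedData", alg, "warn: CBC mode, no integrity protection"))
    return findings


# Constructed sample: AES-CBC payload whose session key is wrapped with RSA-1.5.
SAMPLE_LEGACY = """<xenc:EncryptedData xmlns:xenc="%s" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptionMethod Algorithm="%saes128-cbc"/>
  <ds:KeyInfo><xenc:EncryptedKey>
    <xenc:EncryptionMethod Algorithm="%srsa-1_5"/>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedKey></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>""" % (XENC, XENC, XENC)

# Constructed sample: the recommended combination, RSA-OAEP key transport with AES-GCM.
SAMPLE_MODERN = SAMPLE_LEGACY.replace("rsa-1_5", "rsa-oaep-mgf1p").replace(
    XENC + "aes128-cbc", XENC11 + "aes128-gcm")

if __name__ == "__main__":
    for line in audit(SAMPLE_LEGACY):
        print(*line)
```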
