- From: Magnus Nystrom <mnystrom@microsoft.com>
- Date: Tue, 24 Jul 2012 00:31:34 +0000
- To: "Frederick.Hirsch@nokia.com" <Frederick.Hirsch@nokia.com>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Personally, I do not find that necessary, Frederick. Firstly, PKCS #1 v1.5 is only required for transport of 3-DES keys. For AES keys, OAEP is already recommended. Secondly, I think our Security Considerations note properly captures the considerations that should be taken into account when using PKCS #1 v1.5. Thirdly (and given the previous two points), I think we need to stop making minor updates and conclude ... :)

And ultimately, I'd like to move towards KEM due to its better security properties (than both OAEP and PKCS #1 v1.5), but I guess that's for later.

-- Magnus

> -----Original Message-----
> From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com]
> Sent: Monday, July 23, 2012 2:11 PM
> To: public-xmlsec@w3.org
> Cc: Frederick.Hirsch@nokia.com
> Subject: Security issue in XML Encryption 1.1, Bleichenbacher revisited.
>
> From the recently published paper, "Bleichenbacher's Attack Strikes Again:
> Breaking PKCS#1 v1.5 in XML Encryption"
>
> http://www.nds.rub.de/media/nds/veroeffentlichungen/2012/07/11/XMLencBleichenbacher.pdf
>
> [[
> Recently the XML Encryption standard was updated, in response to an attack
> presented at CCS 2011. The attacks described in this paper work even against
> the updated version of XML Encryption. Our work shows once more that
> legacy cryptosystems have to be used with extreme care, and should be
> avoided wherever possible, since they may lead to practical attacks.
>
> ...
>
> XML Encryption allows the usage of block ciphers in the cipher-block chaining
> (CBC) mode-of-operation. CBC exhibits a weakness [29] that allows an
> adversary to make modifications to the encrypted plaintext, by XORing
> arbitrary bit strings to the plaintext. We show that it is possible to use this
> weakness as an alternative way to determine whether a PKCS#1 v1.5
> ciphertext is "valid" or not.
>
> Besides CBC mode, the updated version of the XML Encryption specification
> allows to use the GCM mode of operation. This mode was introduced to
> prevent the attacks from [10]. Interestingly, the CBC attack we describe in
> this paper allows to decrypt GCM ciphertexts, too - if the receiving Web
> Service is able to decrypt CBC ciphertexts, which is mandatory for any
> standard-compliant implementation. This is due to the fact that we use the
> PKCS#1 v1.5 weakness in combination with the CBC weakness only to
> decrypt the session key. After we have obtained this session key, we can
> decrypt an arbitrary ciphertext, regardless of whether it is encrypted using
> CBC, GCM, or any other mode-of-operation.
>
> ...
>
> The W3C XML Encryption working group added a remark to the updated
> standard [5, Section 6.1.2] which addresses our attack and recommends to
> use PKCS#1 v2.1 (aka. RSA-OAEP) instead. However, PKCS#1 v1.5 is still
> contained in the standard, and mandatory for any standard-compliant
> implementation.
> ]]
>
> All:
>
> What would be the implication of disallowing RSA-1.5 for key transport in
> XML Encryption 1.1, thus encouraging a shift to RSA-OAEP?
>
> Couldn't legacy implementations continue to be compliant with XML
> Encryption 1.0 with this update to XML Encryption 1.1?
>
> regards, Frederick
>
> Frederick Hirsch, Nokia
> Chair XML Security WG
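The quoted abstract combines two primitives: the CBC property that XORing a delta into ciphertext block i-1 XORs the same delta into plaintext block i (at the cost of garbling block i-1), and the "valid / invalid" distinction of EME-PKCS1-v1_5 decoding, which is the oracle any Bleichenbacher-style attack needs. The following is an added illustration of those two primitives in isolation; it is not code from the paper, from the working group, or from any XML Encryption implementation, and it does not reproduce the attack itself. The block cipher is an assumed stand-in (a 4-round SHA-256 Feistel network) so the example runs with the standard library only; the CBC property shown does not depend on which block cipher is used. All keys and messages are constructed sample values.

```python
"""CBC malleability and the PKCS#1 v1.5 padding check, shown in isolation.
Added example; not code from the cited paper or from any XML Encryption
implementation.  The block cipher below is an assumed stand-in for AES."""
import hashlib
import os

BLOCK = 16  # byte length of one cipher block


def _feistel_round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    """Stand-in 128-bit block cipher: 4-round Feistel network keyed with
    SHA-256 (an assumption for a self-contained example; AES in practice)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor_bytes(left, _feistel_round(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    """Inverse of block_encrypt: same rounds in reverse order."""
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = xor_bytes(right, _feistel_round(key, rnd, left)), left
    return left + right


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(key, iv, plaintext):
    """CBC with XML Encryption style padding: arbitrary fill bytes, and the
    last byte holds the number of padding bytes (1..BLOCK)."""
    pad_len = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + os.urandom(pad_len - 1) + bytes([pad_len])
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor_bytes(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_raw(key, iv, ciphertext):
    """Decrypt without removing padding, so tampered blocks can be inspected."""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(xor_bytes(block_decrypt(key, block), prev))
        prev = block
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    padded = cbc_decrypt_raw(key, iv, ciphertext)
    pad_len = padded[-1]
    if not 1 <= pad_len <= BLOCK:
        raise ValueError("bad padding")
    return padded[:-pad_len]


def xor_into_plaintext(iv, ciphertext, block_index, delta):
    """Return (iv, ciphertext) whose decryption has plaintext block
    `block_index` XORed with `delta`.  The attacker needs no key: in CBC,
    P[i] = D(C[i]) XOR C[i-1], so flipping bits in C[i-1] flips the same bits
    in P[i] and turns P[i-1] into garbage.  For block 0 the IV plays the role
    of C[-1], so no block is garbled at all."""
    assert len(delta) == BLOCK
    if block_index == 0:
        return xor_bytes(iv, delta), ciphertext
    start = (block_index - 1) * BLOCK
    tampered = (ciphertext[:start]
                + xor_bytes(ciphertext[start:start + BLOCK], delta)
                + ciphertext[start + BLOCK:])
    return iv, tampered


def pkcs1_v15_unpad(em):
    """EME-PKCS1-v1_5 decoding of an RSA-decrypted encoded message
    (00 || 02 || PS || 00 || M with PS at least eight nonzero bytes).
    Returns the transported key, or None when the padding is invalid.  Any
    behaviour that lets a sender distinguish these two outcomes, including
    what the receiver later does with a wrong key, is the oracle the quoted
    abstract refers to."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    try:
        sep = em.index(0x00, 2)
    except ValueError:
        return None
    if sep < 10:  # fewer than 8 nonzero padding bytes before the separator
        return None
    return em[sep + 1:]


if __name__ == "__main__":
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)
    ct = cbc_encrypt(key, iv, b"A" * 16 + b"B" * 16)
    iv2, ct2 = xor_into_plaintext(iv, ct, 1, b"\x01" + b"\x00" * 15)
    print(cbc_decrypt_raw(key, iv2, ct2)[16:32])  # block 1 now starts with 'C'
```

The point the receiver side makes: the session key, not the mode, is what the attack recovers, so `pkcs1_v15_unpad` returning None versus a key must not be observable to the sender in any way, and the cleanest fix is the one Magnus and the paper both point to, removing PKCS#1 v1.5 key transport rather than trying to hide the oracle.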
Received on Tuesday, 24 July 2012 00:32:08 UTC