Update to XML Encryption 1.1 editors draft

I have updated the XML Encryption 1.1 editors draft with a new security consideration section [1]

[[
6.1.3 Backwards Compatibility Attacks

Use of state-of-the-art and secure encryption algorithms such as RSA-OAEP and AES-GCM can become insecure when the adversary can force the server to process eavesdropped ciphertext with legacy algorithms such as RSA-PKCS#1 v1.5 or AES-CBC [XMLENC-BACKWARDS-COMP] (http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.src.html#bib-XMLENC-BACKWARDS-COMP):

  1.  The attacker can break the security of an AES-GCM ciphertext if he is able to force the server to process the ciphertext with AES-CBC and the same symmetric key.
  2.  The attacker can decrypt an RSA-OAEP ciphertext if he is able to force the server to process the ciphertext with RSA-PKCS#1 v1.5 and the same asymmetric key.
  3.  The attacker can forge valid server signatures if the server decrypts RSA-PKCS#1 v1.5 ciphertexts and the signatures are computed with the same asymmetric key pair.

Accordingly, we recommend the following to implementers:

  1.  Restrict algorithm usage to algorithms known to be secure in the face of chosen-ciphertext attacks (RSA-OAEP, AES-GCM). In that case, documents containing RSA-PKCS#1 v1.5 and AES-CBC ciphertexts must be rejected without decryption. Allowing use of RSA-PKCS#1 v1.5 and AES-CBC is dangerous.
  2.  It is a bad cryptographic practice to apply the same cryptographic keys for different cryptographic tasks and algorithms. We recommend enforcing use of different keys for public key encryption and signature processing (ciphertext decryption and signature creation).

]]

This is based on the proposed text from Juraj and Tibor, attached.

I am aware of a comment from Magnus which I will share to the list after this message.

regards, Frederick

Frederick Hirsch
Nokia

[1] http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core-11/Overview.src.html#sec-backwards-compatibility-attacks

Received on Thursday, 29 November 2012 17:37:49 UTC
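The two implementer recommendations in the quoted section amount to a policy check that runs before any key is touched: reject a document whose EncryptionMethod names a legacy algorithm, and refuse to decrypt with a key that is registered for signing. The following is an added example written for this page, not code from the editors draft, the e-mail, or any XML Security implementation. The algorithm identifiers are the ones XML Encryption 1.0 and 1.1 define (rsa-1_5, aes*-cbc, tripledes-cbc, rsa-oaep-mgf1p, rsa-oaep, aes*-gcm); the key registry, the key names server-enc-2012 / server-sig-2012, the function names and the sample documents are constructed for illustration.

```python
"""Pre-decryption policy check for XML Encryption documents (illustrative)."""
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"        # XML Encryption 1.0 namespace
XENC11 = "http://www.w3.org/2009/xmlenc11#"       # XML Encryption 1.1 namespace
DS = "http://www.w3.org/2000/09/xmldsig#"         # XML Signature namespace

# Recommendation 1: only algorithms secure against chosen-ciphertext attacks.
ALLOWED_ALGORITHMS = frozenset({
    XENC11 + "aes128-gcm", XENC11 + "aes192-gcm", XENC11 + "aes256-gcm",
    XENC11 + "rsa-oaep",        # RSA-OAEP as defined in XML Encryption 1.1
    XENC + "rsa-oaep-mgf1p",    # RSA-OAEP as defined in XML Encryption 1.0
})

# Legacy algorithms the section says must be rejected without decryption.
LEGACY_ALGORITHMS = frozenset({
    XENC + "aes128-cbc", XENC + "aes192-cbc", XENC + "aes256-cbc",
    XENC + "tripledes-cbc",
    XENC + "rsa-1_5",           # RSA-PKCS#1 v1.5
})

# Recommendation 2: hypothetical key registry binding each key to one purpose,
# so the signing key can never be handed to the decryptor.
KEY_PURPOSE = {
    "server-enc-2012": "encryption",
    "server-sig-2012": "signature",
}


class PolicyViolation(Exception):
    """Raised when a document must be rejected before any decryption."""


def check_encryption_policy(xml_text, key_purpose=KEY_PURPOSE):
    """Return the policy problems found in every EncryptedData/EncryptedKey.

    Only algorithm URIs and key names are inspected; nothing is decrypted.
    """
    root = ET.fromstring(xml_text)
    problems = []
    for tag in ("EncryptedData", "EncryptedKey"):
        for elem in root.iter(f"{{{XENC}}}{tag}"):
            method = elem.find(f"{{{XENC}}}EncryptionMethod")
            alg = method.get("Algorithm") if method is not None else None
            if alg in LEGACY_ALGORITHMS:
                problems.append(f"{tag}: legacy algorithm {alg}")
            elif alg not in ALLOWED_ALGORITHMS:
                problems.append(f"{tag}: algorithm not on the allowlist: {alg!r}")
            # ds:KeyInfo/ds:KeyName directly under this element names the key
            # that would be used to process it.
            key_name = elem.find(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")
            if key_name is not None:
                name = (key_name.text or "").strip()
                purpose = key_purpose.get(name)
                if purpose != "encryption":
                    problems.append(
                        f"{tag}: key {name!r} is registered for {purpose}, not encryption")
    return problems


def decrypt_if_permitted(xml_text, decrypt_fn):
    """Gate: decrypt_fn (the real decryptor) is only reached on a clean document."""
    problems = check_encryption_policy(xml_text)
    if problems:
        raise PolicyViolation("; ".join(problems))
    return decrypt_fn(xml_text)


# Constructed sample documents; CipherValue contents are placeholders.
DOC_TEMPLATE = """<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Type="http://www.w3.org/2001/04/xmlenc#Element">
  <xenc:EncryptionMethod Algorithm="{data_alg}"/>
  <ds:KeyInfo>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{key_alg}"/>
      <ds:KeyInfo><ds:KeyName>{key_name}</ds:KeyName></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""


def build_doc(data_alg, key_alg, key_name):
    return DOC_TEMPLATE.format(data_alg=data_alg, key_alg=key_alg, key_name=key_name)


GOOD_DOC = build_doc(XENC11 + "aes128-gcm", XENC11 + "rsa-oaep", "server-enc-2012")
# Same ciphertext, but the attacker rewrote both algorithm URIs to the legacy ones.
DOWNGRADED_DOC = build_doc(XENC + "aes128-cbc", XENC + "rsa-1_5", "server-enc-2012")
# Modern algorithms, but the EncryptedKey names the server's signing key.
KEY_REUSE_DOC = build_doc(XENC11 + "aes128-gcm", XENC11 + "rsa-oaep", "server-sig-2012")

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("downgraded", DOWNGRADED_DOC),
                       ("key reuse", KEY_REUSE_DOC)):
        print(label, check_encryption_policy(doc) or "accepted")
```

The check is deliberately an allowlist rather than a blocklist: an unknown algorithm URI is rejected too, so a future or vendor-specific identifier cannot slip past the policy. The key-purpose lookup is keyed on ds:KeyName only because that is the simplest identifier; a real decryptor would resolve whatever KeyInfo form it supports to the same purpose table before selecting a private key.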