possible DoS attack

Hi, All!

I think I found a possible DoS attack  on the application that uses
XML Encryption and I would like to get your opinion on how
real is it.

Suppose the application processes encrypted requests (for example,
SAML requests) from end-users ("rich clients" like ICQ, AIM, etc.).
And the "bad guy" submits following XML document:
   

    <EncryptedData Id='ED' xmlns='http://www.w3.org/2001/04/xmlenc#'>
        <EncryptionMethod 
Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc'/>
            <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
                <ds:RetrievalMethod URI='#EK' 
Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>               
           </ds:KeyInfo>
        <CipherData><CipherValue>DEADBEEF</CipherValue></CipherData>
    </EncryptedData>
    <EncryptedData Id='EK' xmlns='http://www.w3.org/2001/04/xmlenc#'>
        <EncryptionMethod 
Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc'/>
            <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
                <ds:RetrievalMethod URI='#ED' 
Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
           </ds:KeyInfo>
        <CipherData><CipherValue>DEADBEEF</CipherValue></CipherData>
    </EncryptedData>


As you can see the <ds:RetrievalMethod /> from the first <EncryptedData 
/> points
to the second <EncryptedData /> and the the <ds:RetrievalMethod /> from 
the second
<EncryptedData /> points to the first <EncryptedData />.
If the application will try to decrypt such message and will do no 
special processing then it
will end up in an infinite loop. And "bad guy" will effectivly cause DoS.
This example is simple and probably it's pretty simple to have special 
check for this case.
However, the real attack can include XPath, XSLT and other transforms 
and this will
make check very complicated.  The other solution is to put a simple "max 
lookup depth" check
(do not do more than 10 retrievals, for example).

The similar attack is possible to incorrect XMLDsig implementations (if 
the implementation
executes second level <ds:RetrievalMethod />). But in XMLDSig case the 
standard itself
does not allow it. The XML Enc standard does not prevent this attack and 
I think it's worth
to put some kind of warning for implementors.


Aleksey Sanin.
XML Security Library
http://www.aleksey.com/xmlsec

Received on Thursday, 11 April 2002 12:44:48 UTC