.NET Framework Essentials
Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS ...
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption
Proceedings of the 11th USENIX Security Symposium
XML signature element wrapping attacks and countermeasures
Proceedings of the 2005 workshop on Secure web services
Attacking the IPsec Standards in Encryption-only Configurations
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Immunising CBC Mode Against Padding Oracle Attacks: A Formal Security Treatment
SCN '08 Proceedings of the 6th international conference on Security and Cryptography for Networks
On the (in)security of IPsec in MAC-then-encrypt configurations
Proceedings of the 17th ACM conference on Computer and communications security
Practical padding oracle attacks
WOOT'10 Proceedings of the 4th USENIX conference on Offensive technologies
Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Padding oracle attacks on CBC-Mode encryption with secret and random IVs
FSE'05 Proceedings of the 12th international conference on Fast Software Encryption
Error oracle attacks on CBC mode: is there a future for CBC mode encryption?
ISC'05 Proceedings of the 8th international conference on Information Security
A survey on security issues and solutions at different layers of Cloud computing
The Journal of Supercomputing
An efficient fragile web pages watermarking for integrity protection of XML documents
IWDW'12 Proceedings of the 11th international conference on Digital Forensics and Watermaking
Hi-index | 0.00 |
XML Encryption was standardized by W3C in 2002, and is implemented in XML frameworks of major commercial and open-source organizations like Apache, redhat, IBM, and Microsoft. It is employed in a large number of major web-based applications, ranging from business communications, e-commerce, and financial services over healthcare applications to governmental and military infrastructures. In this work we describe a practical attack on XML Encryption, which allows to decrypt a ciphertext by sending related ciphertexts to a Web Service and evaluating the server response. We show that an adversary can decrypt a ciphertext by performing only 14 requests per plaintext byte on average. This poses a serious and truly practical security threat on all currently used implementations of XML Encryption. In a sense the attack can be seen as a generalization of padding oracle attacks (Vaudenay, Eurocrypt 2002). It exploits a subtle correlation between the block cipher mode of operation, the character encoding of encrypted text, and the response behaviour of a Web Service if an XML message cannot be parsed correctly.