Standards are supposed to guarantee security, especially in the WWW. The World Wide Web Consortium (W3C) is the main force behind standards like HTML, XML, and XML Encryption. But implementing a W3C standard does not mean that a system is secure. Researchers from the chair of network and data security have found a serious attack against XML Encryption. “Everything is insecure”, is the uncomfortable message from Bochum.
Standard for large integration projects
XML stands for “eXtensible Markup Language”, and is the industry standard for platform-independent data exchange. Companies like IBM, Microsoft and Redhat Linux use XML standards for integrating web service projects for large customers. XML Encryption was designed to protect the confidentiality of the exchanged data. Reason enough to have a closer look at its security.
Weak chaining of ciphertext blocks
Juraj Somorovsky and Tibor Jager exploited a weakness in the CBC mode for the chaining of different ciphertext blocks. “We were able to decrypt data by sending modified ciphertexts to the server, by gathering information from the received error messages.” The attack was tested against a popular open source implementation of XML Encryption, and against the implementations of companies that responded to the responsible disclosure – in all cases the result was the same: the attack works, XML Encryption is not secure. Details of the attack are presented at this year’s ACM Conference on Computer and Communications Security (http://www.sigsac.org/ccs/CCS2011/techprogram.shtml).
No simple solution available
“There is no simple patch for this problem”, states Somorovsky. “We therefore propose to change the standard as soon as possible.” The researchers informed all possibly affected companies through the mailing list of W3C, following a clear responsible disclosure process. With some companies there were intensive discussions on workarounds.
Further information: Prof. Dr. Jörg Schwenk, Faculty of Electrical Engineering and Information Sciences at the RUB, Chair for Network and Data Security, Tel. +49 234 32 26692
Dr. Josef König | idw