'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

Brad Hill brad at isecpartners.com
Fri Oct 1 12:29:19 EDT 2010


Kevin W. Wall wrote:
> isn't the pre-shared key version of W3C's XML Encrypt also going to be vulnerable 
> to a padding oracle attack?

Any implementation that returns distinguishable error conditions for invalid 
padding is vulnerable, XML encryption no more or less so if used in such a 
manner.  But XML encryption in particular seems much less likely to be used 
in this manner than other encryption code.

The primary use case you cite for PSK, an asynchronous message bus, is 
significantly less likely to return oracular information to an attacker than a
synchronous service.  And due to the rather unfavorable performance of
XML encryption, in practice it is rarely used for synchronous messages.  
Confidentiality for web service calls is typically provided for at the transport
layer rather than the message layer.  SAML tokens used in redirect-based
sign-on protocols are the only common use of XML encryption I'm aware 
of where the recipient might provide a padding oracle, but these messages
are always signed as well.

Brad Hill
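The mechanism Brad describes above ("distinguishable error conditions for invalid padding"), as an added example that is not part of this thread and is not ASP.NET or XML Encryption code: a recipient that answers "bad padding" and "bad MAC" differently is driven as an oracle to recover a CBC-encrypted message byte by byte, while a recipient that verifies an HMAC over the ciphertext before decrypting, and collapses every failure into one answer, gives the same attacker nothing. Everything here is constructed: the key, the MAC key, the plaintext, the error strings, and the block cipher, which is a four-round Feistel network keyed with HMAC-SHA256 standing in for AES so the example runs on the Python standard library alone. The attack never depends on which block cipher is underneath, which is the point of the thread.

```python
import hashlib
import hmac
import os

BLOCK = 16
KEY = b"constructed-demo-key-not-a-real-one"          # constructed for this example
MAC_KEY = b"constructed-demo-mac-key-kept-separate"   # constructed, used by the hardened recipient
SECRET = b"user=alice;role=admin;issued=2010-10-01"   # constructed plaintext the attacker wants

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    # 4-round Feistel network on 16-byte blocks, HMAC-SHA256 as round function: a stdlib stand-in for AES
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, hmac.new(key, bytes([i]) + l, hashlib.sha256).digest()[:8]), l
    return l + r

def pad(data):                                  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for i in range(0, len(pt), BLOCK):
        out.append(block_encrypt(key, _xor(pt[i:i + BLOCK], out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, c), p) for c, p in zip(blocks, [iv] + blocks))

def leaky_encrypt(key, msg):                    # MAC-then-encrypt
    iv = os.urandom(BLOCK)
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return iv, cbc_encrypt(key, iv, pad(msg + tag))

def leaky_decrypt(key, iv, ct):                 # the kind of recipient the thread calls vulnerable
    try:
        data = unpad(cbc_decrypt(key, iv, ct))
    except ValueError:
        return "error: bad padding"             # distinguishable from the MAC failure below: the oracle
    if not hmac.compare_digest(data[-32:], hmac.new(key, data[:-32], hashlib.sha256).digest()):
        return "error: bad mac"
    return data[:-32]

def hardened_encrypt(key, msg):                 # encrypt-then-MAC over IV||ciphertext
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(key, iv, pad(msg))
    return iv, ct + hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()

def hardened_decrypt(key, iv, ct_tag):          # verify first, constant-time, one error for everything
    ct, tag = ct_tag[:-32], ct_tag[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()):
        return "error: invalid"
    try:
        return unpad(cbc_decrypt(key, iv, ct))
    except ValueError:
        return "error: invalid"                 # unreachable for genuine ciphertexts, uniform anyway

def recover_block(oracle, prev, block):
    """Recover one plaintext block given oracle(iv, block) -> True iff the padding was accepted."""
    inter = bytearray(BLOCK)                    # D_k(block), recovered right to left
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        for g in range(256):
            # bytes right of pos are forced to padval, pos carries the guess, the rest are zero
            forged = bytes(pos) + bytes([g]) + bytes(inter[j] ^ padval for j in range(pos + 1, BLOCK))
            if not oracle(forged, block):
                continue
            # a hit on the last byte may be 02 02 (or longer) by luck: disturb byte 14 and ask again
            if pos == BLOCK - 1 and not oracle(bytes(BLOCK - 2) + b"\xff" + forged[-1:], block):
                continue
            inter[pos] = g ^ padval
            break
        else:
            return None                         # no guess accepted: this recipient is not an oracle
    return _xor(inter, prev)

def recover_message(oracle, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    parts = [recover_block(oracle, p, c) for c, p in zip(blocks, [iv] + blocks)]
    return None if None in parts else b"".join(parts)

def run_attack(encrypt, decrypt, padding_error):   # attacker never sees KEY, only the response
    iv, ct = encrypt(KEY, SECRET)
    oracle = lambda forged_iv, block: decrypt(KEY, forged_iv, block) != padding_error
    return recover_message(oracle, iv, ct)
```

`run_attack(leaky_encrypt, leaky_decrypt, "error: bad padding")` returns the padded plaintext-plus-tag, which unpads to the original message followed by its 32-byte tag; the same call against `hardened_encrypt`/`hardened_decrypt` with `"error: invalid"` returns None, because no forged block is ever accepted. The hardened recipient mirrors the remark about signed SAML tokens: an integrity check (here an HMAC) denies the attacker the oracle, but only if it is verified before any decryption and compared in constant time; a MAC checked after unpadding, even behind a single error string, can still leak the distinction through timing.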

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com