XML signature HMAC truncation authentication bypass

Leandro Meiners lmeiners at gmail.com
Fri Jul 17 14:10:02 EDT 2009

"XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation
for providing integrity, message authentication, and/or signer
authentication services for data. XMLDsig is commonly used by web
services such as SOAP. The XMLDsig recommendation includes support for
HMAC truncation, as specified in RFC2104. However, the XMLDsig
specification does not follow the RFC2104 recommendation to not allow
truncation to less than half of the length of the hash output or less
than 80 bits. When HMAC truncation is under the control of an attacker
this can result in an effective authentication bypass. For example, by
specifying an HMACOutputLength of 1, only one bit of the signature is
verified. This can allow an attacker to forge an XML signature that will
be accepted as valid."
- http://www.kb.cert.org/vuls/id/466161

More information at:
HMAC truncation in XML Signature: When Alice didn't look.
- http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html

Leandro Federico Meiners
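
An added example, not part of the original post and not taken from any XMLDsig library: a Python sketch that puts a verifier trusting HMACOutputLength from the document beside one enforcing the RFC2104 floor quoted above (at least half the hash output, never under 80 bits). The function names, the key and the SignedInfo bytes are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample inputs (assumptions, not from the advisory).
KEY = b"constructed-shared-secret"
DATA = b"<SignedInfo>constructed sample</SignedInfo>"

def min_output_bits(digest_name):
    """RFC 2104 floor: half the hash output, and never less than 80 bits."""
    return max(80, hashlib.new(digest_name).digest_size * 8 // 2)

def _truncate(mac, bits):
    """Keep the leftmost `bits` bits, zeroing the unused tail of the last byte."""
    out = bytearray(mac[:(bits + 7) // 8])
    if bits % 8 and out:
        out[-1] &= (0xFF << (8 - bits % 8)) & 0xFF
    return bytes(out)

def verify_naive(key, data, sig_value, output_bits, digest_name="sha1"):
    """Flawed behaviour: compares only as many bits as the document asks for."""
    expected = hmac.new(key, data, digest_name).digest()
    return hmac.compare_digest(_truncate(expected, output_bits),
                               _truncate(sig_value, output_bits))

def verify_strict(key, data, sig_value, output_bits=None, digest_name="sha1"):
    """Hardened: refuse an HMACOutputLength below the floor before comparing."""
    expected = hmac.new(key, data, digest_name).digest()
    full_bits = len(expected) * 8
    if output_bits is None:          # no HMACOutputLength element: full length
        output_bits = full_bits
    if not (min_output_bits(digest_name) <= output_bits <= full_bits):
        raise ValueError(f"HMACOutputLength {output_bits} outside allowed range")
    if len(sig_value) != (output_bits + 7) // 8:
        return False                 # SignatureValue length must match exactly
    return hmac.compare_digest(_truncate(expected, output_bits),
                               _truncate(sig_value, output_bits))

if __name__ == "__main__":
    full = hmac.new(KEY, DATA, "sha1").digest()
    print("strict, 96-bit truncation:", verify_strict(KEY, DATA, full[:12], 96))
    try:
        verify_strict(KEY, DATA, full[:1], 1)
    except ValueError as exc:
        print("strict, 1-bit truncation rejected:", exc)
```

The strict verifier treats a too-short HMACOutputLength as a malformed signature rather than a failed comparison, so the rejection can be logged and alerted on separately from ordinary verification failures.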

