'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

Brad Hill brad at isecpartners.com
Fri Oct 1 12:29:19 EDT 2010

Kevin W. Wall wrote:
> isn't the pre-shared key version of W3C's XML Encrypt also going to be vulnerable 
> to a padding oracle attack.

Any implementation that returns distinguishable error conditions for invalid 
padding is vulnerable, XML encryption no more or less so if used in such a 
manner.  But XML encryption in particular seems much less likely to be used 
in this manner than other encryption code.

The primary use case you cite for PSK, an asynchronous message bus, is 
significantly less likely to return oracular information to an attacker than a
synchronous service.  And due to the rather unfavorable performance of
XML encryption, in practice it is rarely used for synchronous messages.  
Confidentiality for web service calls is typically provided for at the transport
layer rather than the message layer.  SAML tokens used in redirect-based
sign-on protocols are the only common use of XML encryption I'm aware 
of where the recipient might provide a padding oracle, but these messages
are always signed as well.

Brad Hill

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list