[145950] in cryptography@c2.net mail archive


RE: 'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps

daemon@ATHENA.MIT.EDU (Brad Hill)
Fri Oct 1 18:34:28 2010

From: Brad Hill <brad@isecpartners.com>
To: "Kevin W. Wall" <kevin.w.wall@gmail.com>
CC: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Date: Fri, 1 Oct 2010 09:29:19 -0700

Kevin W. Wall wrote:
> isn't the pre-shared key version of W3C's XML Encrypt also going to be vulnerable
> to a padding oracle attack.

Any implementation that returns distinguishable error conditions for invalid
padding is vulnerable, XML encryption no more or less so if used in such a
manner.  But XML encryption in particular seems much less likely to be used
in this manner than other encryption code.

The primary use case you cite for PSK, an asynchronous message bus, is
significantly less likely to return oracular information to an attacker than a
synchronous service.  And due to the rather unfavorable performance of
XML encryption, in practice it is rarely used for synchronous messages.
Confidentiality for web service calls is typically provided for at the transport
layer rather than the message layer.  SAML tokens used in redirect-based
sign-on protocols are the only common use of XML encryption I'm aware
of where the recipient might provide a padding oracle, but these messages
are always signed as well.

Brad Hill
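Brad's two points above, that an implementation is vulnerable exactly when it returns distinguishable errors for invalid padding, and that a signature over the message removes the oracle, as an added Go example that is not part of this thread or any library mentioned in it. Keys and IV are constructed test values (AES-128, HMAC-SHA256 over IV||ciphertext); `verifyFirst=false` is the decrypt-then-check ordering that leaks, `verifyFirst=true` checks the signature before the ciphertext is touched and reports every failure the same way.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// A remote caller who can tell ErrPadding from ErrSignature holds a padding oracle.
var ErrPadding, ErrSignature, ErrFailed = errors.New("bad padding"), errors.New("bad signature"), errors.New("decryption failed")
func tag(macKey, data []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(data)
	return h.Sum(nil)
}
// Seal: PKCS#7 pad, AES-CBC encrypt under iv, return iv || ct || HMAC(iv || ct).
func Seal(encKey, macKey, iv, pt []byte) []byte {
	block, _ := aes.NewCipher(encKey) // constructed example: keys are assumed to be 16 bytes
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := append(append([]byte{}, iv...), make([]byte, len(padded))...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return append(out, tag(macKey, out)...)
}
// Open parses iv || ct || tag. With verifyFirst=false (decrypt, then check) a forged message
// fails with ErrPadding or ErrSignature; with verifyFirst=true a bad signature is rejected first.
func Open(encKey, macKey, msg []byte, verifyFirst bool) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize+sha256.Size || (len(msg)-sha256.Size)%aes.BlockSize != 0 {
		return nil, ErrFailed
	}
	ct, mac := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	sigOK := hmac.Equal(mac, tag(macKey, ct))
	if verifyFirst && !sigOK {
		return nil, ErrFailed
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrPadding // on forged input only reachable when verifyFirst is false
	}
	if !sigOK {
		return nil, ErrSignature // the oracle: the caller now knows the padding was valid
	}
	return pt[:len(pt)-n], nil
}
```

The same fix applies to a web service that maps padding and signature failures to different HTTP responses or timings: the observable behaviour, not the cipher, is what makes the oracle.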

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
