25-08-2017, 09:32 PM
How to Break XML Encryption
HowToBreakXMLenc.pdf (Size: 206.81 KB / Downloads: 23)
INTRODUCTION
In this paper, we present an attack technique that enables
an adversary to decrypt arbitrary data that have been
encrypted according to the XML Encryption specification.
Based on a cryptographic weakness of the CBC mode, we
are able to perform a chosen-ciphertext attack which recovers
the entire plaintext from a given ciphertext. The
only prerequisite for this attack consists in availability of
an “oracle” telling us whether a given ciphertext contains a
“correctly formed” plaintext. “Correctly formed”means here
that the plaintext contains a valid encoding (e.g. in UTF-
8 or ASCII) of a message. In practice, this oracle may be
provided for instance by a Web Service that returns suitable
error messages, or that provides some other side-channel allowing
us to distinguish correct from invalid ciphertexts, like
a different timing of data processing, for instance.
PRELIMINARIES
Throughout the paper we write {0, 1}` to denote the set
of all bit strings of length `. For a, b 2 {0, 1}`, we write |a| to
denote the length of a (i.e., |a| = `), ab to denote the bitwise
XOR of a and b, and a|b to denote concatenation of a
and b. We write {0, 1} shorthand for {0, 1} = S1
i=0{0, 1}i.
Block Ciphers
The XML Encryption standard specifies AES and Triple-
DES (3DES) as block ciphers. Since our attack does not exploit
specific properties of these algorithms, but works with
any cipher in a similar way, we will consider an abstract
block cipher in the following.
To this end, we define a block cipher as a pair of algorithms
(Enc,Dec). The encryption algorithm c = Enc(k,m) takes as
input a key k 2 {0, 1}` and an -byte plaintext m 2 {0, 1}n,
where n = 8 · ,1 and returns a ciphertext c 2 {0, 1}n. The
decryption algorithm m = Dec(k, c) takes a key k and a
ciphertext c, and returns m 2 {0, 1}n. For instance, if AES
is used then we have n = 128 and thus = 16.
Padding Scheme
Suppose we want to encrypt an XML message m 2 {0, 1}
of arbitrary bit-length |m|. Since XML data is represented
by UTF-8 characters, we may always assume that |m| is an
integer multiple of 8. However, |m| does not need necessarily
be an integer multiple of the block size n of the block. Thus
a padding algorithm with inversion algorithm −1 must
be applied to the message, to obtain a padded message m0 =
(m) whose bit-length |m0| is an integer multiple of n.
The XML Encryption standard specifies the usage of the
following padding scheme :
A Toy Example
In this section we describe a simple attack on ciphertexts
encrypted in CBC mode, which allows to recover the plaintext
message, if a certain oracle (to be described below) is
given. The actual attack on XML Encryption from Section 4
is based on the same idea, but in addition handles some
technical obstacles that arise when the theoretical concept
is adopted to the “real world”.