German researchers break XML encryption, leaving web services exposed

Researchers from Germany have successfully broken XML encryption
Researchers from Germany have successfully broken XML encryption

XML (eXtensible Markup Language) is the industry standard for platform-independent data exchange. Companies like IBM, Microsoft and Redhat Linux use XML standards for integrating web service projects for large customers. XML encryption is designed to protect the confidentiality of the exchanged data.

RUB researchers Juraj Somorovsky and Tibor Jager exploited a weakness in the cipher block chaining (CBC) mode for the chaining of different ciphertext blocks.

“We were able to decrypt data by sending modified ciphertexts to the server, by gathering information from the received error messages”, the researchers said. The attack was tested against a popular open source implementation of XML encryption, and against the implementations of companies that responded to the disclosure, the researchers explained. In all cases the attack worked; “XML encryption is not secure”, they proclaimed.

“There is no simple patch for this problem. We therefore propose to change the standard as soon as possible”, the German researchers said. The World Wide Web Consortium sets the XML encryption standard, they noted.

Details of the attack were presented at the 2011 ACM Conference on Computer and Communications Security held in Chicago. Also at the conference, researchers from the same university demonstrated “massive security flaws” in Amazon Web Services (AWS) by using signature wrapping and cross site scripting attack methods.

“Using different kinds of XML signature wrapping attacks, we succeeded in completely taking over the administrative rights of cloud customers”, said Somorovsky. “This allowed us to create new instances in the victim’s cloud, add or delete images.”

In addition, the researchers found gaps in the AWS interface and in the Amazon shop, which were vulnerable to cross-site scripting attacks. “We had free access to all customer data, including authentication data, tokens, and even plain text passwords”, said RUB researcher Mario Heiderich. He noted that the common login is a complex potential danger: “It's a chain reaction. A security gap in the complex Amazon shop always also directly causes a gap in the Amazon cloud.”

Jörg Schwenk, chair for network and data security at RUB, said that based on the research results, Amazon confirmed the security gaps and “closed them immediately.”

What’s Hot on Infosecurity Magazine?