How to Break XML Encryption – Automatically
Juraj Somorovsky (Ruhr University Bochum)
In recent years, XML Encryption became a target of several new attacks. These attacks belong to the family of adaptive chosen-ciphertext attacks, and allow an adversary to decrypt symmetric and asymmetric XML ciphertexts, without knowing the secret keys. In order toprotect XML Encryption implementations, the World Wide Web Consortium (W3C) published an updated version of the standard.
Unfortunately, most of the current XML Encryption implementations do not support the newest standard and offer different XML Security configurations to protect confidentiality of the exchanged messages. Resulting from the attack and specification complexity, evaluation of the security configuration correctness becomes tedious and error prone.
In this talk, we will first give an overview on Web Service specific attacks. Afterwards, we present attacks on XML Encryption and how to evaluate security of XML Encryption interfaces automatically. Our algorithm can detect a vulnerability and exploit it to retrieve a plaintext from an encrypted message. To assess practicability of our approach, we implemented an open source attack plugin for Web Service attacking tool called WS-Attacker. With the plugin, we discovered new security problems in four out of five analyzed Web Service implementations, including IBM Datapower or Apache CXF.
What is a WebService and XML Security
SOAP WebService are a standard that allows you to execute a function on the server and receive a response (remote procedure calls). This range from simple to very complex requests.
There are many ways to secure this communication. SSL/TLS can be used to secure the tunnel between the client and server (transport communication). The broker however (the server in this case) can see the data. To stops this from happening, you need to encrypt the data within the SOAP request using something like XML Security.
XML Security consists of 2 standards (XML Signature and XML Encryption). This can be used to protect to the entire document, or sections individually.
XML Signature Wrapping
One of the problems of XML Security is XML Signature wrapping. As the XML signature should protect against alteration to the document, by allowing validation of specific elements.
An attacker can however relocate the signed element, maintaining the valid signature. Then an attacker can add additional data to the request that are understood by the application layer. As the verification and application logic are separate, the verification will pass due to the presence of a valid signature. The application will then accept the attackers data as validated when it hasn’t been confirmed at the validation layer.
This problem was seen in 2011 in Amazon Web Services by bypassing signed SOAP requests. This resulted in the ability for an active attacker to alter the SOAP data and start instances without permission.
Further attacks against SAML were performed, where <10 out of 22 systems tested were vulnerable to signature wrapping attacks.
Attacks on XML encryption
In most cases XML Encryption uses a hybrid encryption scheme (Asymmetric and symmetric keys). Published attacks (2011/2012) exist for both portions of the encryption (adapted chosen-ciphertext attacks) using the server as an oracle.
XML is a text-based data format. Therefore it must be parsed to be understood (usually ASCII encoded). Certain ASCII characters are not parseable or can be excluded. This reduces the understood character set and makes the attack easier.
- Content Decryption
- XML parsing
- XML Evaluation
Be using this oracle and checking the error type returned, it’s possible to see if the failure occurs at the decryption of parsing phase.
This attack is made possible as an attacker can flip bits in the request. Cipher Block Chaining Mode has been discussed previously in several padding oracle attacks.
Performance (against Symmetric encryption): 14 queries / pain-text byte
How to analyze WebServices Automatically
WS-Attacker tool – https://github.com/RUB-NDS/WS-Attacker
Automated tool to validate attacks against WebServices, implementing XML Signature wrapping and sending requests to the oracle to validate if the system is vulnerable.
If the oracle can be identified, the attack is performed.
Examples of vulnerable systems discovered in testing:
- Apache Axis2
- Apache CXF
- Axway Gateway
- IBM DataPower
- Microsoft WCF
Countermeasures that were in place for Apache CXF were found to be incorrectly implemented, resulting it being vulnerable to attack.
XML is very complicated, so application of XML Encryption should be validated using tools like WS-Attacker to ensure that it’s not vulnerable.
This attack is also applies to other scenarios like SAML, JSON, Web Crypto
Prefer authentication encryption (AES-GCM instead of AES-CBC)