[Openid-specs-ab] Encryption

Axel.Nennker at telekom.de Axel.Nennker at telekom.de
Fri Oct 28 15:54:37 UTC 2011


Here is the link to the paper:
http://www.nds.rub.de/media/nds/veroeffentlichungen/2011/10/22/HowToBreakXMLenc.pdf

The authors recommend "One possibility to avoid our attack is to use a symmetric
cryptographic primitive that does not only provide confidentiality,
but also integrity. This can for instance be achieved
by replacing the CBC mode of operation with a mode that
provides message integrity. Adequate choices have for instance
been standardized in ISO/IEC 19772:2009. We consider
this solution as very recommendable for future versions
of the XML Encryption standard. Unfortunately, this may
bring deployment and backwards compatibility issues."

http://www.iso.org/iso/catalogue_detail?csnumber=46345

-Axel

-----Original Message-----
From: John Bradley [mailto:jbradley at mac.com] 
Sent: Freitag, 28. Oktober 2011 16:22
To: Nennker, Axel
Cc: Nat Sakimura; Michael Jones; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Encryption

We don't encryption it, but we do support it.

I haven't seen the original paper only analysis of it.

Mike should be able to get it.

I don't think we should panic.   I have known about this for a week or so.

While the problem involves CBC it is not necessarily a CBC algorithm vulnerability in itself.

The problem is likely the xmlenc API error messages and having them reported back over SOAP.

As long as we are careful about not communicating too much in the error message and implementers protect against side channel timing attacks, JWE probably is OK as is with appropriate security considerations.

I would be surprised if the attack works agains AES-CBC + RSA.

It also probably is ineffective agains AES-CBC+keywrap.

Yes GWC is better that is why it was created.   

We need the paper before trying to fix things that may not need fixing.

John B.




On 2011-10-28, at 10:13 AM, Axel.Nennker at telekom.de wrote:

> Do we actually require encryption in the openid connect standards? I thought we refer to JWS and JWS and that's it?
> Axel
> 
> 
> 
> 
> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of sakimura
> Sent: Freitag, 28. Oktober 2011 13:36
> To: Mike Jones; John Bradley; Anthony Nadalin; Openid specs ab
> Subject: [Openid-specs-ab] Encryption
> 
> So I was going over the recent XML Encryption vulnerability.
> http://www.informationweek.com/news/security/vulnerabilities/231901532
> 
> The flaw is that of CBC mode of operation combined with unauthenticated 
> encryption.
> It is a kind of padding oracle attack.
> 
> We have two choices here:
> 
> 1) Require authenticated encryption mode such as GCM
> 2) Require message authentication to be applied to the cipher text.
> 
> Ideally 1) should be taken as operational efficiency is much greater 
> than 2),
> but in reality we do not have support for GCM in many languages.
> 
> Thus, while RECOMMENDing 1), we should REQUIRE HMAC to be applied
> on the encrypted text (cipher text) in CBC mode.
> 
> Thus, we should make it REQUIRED to sig+enc+mac, instead of sig+enc,
> and REQUIRE the verifier to first verify the mac and if the mac is not 
> correct
> the process should abend returning mac error.
> 
> Also, although same public-private keypair can be used for encryption 
> and signature
> in case of RSA, we should probably use two separate keypair. That is 
> safer.
> Perhaps we would not REQUIRE it, but we should RECOMMEND it.
> 
> =nat
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab



More information about the Openid-specs-ab mailing list