Researchers in Germany have developed an attack that enables them to decrypt supposedly private messages sent via XML. Their attack affects messages encrypted with any of the algorithms supported by the XML encryption standard, including DES and AES.
The research, done by a group at Ruhr University Bochum, implements an attack against a vulnerability in the cipher-block chaining mode used by some encryption algorithms. XML is a standard format for exchanging messages among Web applications, and it is implemented widely by companies all across the Web.
“We were able to decrypt data by sending modified ciphertexts to the server, by gathering information from the received error messages,” the researchers said in a statement. They presented their research at the ACM Conference on Computers and Communications Security last week.
“There is no simple patch for this problem”, Juraj Somorovsky, one of the researchers who developed the attack, said in a statement. “We therefore propose to change the standard as soon as possible.”
The CBC mode in encryption protocols has been the subject of other significant attacks in recent years. The most significant one was the padding oracle attack developed by Thai Duong and Juliano Rizzo last year, which enabled them to decrypt encrypted cookies for Web sites and hijack users’ secure sessions. That attack affected the security of Microsoft’s ASP.NET framework, and forced an emergency patch from Microsoft.
CBC mode is an older mode of encryption and it uses a method that means that every ciphertext block is dependent upon all of the plaintext blocks that have been encrypted previously.