Re: XML tag encryption?

["Steven M. Bellovin" <smb () research att com>]

In message <5.1.0.14.2.20020603212739.02a42a30@192.168.2.253>, Rama Kant writes
:
> The article you mention is more like FUD, e.g. they mention the possible 
> loss of  credit card information, being easily recognizable through 
> XML.  An example of such would be:
>
> <amex cc no>3744 342298 98000</amex cc no>
>
> Now which application developer would be so much out of his/her mind to 
> embed such XML codes?  X in XML stands for "eXtensible"  which means the 
> client/server application can come up with its own markup tags to describe 
> any coded information.  A security conscious application would rather use 
> tags that may describe some kind of encryption key/certificate or other 
> encoding that is particular to that application around such sensitive 
> information:
>
> <adILjeei>hIwCF1yG8b5ELkEBA/4tgnrpnSVFSblGnVwt18+A86+T</adILjeei>
>
> Therefore, I really missed the point of the article besides it being a FUD 
> to promote somebody's product.
Apart from the fact that most developers will pick such tags -- and the 
fact that an enemy could launch a known plaintext attack to figure out 
what fields are what, in your specific example I should point out that 
credit card numbers are self-checking and thus easily recognizable.

                --Steve Bellovin, http://www.research.att.com/~smb (me)
                http://www.wilyhacker.com ("Firewalls" book)


_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards