Firewall Wizards mailing list archives
Re: XML tag encryption?
From: "Steven M. Bellovin" <smb () research att com>
Date: Tue, 04 Jun 2002 10:24:26 -0400
In message <5.1.0.14.2.20020603212739.02a42a30@192.168.2.253>, Rama Kant writes:

> The article you mention is more like FUD, e.g. they mention the possible loss of credit card information, being easily recognizable through XML. An example of such would be:
>
>   <amex cc no>3744 342298 98000</amex cc no>
>
> Now which application developer would be so much out of his/her mind to embed such XML codes? X in XML stands for "eXtensible" which means the client/server application can come up with its own markup tags to describe any coded information. A security conscious application would rather use tags that may describe some kind of encryption key/certificate or other encoding that is particular to that application around such sensitive information:
>
>   <adILjeei>hIwCF1yG8b5ELkEBA/4tgnrpnSVFSblGnVwt18+A86+T</adILjeei>
>
> Therefore, I really missed the point of the article besides it being a FUD to promote somebody's product.

Apart from the fact that most developers will pick such tags -- and the fact that an enemy could launch a known plaintext attack to figure out what fields are what, in your specific example I should point out that credit card numbers are self-checking and thus easily recognizable.

--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com ("Firewalls" book)
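
Added example (not part of the original message or thread): the "self-checking" property referred to above is the Luhn checksum, and the sketch below shows a data-leak check that flags plaintext card numbers in an XML document without consulting tag names at all. The sample document, its tag names and the function names are constructed for illustration; 378282246310005 is a widely published test number, and the number from the quoted message appears as a candidate that fails the checksum.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: opaque tag names, as the quoted message proposes.
SAMPLE = """<q7Rz>
  <adILjeei>3782 822463 10005</adILjeei>
  <kP0x>hIwCF1yG8b5ELkEBA/4tgnrpnSVFSblGnVwt18+A86+T</kP0x>
  <mm3Q>3744 342298 98000</mm3Q>
  <zz9t>order 20020604 qty 12</zz9t>
</q7Rz>"""

# 13 to 19 digits, optionally grouped by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(xml_text: str):
    """List (tag, digits) for element text holding a Luhn-valid number.

    Only element text is scanned; attributes and tail text are ignored
    to keep the sketch short.
    """
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        for m in CANDIDATE.finditer(elem.text or ""):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):
                hits.append((elem.tag, digits))
    return hits


if __name__ == "__main__":
    for tag, digits in find_card_numbers(SAMPLE):
        print(f"<{tag}>: Luhn-valid candidate ending {digits[-4:]}")
```

The encrypted-looking blob and the order line produce no candidates, and the 15-digit value under <mm3Q> is rejected by the checksum, so only the plaintext number under the opaque <adILjeei> tag is reported.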