Widely used encryption standard is insecure, say experts

[InfoSec News <alerts () infosecnews org>]

http://www.computerworld.com/s/article/9221122/Widely_used_encryption_standard_is_insecure_say_experts

By Lucian Constantin
IDG News Service
October 22, 2011

A weakness in XML Encryption can be exploited to decrypt sensitive 
information, researchers say.

XML Encryption is used for securing communications between Web services 
by many companies, including IBM, Microsoft and Red Hat. Researchers 
Juraj Somorovsky and Tibor Jager from the Ruhr University of Bochum 
(RUB) in Germany, devised an attack that decrypts data secured with the 
DES (Data Encryption Standard) or the AES (Advanced Encryption Standard) 
in CBC (cipher block chaining) mode. They plan to present their findings 
in more detail at the ACM Conference on Computer and Communications 
Security later this year.

According to Jrg Schwenk who teaches of Electrical Engineering and 
Information Technology at RUB, all data encryption algorithms 
recommended in the XML Encryption standard are affected by this attack, 
which relies on sending modified ciphertexts to the server and analyzing 
the errors for clues.

The same technique was by used security researchers Juliano Rizzo and 
Thai Duong in their ASP.NET Framework padding oracle attack, which 
earned them this year's Pwnie award for best server-side bug. More 
recently, the researchers demonstrated a separate attack against SSL/TLS 
(Secure Sockets Layer/Transfer Layer Security) implementations that use 
CBC mode, much like this one.

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn