how to break xml encryption
play

How to Break XML Encryption Automatically Dennis Kupser, Christian - PowerPoint PPT Presentation

How to Break XML Encryption Automatically Dennis Kupser, Christian Mainka, Jrg Schwenk, Juraj Somorovsky Ruhr University Bochum @jurajsomorovsky 1 How to Break XML Encry rypt ption on Autom omati atical ally ly Juraj


  1. How to Break XML Encryption – Automatically Dennis Kupser, Christian Mainka, Jörg Schwenk, Juraj Somorovsky Ruhr University Bochum @jurajsomorovsky 1 How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 1

  2. About Me and Our Institute • Security Researcher at: – Chair for Network and Data Security • Prof. Dr. Jörg Schwenk • Web Services, Single Sign-On, (Applied) Crypto, SSL, crypto currencies • Provable security, attacks and defenses – Horst Görtz Institute for IT-Security • Further topics: embedded security, malware, crypto … – Ruhr University Bochum • Penetration tests, security analyses, workshops … How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 2 2

  3. Overview 1. What is a Web Service and XML Security 2. XML Signature Wrapping 3. Attacks on XML Encryption 4. Attacks on Symmetric Encryption Scheme 1. Attack Scenario 2. Plaintext Validity 3. Using Web Service for Plaintext Validation 4. Decrypting by Checking Plaintext Validity 5. Countermeasures and Problems 6. WS-Attacker How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 3 3

  4. What is a (SOAP) Web Service? Envelope Body Client getPrime Server Envelope Body thePrime 11 How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 4 4

  5. More complicated scenarios … XML XML Bank XML Client Broker Insurance How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 5 5

  6. Security? • SSL / TLS: Transport-Level Security Bank Client Broker Insurance • Messages are only secured during transport How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 6 6

  7. Motivation – XML Security • Message Level Security Bank Client Broker Insurance • Messages protected directly • XML Security How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 7 7

  8. XML Security • Methods for cryptographic algorithms in XML • XML Signature : authenticity and integrity • XML Encryption : confidentiality • Flexible <PaymentInfo> <Name>John Smith</Name> <CreditCard Limit= '5,000’> <Number>4019 ...5567</Number> <Issuer>Example Bank</Issuer> <Expiration>04/02</Expiration> </CreditCard> </PaymentInfo> 8 How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 8

  9. XML Security Areas • Financial services: – Electronic Banking Internet Communication (EBICS) • Healthcare: – Australian eHealth Technical Specification • Governmental services: – ID cards in Estonia, Germany, Hungary, … • System integration, firewalls How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 10 10

  10. Overview 1. What is a Web Service and XML Security 2. XML Signature Wrapping 3. Attacks on XML Encryption 4. Attacks on Symmetric Encryption Scheme 1. Attack Scenario 2. Plaintext Validity 3. Using Web Service for Plaintext Validation 4. Decrypting by Checking Plaintext Validity 5. Countermeasures and Problems 6. WS-Attacker How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 12 12

  11. XML Signature Envelope Header Security Signature SignedInfo Reference URI=”#body” DigestValue Reference URI=”#Timestamp” DigestValue SignatureValue Timestamp Id =”Timestamp” Body Id =”body” MonitorInstances How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 13

  12. XML Signature Wrapping / Rewriting McIntosh, Austel (2005) Envelope Bhargavan, Fournet , Gordon, O’Shea (2005) Header Security Signature SignedInfo Reference URI=”#body” SignValue Wrapper Body Id =”body” MonitorInstances InstanceId Id Body Id =”attack” Body Id =”body” CreateKeyPair MonitorInstances KeyName attackerKey InstanceId Id How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 14

  13. XML Signature Wrapping Why does the attack work? How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 15 15

  14. XML Signature Wrapping Envelope Header Security Server Application logic  Signature SignedInfo Verification logic  Reference URI=”#body” KeyInfo Wrapper Body Id =”body” MonitorInstances InstanceId Id Body Id =”attack” CreateKeyPair KeyName attackerKey How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 16

  15. XML Signature Wrapping • Attacks on Amazon EC2 / Eucalyptus clouds • Juraj Somorovsky, Mario Heiderich, Meiko Jensen, Jörg Schwenk, Nils Gruschka, Luigi Lo Iacono: All Your Clouds Are Belong to Us – Security Analysis of Cloud Management Interfaces - CCSW 2011. soap User soap Cloud Controller How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 17 17

  16. Further Attacks: SAML Signature XXE Wrapping Vladislav Mladenov, Christian Mainka, Florian Feldmann, Julian Krautwald, Jörg Schwenk: Your Software at my Service , CCSW 2014 19 How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 19

  17. Overview 1. What is a Web Service and XML Security 2. XML Signature Wrapping 3. Attacks on XML Encryption 4. Attacks on Symmetric Encryption Scheme 1. Attack Scenario 2. Plaintext Validity 3. Using Web Service for Plaintext Validation 4. Decrypting by Checking Plaintext Validity 5. Countermeasures and Problems 6. WS-Attacker How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 20 20

  18. XML Encryption Hybrid encryption scheme Envelope Header Security EncryptedKey EncryptionMethod Algorithm=”…#rsa - 1_5” CipherData 1 Asymmetric encryption / decryption ReferenceList DataReference URI=“#enc” Body EncryptedData Id=“enc” EncryptionMethod Algorithm=“…#aes128 - cbc” CipherData 2 Symmetric encryption / decryption How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 22 22

  19. Attacks on XML Encryption • Attacks on EncryptedKey – Bleichenbacher’s Attack Strikes Again: Breaking PKCS#1 v1.5 in XML Encryption. Tibor Jager, Sebastian Schinzel, Juraj Somorovsky. ESORICS 2012 Envelope Header Security • Attacks on EncryptedData EncryptedKey URI=“#enc” – How to Break XML Encryption. Tibor Jager, Juraj Somorovsky. CCS 2011 Body EncryptedData Id=“enc” Adaptive chosen-ciphertext attacks How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 23 23

  20. Adaptive chosen-ciphertext attack XML Encryption ciphertext C = Enc(M) XML Encryption ciphertext C = Enc(M) Chosen ciphertext C 1 valid/invalid Chosen ciphertext C 2 Web Service Client valid/invalid … M = Dec(C) (repeated several times) CCS 2011 ESORICS 2012 Encryption symmetric asymmetric Server-Queries 14 / plaintext byte 400k to 82M / key How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 24 24

  21. Overview 1. What is a Web Service and XML Security 2. XML Signature Wrapping 3. Attacks on XML Encryption 4. Attacks on Symmetric Encryption Scheme 1. Attack Scenario 2. Plaintext Validity 3. Using Web Service for Plaintext Validation 4. Decrypting by Checking Plaintext Validity 5. Countermeasures and Problems 6. WS-Attacker How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 25 25

  22. Attack Scenario XML Encryption ciphertext C = Enc(M) XML Encryption ciphertext C = Enc(M) Chosen ciphertext C 1 valid/invalid plaintext Chosen ciphertext C 2 Web Service Client valid/invalid plaintext … M = Dec(C) (repeated several times) • What is a “valid” plaintext? • How to use Web Service as “plaintext validity oracle”? • How to use this oracle to decrypt C? How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 26 26

  23. Overview 1. What is a Web Service and XML Security 2. XML Signature Wrapping 3. Attacks on XML Encryption 4. Attacks on Symmetric Encryption Scheme 1. Attack Scenario 2. Plaintext Validity 3. Using Web Service for Plaintext Validation 4. Decrypting by Checking Plaintext Validity 5. Countermeasures and Problems 6. WS-Attacker How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 27 27

  24. Plaintext Validity • XML is a text-based data format • XML parsing • Characters (usually) encoded in ASCII How to Break XML Encry rypt ption on – Autom omati atical ally ly Juraj Somorovsky 28 28

Recommend


More recommend