Upload
others
View
10
Download
0
Embed Size (px)
Citation preview
1WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
How to Break XML Encryption – Automatically
Dennis Kupser, Christian Mainka, Jorg Schwenk, Juraj Somorovsky
Horst-Görtz Institute for IT-SecurityRuhr-University Bochum
[email protected]: @CheariX
2WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 2
Quick Introduction
3WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
XML-based Web Service
Envelope
getPrime
Body
Envelope
Body
11
thePrime
Client Server
3
4WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Motivation – XML Security
• Web Services: Method for machine-to-machine communication over networks
• Used in commerce, finance, government, military, …
• XML-based message format4
Broker
Bank
Insurance
Client
XML
XML
XML
5WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Motivation – XML Security
• SSL / TLS: transport-level security
• Messages secured only during transport!
5
Broker
Bank
Insurance
Client
6WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Motivation – XML Security
• Message level security
• Security applied directly on the messages
• No need for SSL / TLS
• Realized using XML Signature, XML Encryption
Broker
Bank
Insurance
Client
6
7WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
XML Security
• W3C Standard for securing XML messages
• XML Encryption: protects confidentiality
• XML Signature: protects authenticity and integrity
• Very flexible
7
<PaymentInfo>
<Name>John Smith</Name>
<CreditCard Limit='5,000’>
<Number>4019 ...5567</Number>
<Issuer>Example Bank</Issuer>
<Expiration>04/02</Expiration>
</CreditCard>
</PaymentInfo>
8WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 8
XML Encryption
Body
Envelope
Header
Security
EncryptedKey
EncryptionMethod
CipherData
Algorithm=”…#rsa-1_5”
EncryptedData
EncryptionMethod
CipherData
Algorithm=“…#aes128-cbc”
ReferenceList
DataReference URI=“#enc”
Id=“enc”
1
2
Asymmetric encryption / decryption
Symmetric encryption / decryption
Hybrid encryption scheme
9WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Attacks on XML Encryption
• Attacks on EncryptedData
– How to Break XML Encryption. Tibor Jager, Juraj Somorovsky. CCS 2011
• Attacks on EncryptedKey
– Bleichenbacher’s Attack Strikes Again: Breaking PKCS#1 v1.5 in XML Encryption. Tibor Jager, Sebastian Schinzel, Juraj Somorovsky. ESORICS 2012
9
Body
Envelope
Header
Security
EncryptedKey
EncryptedData
URI=“#enc”
Id=“enc”
10WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Attack Concept: Validity Oracle
• Attacker needs to send arbitrary ciphertexts!
10
XML Encryption ciphertext C = Enc(M)
Chosen ciphertext C1
valid/invalid
M = Dec(C)
Web ServiceChosen ciphertext C2
valid/invalid
Ciphertext C
…
(repeated several times)
12WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 12
Countermeasures?
13WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 13
Countermeasures – XML Signature?
Body Id=”body”
Envelope
Header
Security
Signature
Reference URI=”#body”
EncryptedKey
DataReference URI=“#enc”
EncryptedData Id=“enc”
CipherData
Attacker able to create valid signatures?
SignatureValue
14WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Countermeasures – XML Signature?
Body Id=”attacked”
Envelope
Header
Security
Signature
Reference URI=”#body”
EncryptedKey
DataReference URI=“#oracle”
EncryptedData Id=“oracle”
CipherData
Body Id=”body”
EncryptedData Id=“enc”
CipherData
XML Signature Wrapping
McIntosh and Austel. XML Signature Element Wrapping attacks, 2005
Signature validation
DecryptionBody Id=”body”
EncryptedData Id=“enc”
CipherData
14
15WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Countermeasures – XML Signature? XML Encryption Wrapping (XEW)
Body Id=”body”
Envelope
Header
Security
Signature
Reference URI=”#body”
EncryptedKey
DataReference URI=“#enc”
EncryptedData Id=“enc”
CipherData
EncryptedData Id=“oracle”
CipherData
EncryptedKey
DataReference URI=“#oracle”
Encryption Wrapping attack: WS-Security Policy
says, what must be encrypted…but it says not,
what must not be encrypted
Signature validation
Decryption
Business logic
Decryption and
15
16WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 16
WS-Attacker Implementation
17WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Detection Phase Avoid Phase Attack Phase
Automated Attack Workflow
IdentifySecurity
Elements
17
Encrypted
XML
18WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Detection Phase (Offline)
Body
Envelope
Header
Security
EncryptedKey
EncryptedData
URI=“#a”
Id=“a”
Signature URI=“#b”
Signature URI=“#c”
Timestamp Id=“c”
Id=“b”
18
19WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Detection Phase Avoid Phase Attack Phase
Automated Attack Workflow
Knowledge Pool
IdentifySecurity
Elements
SignedTimestamp?
Encrypted
XML
19
20WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Detection Phase (Offline)
Body
Envelope
Header
Security
EncryptedKey
EncryptedData
URI=“#a”
Id=“a”
Signature URI=“#b”
Signature URI=“#c”
Timestamp Id=“c”
Id=“b”
20
21WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Detection Phase Avoid Phase Attack Phase
Automated Attack Workflow
Knowledge Pool
IdentifySecurity
Elements
SignedTimestamp?
XSW
no
yes
21
Encrypted
XML
23WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 23
Applying XSW - Complexity
24WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Detection Phase Avoid Phase Detection Phase
Automated Attack Workflow
Knowledge Pool
IdentifySecurity
Elements
SignedTimestamp?
XSW
SignedEncryptedElement
XSW
XEW
no no
yes yes
fail
fail
IdentifyOracle
yes
no
24
Encrypted
XML
25WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Web Service
Identify Oracle
• Map Server Responses to „valid“ or „invalid“
• Implementation dependent!
XML Encryption ciphertext C = Enc(M)Chosen ciphertext (IV’, C1)
<ok/>
Chosen ciphertext (IV’’,C1)
<failure/>
25
26WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Detection Phase Avoid Phase Attack Phase
Automated Attack Workflow
Knowledge Pool
IdentifySecurity
Elements
SignedTimestamp?
XSW
SignedEncryptedElement
XSW
XEW
IdentifyOracle
Apply Attackno no
yes yes
fail
fail
Decrypted
XML
yes
no
yes
fail
26
Encrypted
XML
30WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Results
System Asymmetric Attack Symmetric Attack Countermeasures applicable?
Apache Axis2 1.6.2
Apache CXF 2.7.10 yes
Axway Gateway 7.3.1 yes
IBM Datapower XI50 yes
Microsoft WCF yes
30
31WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY
Conclusion
• XML – especially XML Security – is complex
• WS-Attacker can be used to test Web Service implementations automatically
– https://github.com/RUB-NDS/WS-Attacker
• Our approach is applicable to other scenarios
– SAML, JSON, …
• Preffer authenticated encryption (AES-GCM instead of AES-CBC)
31
Q&A?