1WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

How to Break XML Encryption – Automatically

Dennis Kupser, Christian Mainka, Jorg Schwenk, Juraj Somorovsky

Horst-Görtz Institute for IT-SecurityRuhr-University Bochum

Christian.Mainka@rub.deTwitter: @CheariX

2WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 2

Quick Introduction

3WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

XML-based Web Service

Envelope

getPrime

Body

Envelope

Body

11

thePrime

Client Server

3

4WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Motivation – XML Security

• Web Services: Method for machine-to-machine communication over networks

• Used in commerce, finance, government, military, …

• XML-based message format4

Broker

Bank

Insurance

Client

XML

XML

XML

5WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Motivation – XML Security

• SSL / TLS: transport-level security

• Messages secured only during transport!

5

Broker

Bank

Insurance

Client

6WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Motivation – XML Security

• Message level security

• Security applied directly on the messages

• No need for SSL / TLS

• Realized using XML Signature, XML Encryption

Broker

Bank

Insurance

Client

6

7WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

XML Security

• W3C Standard for securing XML messages

• XML Encryption: protects confidentiality

• XML Signature: protects authenticity and integrity

• Very flexible

7

<PaymentInfo>

<Name>John Smith</Name>

<CreditCard Limit='5,000’>

<Number>4019 ...5567</Number>

<Issuer>Example Bank</Issuer>

<Expiration>04/02</Expiration>

</CreditCard>

</PaymentInfo>

8WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 8

XML Encryption

Body

Envelope

Header

Security

EncryptedKey

EncryptionMethod

CipherData

Algorithm=”…#rsa-1_5”

EncryptedData

EncryptionMethod

CipherData

Algorithm=“…#aes128-cbc”

ReferenceList

DataReference URI=“#enc”

Id=“enc”

1

2

Asymmetric encryption / decryption

Symmetric encryption / decryption

Hybrid encryption scheme

9WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Attacks on XML Encryption

• Attacks on EncryptedData

– How to Break XML Encryption. Tibor Jager, Juraj Somorovsky. CCS 2011

• Attacks on EncryptedKey

– Bleichenbacher’s Attack Strikes Again: Breaking PKCS#1 v1.5 in XML Encryption. Tibor Jager, Sebastian Schinzel, Juraj Somorovsky. ESORICS 2012

9

Body

Envelope

Header

Security

EncryptedKey

EncryptedData

URI=“#enc”

Id=“enc”

10WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Attack Concept: Validity Oracle

• Attacker needs to send arbitrary ciphertexts!

10

XML Encryption ciphertext C = Enc(M)

Chosen ciphertext C1

valid/invalid

M = Dec(C)

Web ServiceChosen ciphertext C2

valid/invalid

Ciphertext C

…

(repeated several times)

12WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 12

Countermeasures?

13WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 13

Countermeasures – XML Signature?

Body Id=”body”

Envelope

Header

Security

Signature

Reference URI=”#body”

EncryptedKey

DataReference URI=“#enc”

EncryptedData Id=“enc”

CipherData

Attacker able to create valid signatures?

SignatureValue

14WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Countermeasures – XML Signature?

Body Id=”attacked”

Envelope

Header

Security

Signature

Reference URI=”#body”

EncryptedKey

DataReference URI=“#oracle”

EncryptedData Id=“oracle”

CipherData

Body Id=”body”

EncryptedData Id=“enc”

CipherData

XML Signature Wrapping

McIntosh and Austel. XML Signature Element Wrapping attacks, 2005

Signature validation

DecryptionBody Id=”body”

EncryptedData Id=“enc”

CipherData

14

15WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Countermeasures – XML Signature? XML Encryption Wrapping (XEW)

Body Id=”body”

Envelope

Header

Security

Signature

Reference URI=”#body”

EncryptedKey

DataReference URI=“#enc”

EncryptedData Id=“enc”

CipherData

EncryptedData Id=“oracle”

CipherData

EncryptedKey

DataReference URI=“#oracle”

Encryption Wrapping attack: WS-Security Policy

says, what must be encrypted…but it says not,

what must not be encrypted

Signature validation

Decryption

Business logic

Decryption and

15

16WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 16

WS-Attacker Implementation

17WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Detection Phase Avoid Phase Attack Phase

Automated Attack Workflow

IdentifySecurity

Elements

17

Encrypted

XML

18WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Detection Phase (Offline)

Body

Envelope

Header

Security

EncryptedKey

EncryptedData

URI=“#a”

Id=“a”

Signature URI=“#b”

Signature URI=“#c”

Timestamp Id=“c”

Id=“b”

18

19WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Detection Phase Avoid Phase Attack Phase

Automated Attack Workflow

Knowledge Pool

IdentifySecurity

Elements

SignedTimestamp?

Encrypted

XML

19

20WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Detection Phase (Offline)

Body

Envelope

Header

Security

EncryptedKey

EncryptedData

URI=“#a”

Id=“a”

Signature URI=“#b”

Signature URI=“#c”

Timestamp Id=“c”

Id=“b”

20

21WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Detection Phase Avoid Phase Attack Phase

Automated Attack Workflow

Knowledge Pool

IdentifySecurity

Elements

SignedTimestamp?

XSW

no

yes

21

Encrypted

XML

23WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY 23

Applying XSW - Complexity

24WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Detection Phase Avoid Phase Detection Phase

Automated Attack Workflow

Knowledge Pool

IdentifySecurity

Elements

SignedTimestamp?

XSW

SignedEncryptedElement

XSW

XEW

no no

yes yes

fail

fail

IdentifyOracle

yes

no

24

Encrypted

XML

25WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Web Service

Identify Oracle

• Map Server Responses to „valid“ or „invalid“

• Implementation dependent!

XML Encryption ciphertext C = Enc(M)Chosen ciphertext (IV’, C1)

<ok/>

Chosen ciphertext (IV’’,C1)

<failure/>

25

26WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Detection Phase Avoid Phase Attack Phase

Automated Attack Workflow

Knowledge Pool

IdentifySecurity

Elements

SignedTimestamp?

XSW

SignedEncryptedElement

XSW

XEW

IdentifyOracle

Apply Attackno no

yes yes

fail

fail

Decrypted

XML

yes

no

yes

fail

26

Encrypted

XML

30WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Results

System Asymmetric Attack Symmetric Attack Countermeasures applicable?

Apache Axis2 1.6.2

Apache CXF 2.7.10 yes

Axway Gateway 7.3.1 yes

IBM Datapower XI50 yes

Microsoft WCF yes

30

31WOOT’15 - How to Break XML Encryption – Automatically HORST GÖRTZ INSTITUT FOR IT-SECURITY

Conclusion

• XML – especially XML Security – is complex

• WS-Attacker can be used to test Web Service implementations automatically

– https://github.com/RUB-NDS/WS-Attacker

• Our approach is applicable to other scenarios

– SAML, JSON, …

• Preffer authenticated encryption (AES-GCM instead of AES-CBC)

31

Q&A?