Last Wednesday, two cryptographers at the ACM Conference on Computer and Communications Security demonstrated a successful attack against XML Encryption. XML Encryption is a W3C Standard, which means that for the most part it ought to be well-tested, secure and fairly unbreakable. The W3C name carries no small amount of weight and the fact that XML Encryption is a standard that they endorse means that many companies have implemented it and are using it currently.
XML Encryption is a standard that allows an XML message to contain one or more
elements that can only be read by a trusted party. It is different than Transport Layer Security in that only part of the message is encrypted, not all of the message. The attack that the two researchers, Juraj Somorovsky and Tibor Jager, unveiled involves manipulating the contents of a known cyphertext, passing them to the server, and analyzing the resulting error message enough times to be able to decode the encrypted data. The attack was tested against a number of XML Encryption implementations.
This attack ought to make companies that use XML Encryption as part of their enterprise solution rethink their security methods. It doesn’t seem as though this issue will be “fixed” within the standard any time soon, so companies should be urged to switch to another encryption method.
The press release can be found here.