XML vulnerability leads to calls for standards change

German scientists say weakness in cipher block chaining mode for XML encryption means secured communications between Web services can now be decrypted, and call for change in encryption standard.
Written by Kevin Kwang, Contributor

Scientists from the Ruhr University of Bochum (RUB) in Germany have devised an attack that decrypts data secured with XML encryption, a standard that allows for secured communications between Web services. As there is no fix to the problem currently, they are calling for the World Wide Web Consortium (W3C) to change the standard.

The German researchers, Juraj Somorovsky and Tibor Jager, from RUB noted in a recent press release that XML encryption is used for securing communications between Web services by many companies, including IBM, Red Hat and Microsoft. The discovered vulnerability in the cipher block chaining mode (CBC) means that data secured with the DES (Data Encryption Standard) or the AES (Advanced Encryption Standard) can now be decrypted, leading to possible leak of sensitive corporate information, they pointed out.

Both scientists plan to present their findings in more detail at the ACM Conference on Computer and Communications Security later this year.

Somorovsky also called on the W3C, which instituted the XML encryption standard, to replace it. "There is no simple patch for this problem. We therefore propose to change the standard as soon as possible," he said.

The scientists noted that they had informed all possible affected companies through W3C's mailing list, following a "clear, responsible disclosure process".

In a separate report by tech Web site ComputerWorld on Saturday, Microsoft responded to the security threat by acknowledging the inherent weakness in XML encryption. A spokesperson said: "Microsoft is aware of research concerning an industry-wide issue affecting certain implementations of the XML encryption standard. We continue to evaluate our products to determine which applications, if any, use the implementation approach in question."

As for workarounds, Redmond did not have a recommendation to make yet. "We will provide guidance concerning Microsoft's XML implementation to third-party developers as appropriate," the spokesperson added in the report.

Editorial standards