XML encryption has long been one of the most relied-upon protection techniques employed by web services for data both stored and in transit. But according to German researchers, the XML framework has a flaw that can be exploited through a fairly simple attack.
Juraj Somorovsky and Tibor Jager of Ruhr University Bochum have called on XML framework providers to reevaluate and develop a new standard of data encryption, InformationWeek and others reported this week.
According to the researchers, who presented their findings at the ACM Conference on Computer and Communications Security in Chicago last week, the XML encryption standard is vulnerable to an attack against its cipher block chaining (CBC) mode. The attack can affect any message encrypted with the algorithms supported by the XML standard.
"We were able to decrypt data by sending modified ciphertexts to the server, by gathering information from the received error messages," the researchers said in a statement, according to InformationWeek.
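As an added illustration, not code from the article or from the researchers, the Go sketch below contrasts the kind of receiver described above, an unauthenticated CBC decryptor whose padding failure and XML parse failure surface as two different errors, with an AES-GCM receiver that authenticates the ciphertext before anything is parsed and maps every modification to one error. The key, IV, nonce and the '<'-prefix check standing in for the XML parser are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)

// Constructed demo key (never hard-code a real one), expanded once as an AES block and as AES-GCM.
var blk, _ = aes.NewCipher([]byte("0123456789abcdef"))
var gcm, _ = cipher.NewGCM(blk)
var (
	errPadding = errors.New("invalid padding")   // reveals: the padding check failed
	errParse   = errors.New("xml parse error")   // reveals: padding passed, content did not
	errAuth    = errors.New("decryption failed") // the hardened receiver's only error
)

// cbcEncrypt mimics the 2002 standard's unauthenticated CBC: the last byte gives the padding length.
func cbcEncrypt(iv, plaintext []byte) []byte {
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return ct
}

// cbcDecrypt (weak receiver): distinct errors tell the sender of a modified ciphertext which check failed.
func cbcDecrypt(iv, ct []byte) ([]byte, error) {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n < 1 || n > aes.BlockSize || n > len(pt) {
		return nil, errPadding
	}
	if pt = pt[:len(pt)-n]; len(pt) == 0 || pt[0] != '<' { // constructed stand-in for the XML parser
		return nil, errParse
	}
	return pt, nil
}

// Hardened receiver: AES-GCM authenticates before any parsing, so every modification yields the same error.
func gcmEncrypt(nonce, plaintext []byte) []byte { return gcm.Seal(nil, nonce, plaintext, nil) }
func gcmDecrypt(nonce, ct []byte) ([]byte, error) {
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, errAuth
	}
	return pt, nil
}
```

The same lesson applies to the SOAP layer: a signature or MAC must be verified before the decrypted bytes reach the parser, and the error returned to the sender must not depend on where verification failed.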
Somorovsky added that there is no simple patch to the vulnerability, eWeek reported, necessitating the development of a new standard. The current XML encryption standard has been in place since 2002 and is widely used by major organizations, including IBM, Microsoft, Red Hat and others.
Amazon.com, which told eWeek it had fixed the problem on its end, described how serious the vulnerability could be.
"The research showed that errors in [Simple Object Access Protocol] parsing may have resulted in specially crafted SOAP requests with duplicate message elements and/or missing cryptographic signatures being processed," Amazon stated. "If this were to occur, an attacker who had access to an unencrypted SOAP message could potentially take actions as another valid user and perform invalid EC2 actions."
This isn't the only instance in which a data security standard has been challenged in recent months. The hack of Dutch SSL certificate provider DigiNotar caused panic throughout the IT industry, as it was unclear how far the company's certificates could be trusted. The issue was so severe that it eventually forced DigiNotar to file for bankruptcy in September.
Though this latest revelation is unlikely to make any major XML framework provider close its doors, it could have a significant impact on the data security industry, as XML encryption is one of the most widely used standards, likely because it was believed to be one of the most secure. How the industry will respond is still unclear. Though it is evident that work is needed, developing a completely new standard could take time.
Security News from SimplySecurity.com by Trend Micro