Recursive Cryptography

From WS-Attacks
(Redirected from Oversized Cryptography)
Jump to navigation Jump to search

Attack description

Web services offer a great amount of flexibility when it comes to using security features like cryptography and signature algorithms; i.e. different parts of a SOAP message can be signed or encrypted with different keys. This flexibility can be used to mount Recursive Cryptography attacks. These attacks aim at exhausting the system resources of the attacked web service. This attack is also known as Oversized Cryptography aka Cryptography DOS aka XML Complexity Attack in Soap Header.

Attack subtypes

Cryptography Denial Of Service (DOS) attacks can be split in two different but similar attacks:

  1. Chained Cryptographic Keys attack
    The "Public Key DOS" attack aims at exhausting the system resources of the attacked web service by creating a very long or "unlimited" chain of encrypted keys. In other words: in order to retrieve the key for an cryptographic operation, the key has to be decrypted first using the previous key. This process is repeated until the "last" inner key is retrieved.

    If the attack is mounted successfully, the attacked system is effected in two ways:
    1. Buffering of all Keys: The result is a high memory consumption
    2. Decrypting keys with public key Algorithms: This leads to a high CPU usage since public key algorithms require time consuming algorithms.

    This attack is also known as the Public Key DOS attack

  2. Nested Encrypted Blocks
    The attack is mounted by creating a very long or "unlimited" chain of encrypted elements. In other words: content once encrypted is re-encrypted over and over again. That means the target system has to decrypt a large amount of data to get to the original data. This attack causes a high CPU usage since many resource intensive public key operations have to be performed over a long period of time.

Prerequisites for attack

In order for this attack to work the attack has to have knowledge about the following things:

  1. Attacker knows endpoint of web service. otherwise he is not able to reach the web service.
  2. Attacker knows that the web web service processes the security header and the "encryption" element and/or "signature" element. If the web service doesn't "expect" an encrypted part, it just discards the encryption and the attack doesn't work.
  3. Attacker can reach endpoint from its location. Access to the attacked web service is required. If the web service is only available to users within a certain network of a company this attack is limited.

Graphical representation of attack

AttackedComponent Encryption.png

  • Red box = attacked web service component
  • Black box = attacker location
  • blue box = other web service components not actively used in the attack

Attack example

Instead of giving an example SOAP request with a malicious payload, only a schematic representation of the attack is given. As shown in the graphic, in order get to the final unencrypted key or element all prior encryptions have to be resolved and processed.


If you have a working example available feel free to add it to the wiki.

Attack mitigation / countermeasures

The attack can be stopped from working by applying "Strict WS-Security Policy Enforcement". That means that only SOAP Messages are accepted that are explicitly required by the security policy. Usually a WS-Security Policy defines only the minimum requirements of a SOAP message in regard to security features. However, when using "Strict WS-Security Policy Enforcement" the security features of the Policy are to be considered not only as the minimum requirement but as the maximum requirement. Any SOAP Message that doesn't apply to the policy gets discarded and doesn't reach the XML parser.

"Strict WS-Security Policy Enforcement" has to be implemented by hand by the web service developer.

Attack categorisation

Categorisation by violated security objective

The attack aims at exhausting the system resources, therefore it violates the security objective Availability.

Categorisation by number of involved parties

Categorisation by attacked component in web service architecture

Categorisation by attack spreading


  1. Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009.
  2. Leroy Metin Yaylacioglu. Business value einer web service firewall. Master’s thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.