Adaptive Chosen-Ciphertext Attacks

From WS-Attacks
Jump to navigation Jump to search

Attack description

XML Encryption typically uses a hybrid encryption scheme to protect data confidentiality. To this end, the data is first encrypted with a symmetric key (e.g., by using an AES-CBC algorithm). Afterwards, the symmetric key is encrypted with a public encryption scheme by applying the server's public key (e.g., by using RSA PKCS1). Servers using Cipher Block Chaining (CBC) mode of operation and RSA PKCS1 are under certain circumstances vulnerable to adaptive chosen-ciphertext attacks. These attacks allow an attacker to recover the encrypted data. In the following, we give a high-level description of these attacks and how they can be applied to XML Encryption applications.

In an adaptive chosen-ciphertext attack scenario, the attacker's goal is to decrypt a ciphertext C without any knowledge of the (symmetric or asymmetric) decryption key. To this end, he iteratively issues new ciphertexts C', C'', ... that are somehow related to the original ciphertext C. He sends the ciphertexts to a receiver, and observes its responses. The receiver acts as an oracle since its responses leak specific information about the validity of the decrypted message. With each response the attacker learns some plaintext information. He repeats these steps until he decrypts C. See the following figure for the description of this scenario.


Two major examples of these attacks are Vaudenay's attack on CBC-based symmetric encryption and Bleichenbacher's attack on RSA-PKCS1-based public-key encryption. Cryptographic details behind these attacks are not relevant to this description. It is just necessary to know that the attacks against these cryptographic algorithms are applicable if an oracle is given that decrypts a ciphertext and responds with 1 (valid) or 0 (invalid) according to the validity of the decrypted message. A typical reason for answering with 0 is that the decrypted message contains an invalid padding. Thus, the attacks are also known as padding oracle attacks.

Recently, two works on XML Encryption were published that are based on the attacks of Vaudenay and Bleichenbacher:

  1. Attack on CBC-based symmetric ciphertexts in XML Encryption
  2. Attack on RSA PKCS1-based asymmetric ciphertexts in XML Encryption

Attack subtypes

There are 2 attack subtypes.

Prerequisites for attack

The following prerequisites are needed to execute the attacks:

  1. Attacker can reach endpoint from its location.
  2. Attacker is in possession of an encrypted SOAP message.
  3. Attacker can modify the ciphertext inside the message and this modification is not rejected by the server. This means the ciphertext is not signed or the attacker can execute further attacks (e.g. XML Signature Wrapping) to modify the signed ciphertext.
  4. The server responds with 1 or 0 according to the validity of the decrypted message. The different messages can for example be a result of incorrect decryption processing or parsing of the decrypted message.

Graphical representation of attack

The attack targets the decryption component of a Web Service, in combination with the application logic (if the ciphertext is correctly decrypted, the attacker can get information based on the error messages coming from the application logic).

AttackedComponent None.png

  • Red = attacked web service component
  • Black = location of attacker
  • Blue = web service component not directly involved in attack.

Attack example

Attack mitigation / countermeasures

Attack categorisation

Categorisation by violated security objective

Categorisation by number of involved parties


Categorisation by attacked component in web service architecture

Categorisation by attack spreading