Thai Duong wrote:
> On Tue, Sep 28, 2010 at 12:49 PM, Peter Gutmann
> <> wrote:
>> Ye gods, how can you screw something that simple up that much?  They use the
>> appropriate, and secure, HMAC-SHA1 and AES, but manage to apply it backwards!
> I guess they just follow SSL.
> BTW, they screw up more badly in other places. Download .NET
> Reflector, decompile .NET source, and do a grep 'DecryptString',
> you'll see at least three places where they don't even use a MAC at
> all.

So, I think I brought this up once before with Thai, but isn't the
pre-shared key version of W3C's XML Encrypt also going to be vulnerable
to a padding oracle attack? IIRC, W3C doesn't specify a MAC at all, so unless
you use XML Digital Signature after using XML Encrypt w/ a PSK, then
it seems to me you are screwed in that case as well. And there are
some cases where using a random session key that's encrypted with a
recipient's public key is just not scalable (e.g., when sending out
over something like Java Message Service, or the Tibco Bus, or
almost anything that uses multicast). And even if a new XML Encrypt
spec for use with a PSK were adopted tomorrow, the adoption would take
quite a long time.  Sure hope I'm wrong about that. Maybe one of
you real cryptographers can set me straight on this.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME
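For readers following the thread: the failure Peter describes (HMAC-SHA1 and AES "applied backwards") and the one Kevin worries about (CBC under a PSK with no MAC at all) are both closed by the same construction, encrypt-then-MAC with the tag checked before any decryption. The Go program below is an added illustration written for this page, not code from the thread, from .NET, or from the XML Encryption spec; the keys and the sample payload are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)
// ErrAuth is the only error returned for bad input, so "bad MAC" and "bad padding" are indistinguishable.
var ErrAuth = errors.New("authentication failed")
// tag is HMAC-SHA1 over IV||ciphertext under a MAC key separate from the AES key.
func tag(macKey, msg []byte) []byte { h := hmac.New(sha1.New, macKey); h.Write(msg); return h.Sum(nil) }
// Seal: PKCS#7 pad, AES-CBC under a fresh IV, then MAC the result (encrypt-then-MAC). Layout: IV||CT||tag.
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil { return nil, err }
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	msg := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(msg[:aes.BlockSize]); err != nil { return nil, err }
	cipher.NewCBCEncrypter(block, msg[:aes.BlockSize]).CryptBlocks(msg[aes.BlockSize:], padded)
	return append(msg, tag(macKey, msg)...), nil
}
// Open verifies the tag in constant time BEFORE decrypting: a modified ciphertext never reaches the unpadder.
func Open(encKey, macKey, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil { return nil, err }
	n := len(sealed) - sha1.Size // the short-circuit below keeps every slice in bounds
	if n < 2*aes.BlockSize || n%aes.BlockSize != 0 || !hmac.Equal(tag(macKey, sealed[:n]), sealed[n:]) {
		return nil, ErrAuth
	}
	pt := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, sealed[:aes.BlockSize]).CryptBlocks(pt, sealed[aes.BlockSize:n])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, ErrAuth // unreachable for authentic data; same error regardless
	}
	return pt[:len(pt)-pad], nil
}
func main() {
	encKey, macKey := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed demo keys
	sealed, _ := Seal(encKey, macKey, []byte("<CreditCard>4111</CreditCard>"))
	sealed[len(sealed)-sha1.Size-1] ^= 1 // flip one ciphertext byte in transit
	_, err := Open(encKey, macKey, sealed)
	fmt.Println("tampered message rejected:", err)
}
```

With the MAC-then-encrypt ordering, or with no MAC, the same flipped byte would reach the CBC decryptor and the unpadder, and any difference in the error or timing between "bad padding" and "wrong plaintext" is the oracle.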

The Cryptography Mailing List