Thai Duong wrote:
> On Tue, Sep 28, 2010 at 12:49 PM, Peter Gutmann
> <pgut...@cs.auckland.ac.nz> wrote:
> 
>> Ye gods, how can you screw something that simple up that much?  They use the
>> appropriate, and secure, HMAC-SHA1 and AES, but manage to apply it backwards!
> 
> I guess they just follow SSL.
> 
> BTW, they screw up more badly in other places. Download .NET
> Reflector, decompile .NET source, and do a grep 'DecryptString',
> you'll see at least three places where they don't even use a MAC at
> all.

So, I think I brought this up once before with Thai, but isn't the
pre-shared key version of W3C's XML Encrypt also going to be vulnerable
to a padding oracle attack. IIRC, W3C doesn't specify MAC at all, so unless
you use XML Digital Signature after using XML Encrypt w/ a PSK, then
it seems to me you are screwed in that case as well. And there are
some cases where using a random session key that's encrypted with a
recipient's public key is just not scalable (e.g., when sending out
to over something like Java Message Service, or the Tibco Bus, or
almost anything that uses multicast). And even if a new XML Encrypt
spec for using with PSK was adopted tomorrow, the adoption would take
quite a long time.  Sure hope I'm wrong about that. Maybe one of
you real cryptographers can set me straight on this.

-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to