Thai Duong wrote:

> On Tue, Sep 28, 2010 at 12:49 PM, Peter Gutmann
> <pgut...@cs.auckland.ac.nz> wrote:
>
>> Ye gods, how can you screw something that simple up that much? They use the
>> appropriate, and secure, HMAC-SHA1 and AES, but manage to apply it backwards!
>
> I guess they just follow SSL.
>
> BTW, they screw up more badly in other places. Download .NET
> Reflector, decompile .NET source, and do a grep 'DecryptString',
> you'll see at least three places where they don't even use a MAC at
> all.
So, I think I brought this up once before with Thai, but isn't the pre-shared key version of W3C's XML Encrypt also going to be vulnerable to a padding oracle attack? IIRC, W3C doesn't specify a MAC at all, so unless you use XML Digital Signature after using XML Encrypt w/ a PSK, then it seems to me you are screwed in that case as well.

And there are some cases where using a random session key that's encrypted with a recipient's public key is just not scalable (e.g., when sending out over something like Java Message Service, or the Tibco Bus, or almost anything that uses multicast). And even if a new XML Encrypt spec for use with a PSK was adopted tomorrow, the adoption would take quite a long time.

Sure hope I'm wrong about that. Maybe one of you real cryptographers can set me straight on this.

-kevin
--
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents." -- Nathaniel Borenstein, co-creator of MIME

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
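The thread turns on two mistakes: applying a MAC "backwards" (MAC-then-encrypt, so the padding check runs before authentication) and using a cipher with no MAC at all, either of which leaves CBC padding errors observable to an attacker. The following Go program is an added example, not code from the thread or from any .NET or W3C implementation, showing the arrangement that closes the oracle: encrypt-then-MAC over IV||ciphertext, a constant-time tag check that runs before any decryption, and a single error value for every rejection so that a forged message never reaches the padding logic at all. The key sizes, the choice of HMAC-SHA256 rather than the HMAC-SHA1 mentioned above, and the `Seal`/`Open` names are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ErrAuth is the only error Open returns for a rejected message, whether the
// ciphertext, the IV, the tag or the length was tampered with. A single,
// uniform failure is what keeps padding errors from becoming an oracle.
var ErrAuth = errors.New("message authentication failed")

// pkcs7Pad appends PKCS#7 padding so the input is a whole number of blocks.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding. In Open it only ever sees authentic
// plaintext, so its error detail cannot leak anything about forged inputs.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// Seal produces iv || AES-CBC(ciphertext) || HMAC-SHA256(macKey, iv || ciphertext).
// The tag covers the IV as well, so IV manipulation is also detected.
func Seal(encKey, macKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append(iv, ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil // appends the 32-byte tag to body
}

// Open verifies the tag in constant time BEFORE decrypting; a message that
// fails the check is never fed to CBC or to the padding parser.
func Open(encKey, macKey, msg []byte) ([]byte, error) {
	const tagLen = sha256.Size
	// Minimum: one IV block, one ciphertext block, one tag.
	if len(msg) < 2*aes.BlockSize+tagLen {
		return nil, ErrAuth
	}
	body, tag := msg[:len(msg)-tagLen], msg[len(msg)-tagLen:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) { // constant-time comparison
		return nil, ErrAuth
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, ErrAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	out, err := pkcs7Unpad(pt, aes.BlockSize)
	if err != nil {
		return nil, ErrAuth // unreachable for authentic data; still uniform
	}
	return out, nil
}

func main() {
	// Constructed demo keys; real keys come from a KDF or key store.
	encKey := bytes.Repeat([]byte{0x11}, 16)
	macKey := bytes.Repeat([]byte{0x22}, 32)
	msg, _ := Seal(encKey, macKey, []byte("hello padding"))
	msg[20] ^= 0x01 // flip one ciphertext bit
	_, err := Open(encKey, macKey, msg)
	fmt.Println("tampered message:", err) // tampered message: message authentication failed
}
```

The order of operations in `Open` is the whole point: because the HMAC covers everything the decryptor will touch and is checked first, the padding branch only runs on data the sender actually produced, and the attacker's modified ciphertexts all collapse into one indistinguishable `ErrAuth`. A PSK-only XML Encryption profile with no signature, as discussed above, has no such step, which is why a separate authentication layer (or an AEAD mode) is needed rather than CBC alone.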