Kevin W. Wall wrote:
> isn't the pre-shared key version of W3C's XML Encrypt also going to be 
> vulnerable 
> to a padding oracle attack.

Any implementation that returns distinguishable error conditions for invalid 
padding is vulnerable, XML encryption no more or less so if used in such a 
manner.  But XML encryption in particular seems much less likely to be used 
in this manner than other encryption code.

The primary use case you cite for PSK, an asynchronous message bus, is 
significantly less likely to return oracular information to an attacker than a
synchronous service.  And due to the rather unfavorable performance of
XML encryption, in practice it is rarely used for synchronous messages.  
Confidentiality for web service calls is typically provided for at the transport
layer rather than the message layer.  SAML tokens used in redirect-based
sign-on protocols are the only common use of XML encryption I'm aware 
of where the recipient might provide a padding oracle, but these messages
are always signed as well.

Brad Hill

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to