On 2010-10-01 (274), at 12:29, Brad Hill wrote:

Kevin W. Wall wrote:
isn't the pre-shared key version of W3C's XML Encrypt also going to be vulnerable
to a padding oracle attack.

Any implementation that returns distinguishable error conditions for invalid padding is vulnerable, XML encryption no more or less so if used in such a manner. But XML encryption in particular seems much less likely to be used
in this manner than other encryption code.

Oh come on. This is really just a sophisticated variant of the old "never say which was wrong" - login ID or password - attack. In this case it's padding or MACing. If either fails the result should be the same: something went wrong, sorry for you. The POET Oracle depends upon the server taking a shortcut and
signaling which went wrong first.

Perfect games of Draughts always end in draws.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com

Reply via email to