Kevin W. Wall wrote: > isn't the pre-shared key version of W3C's XML Encrypt also going to be > vulnerable > to a padding oracle attack.
Any implementation that returns distinguishable error conditions for invalid padding is vulnerable, XML encryption no more or less so if used in such a manner. But XML encryption in particular seems much less likely to be used in this manner than other encryption code. The primary use case you cite for PSK, an asynchronous message bus, is significantly less likely to return oracular information to an attacker than a synchronous service. And due to the rather unfavorable performance of XML encryption, in practice it is rarely used for synchronous messages. Confidentiality for web service calls is typically provided for at the transport layer rather than the message layer. SAML tokens used in redirect-based sign-on protocols are the only common use of XML encryption I'm aware of where the recipient might provide a padding oracle, but these messages are always signed as well. Brad Hill --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
