XML Encryption, the W3C's cryptographic standard for encrypting parts of XML documents, has been shown to be insecure by researchers at the Ruhr University Bochum in Germany.
XML is widely used as a method of transmitting data between distinct systems or services in large projects, more often than not in the corporate world. The encryption standard is used to encrypt selected components of an XML payload, rather than the whole document, so as to prevent unauthorised access to sensitive fields. For example, an online shopper's credit card details may be encrypted as a shopping basket is passed from an online store frontend to its payment service.
"We were able to decrypt data by sending modified ciphertexts to the server, by gathering information from the received error messages," said the developers of the attack, who announced their discovery on the W3C mailing list for the standard, following responsible disclosure best practices. Some affected companies are said to be extremely interested in finding a workaround as soon as possible: every company that responded to the disclosure reported that its implementation of the standard was vulnerable, and the researchers independently verified that a popular open-source implementation was vulnerable as well.
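The attack described above depends on sending a server many modified ciphertexts and learning from the differing error messages it returns, so a defender can watch for exactly that pattern. The following example is added here and is not part of the original article or the researchers' work; it scans constructed log lines in an assumed format and flags clients whose XML decryption requests fail repeatedly within a short window, also reporting how many distinct error reasons the service revealed to them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines from a hypothetical XML-processing web service.
# The format (timestamp, client, op, result, reason) is an assumption for this example.
SAMPLE_LOG = """\
2011-10-19T10:00:01Z client=10.0.0.5 op=decrypt result=ok
2011-10-19T10:00:02Z client=10.0.0.9 op=decrypt result=error reason=bad-padding
2011-10-19T10:00:04Z client=10.0.0.9 op=decrypt result=error reason=malformed-xml
2011-10-19T10:00:07Z client=10.0.0.9 op=decrypt result=error reason=bad-padding
2011-10-19T10:00:11Z client=10.0.0.9 op=decrypt result=error reason=bad-padding
2011-10-19T10:00:15Z client=10.0.0.9 op=decrypt result=error reason=malformed-xml
2011-10-19T10:00:20Z client=10.0.0.9 op=decrypt result=error reason=bad-padding
2011-10-19T10:00:30Z client=10.0.0.5 op=decrypt result=error reason=malformed-xml
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) op=decrypt "
    r"result=(?P<result>\w+)(?: reason=(?P<reason>\S+))?$"
)


def parse_events(text):
    """Yield one dict per well-formed log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev


def find_oracle_probes(text, threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold decryption errors inside any sliding window.

    Returns {client: {"errors": peak count in a window, "reasons": sorted distinct reasons}}.
    A high error rate plus several distinguishable reasons is the signal that an
    error-message oracle is being exercised; uniform error responses remove the latter.
    """
    recent = defaultdict(deque)      # client -> timestamps of recent errors
    reasons = defaultdict(set)       # client -> distinct error reasons seen
    flagged = {}
    for ev in parse_events(text):
        if ev["result"] != "error":
            continue
        client = ev["client"]
        q = recent[client]
        q.append(ev["ts"])
        reasons[client].add(ev["reason"] or "unspecified")
        while q and ev["ts"] - q[0] > window:   # drop errors outside the window
            q.popleft()
        if len(q) >= threshold:
            peak = max(flagged.get(client, {}).get("errors", 0), len(q))
            flagged[client] = {"errors": peak, "reasons": sorted(reasons[client])}
    return flagged
```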
Fixing the mess will not be easy, though. The whole Encryption component of the XML standard will need to be rewritten, and then the respective libraries updated and distributed – a process that could take years.