ws-sx-comment message


Subject: Adding AlgorithmSuite using GCM to WS-SecurityPolicy


Hi,
as you certainly know, in October 2011 an effective attack against XML
Encryption was found by some researchers in Germany [1]. The attack
is described in the security advisory CVE-2011-1096 [2] and is basically
constructed on specific properties of the cipher-block chaining (CBC) mode.
The W3C recommendation [1] for preventing this vulnerability is to
choose an encryption mode like AES-GCM, which guarantees confidentiality
and integrity and is supported in the xmlenc core spec [3].

From a WS-SecurityPolicy point of view, though, using a GCM algorithm is
not that straightforward, as there's no Algorithm Suite already defined
for that [4] (only AES-CBC 128/192/256).
As a consequence, there's no standard / vendor-neutral way of specifying
such policy requirements in WSDL contracts.

Hence the question, can the TC please evaluate adding new algorithm
suites covering the AES-GCM algorithms?

As an example of what would be needed, please have a look at [5] and
[6]: the Apache CXF implementation has defined its own AlgorithmSuite
policies (in a different namespace) "Basic128GCM", "Basic192GCM" and
"Basic256GCM" that work the same as the standard Basic128/192/256 ones
except they use GCM instead of CBC. That of course works, but is not standard.

I'm cc-ing Juraj Somorovsky, who is part of the research team that
found the vulnerability, and Colm O hEigeartaigh, who worked on the
Apache CXF / WSS4J / Santuario implementation.

Thanks

[1] http://www.w3.org/QA/2011/10/some_notes_on_the_recent_xml_e.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=681916
[3] http://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
[4] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html#_Toc212617835
[5] http://cxf.apache.org/note-on-cve-2011-1096.html
[6] http://coheigea.blogspot.ie/2012/04/note-on-cve-2011-1096.html

-- 
Alessio Soldano
Web Service Lead, JBoss
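
The policy gap described in the message can be audited in existing contracts. The following is an added example, not part of the original message or of any project's code: it lists the AlgorithmSuite assertions in a policy document, marks which still select CBC, and marks which come from outside the WS-SecurityPolicy 1.3 namespace. The sample policy, the placeholder namespace `urn:example:custom-security-policy`, the nesting of the custom suite under `sp:AlgorithmSuite`, and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # WS-SecurityPolicy 1.3
WSP_NS = "http://www.w3.org/ns/ws-policy"
CUSTOM_NS = "urn:example:custom-security-policy"  # placeholder for a vendor namespace

# Constructed sample: two policy alternatives, one per algorithm suite.
SAMPLE = f"""
<wsp:Policy xmlns:wsp="{WSP_NS}" xmlns:sp="{SP_NS}" xmlns:cx="{CUSTOM_NS}">
 <wsp:ExactlyOne>
  <wsp:All><sp:SymmetricBinding><wsp:Policy>
   <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:SymmetricBinding></wsp:All>
  <wsp:All><sp:SymmetricBinding><wsp:Policy>
   <sp:AlgorithmSuite><wsp:Policy><cx:Basic256GCM/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:SymmetricBinding></wsp:All>
 </wsp:ExactlyOne>
</wsp:Policy>
"""

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def audit_algorithm_suites(policy_xml):
    """Return (suite, namespace, mode) for each suite assertion, in document order."""
    findings = []
    # For untrusted policy files, parse with a hardened XML parser instead.
    for el in ET.fromstring(policy_xml).iter():
        if split_tag(el.tag)[1] != "AlgorithmSuite":
            continue
        for child in el.iter():
            ns, name = split_tag(child.tag)
            # Skip wrappers and policy operators; keep only suite assertions.
            if not name.startswith(("Basic", "TripleDes")):
                continue
            # Suites in the 1.3 namespace all select a CBC cipher.
            mode = "GCM" if name.upper().endswith("GCM") else "CBC"
            findings.append((name, ns, mode))
    return findings

def cbc_suites(policy_xml):
    """Names of suites that still select a CBC cipher and need review."""
    return [n for n, _, mode in audit_algorithm_suites(policy_xml) if mode == "CBC"]

def nonstandard_suites(policy_xml):
    """Suites defined outside the WS-SecurityPolicy namespace (not portable)."""
    return [n for n, ns, _ in audit_algorithm_suites(policy_xml) if ns != SP_NS]
```
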

