Subject: Adding AlgorithmSuite using GCM to WS-SecurityPolicy
Hi,

as you certainly know, in October 2011 an effective attack against XML Encryption was found by some researchers in Germany [1]. The attack is described in the security advisory CVE-2011-1096 [2] and is basically constructed on specific properties of the cipher-block chaining (CBC) mode. The W3C recommendation [1] for preventing this vulnerability is to choose an encryption mode like AES-GCM, which guarantees confidentiality and integrity and is supported in the xmlenc core spec [3].

From a WS-SecurityPolicy point of view, though, using a GCM algorithm is not that straightforward, as there's no Algorithm Suite already defined for that [4] (only AES-CBC 128/192/256). As a consequence, there's no standard / vendor neutral way of specifying such policy requirements in WSDL contracts.

Hence the question, can the TC please evaluate adding new algorithm suites covering the AES-GCM algorithms?

As an example of what would be needed, please have a look at [5] and [6]: the Apache CXF implementation has defined its own AlgorithmSuite policies (in a different namespace) "Basic128GCM", "Basic192GCM" and "Basic256GCM" that work the same as the standard Basic128/192/256 ones except they use GCM instead of CBC. That of course works, but is not standard.

I'm cc-ing Juraj Somorovsky, who is part of the research team that found the vulnerability, and Colm O hEigeartaigh, who worked on the Apache CXF / WSS4J / Santuario implementation.

Thanks

[1] http://www.w3.org/QA/2011/10/some_notes_on_the_recent_xml_e.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=681916
[3] http://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
[4] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html#_Toc212617835
[5] http://cxf.apache.org/note-on-cve-2011-1096.html
[6] http://coheigea.blogspot.ie/2012/04/note-on-cve-2011-1096.html

--
Alessio Soldano
Web Service Lead, JBoss
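
An added example, not part of the original message and not Apache CXF code: a short Python audit that walks a WS-SecurityPolicy document and reports, for each AlgorithmSuite assertion, whether it is a standard CBC-based suite or a vendor GCM extension in another namespace. The sample policy is constructed, and the `sp-cxf` namespace URI in it is an assumption.

```python
import xml.etree.ElementTree as ET

# WS-SecurityPolicy namespace; the suites it defines (Basic*, TripleDes*)
# all encrypt with a CBC-mode cipher.
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
POLICY_OPERATORS = {"Policy", "ExactlyOne", "All"}

def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def audit_algorithm_suites(policy_xml):
    """Return a (name, namespace, verdict) tuple per assertion in AlgorithmSuite.

    Meant for policy files you control; parse untrusted XML with a hardened parser.
    """
    findings = []
    for elem in ET.fromstring(policy_xml).iter():
        if split_tag(elem.tag)[1] != "AlgorithmSuite":
            continue
        for child in elem.iter():
            ns, name = split_tag(child.tag)
            if child is elem or name in POLICY_OPERATORS:
                continue  # skip the wrapper and wsp:Policy/ExactlyOne/All
            if ns == SP_NS and name.startswith(("Basic", "TripleDes")):
                verdict = "cbc-standard"
            elif ns != SP_NS and name.endswith("GCM"):
                verdict = "gcm-vendor-extension"
            else:
                verdict = "other"  # e.g. canonicalization options
            findings.append((name, ns, verdict))
    return findings

# Constructed sample (not from the original message). The sp-cxf namespace
# URI is an assumption about the Apache CXF extension namespace.
SAMPLE_POLICY = """
<policies xmlns:wsp="http://www.w3.org/ns/ws-policy"
          xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
          xmlns:sp-cxf="http://cxf.apache.org/custom/security-policy">
  <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
  <sp:AlgorithmSuite><wsp:Policy><wsp:ExactlyOne><wsp:All>
    <sp-cxf:Basic128GCM/>
  </wsp:All></wsp:ExactlyOne></wsp:Policy></sp:AlgorithmSuite>
</policies>
"""

if __name__ == "__main__":
    for name, ns, verdict in audit_algorithm_suites(SAMPLE_POLICY):
        print(f"{verdict:22} {name} ({ns})")
```

A `gcm-vendor-extension` result means the contract only works with stacks that understand that vendor namespace, which is the interoperability gap the message asks the TC to close.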