Let’s face it, there are always attacks and algorithms will always be broken, right now there is very little platform support for any of the GCM algorithms
as we are going through this with JOSE work in IETF and in the Web Crypto work in W3C.
From: ws-sx@lists.oasis-open.org [mailto:ws-sx@lists.oasis-open.org]
On Behalf Of Mark Little
Sent: Tuesday, October 16, 2012 12:33 AM
To: ws-sx@lists.oasis-open.org
Subject: [ws-sx] Fwd: [ws-sx-comment] Adding AlgorithmSuite using GCM to WS-SecurityPolicy
-------- Original Message --------
Subject: [ws-sx-comment] Adding AlgorithmSuite using GCM to
WS-SecurityPolicy
Date: Mon, 08 Oct 2012 18:18:40 +0200
From: Alessio Soldano <asoldano@redhat.com>
To: ws-sx-comment@lists.oasis-open.org
CC: Colm O hEigeartaigh <coheigea@apache.org>, Juraj Somorovsky
<juraj.somorovsky@rub.de>
Hi,
as you certainly know, on October 2011 an effective attack against XML
Encryption has been found by some researcher in Germany [1]. The attack
is described in the security advisory CVE-2011-1096 [2] and is basically
constructed on specific properties of the cipher-block chaining (CBC) mode.
The W3C recommendation [1] for preventing this vulnerability is to
choose an encryption mode like AES-GCM, which guarantees confidentiality
and integrity and is supported in the xmlenc core spec [3].
From a WS-SecurityPolicy point of view, though, using a GCM algorithm is
not that straightforward, as there's no Algorithm Suite already defined
for that [4] (only AES-CBC 128/192/256).
As a consequence, there's no standard / vendor neutral way of specifying
such policy requirements in wsdl contracts.
Hence the question, can the TC please evaluate adding new algorithm
suites covering the AES-GCM algorithms?
As an example of what would be needed, please have a look at [5] and
[6]: Apache CXF implementation has defined its own AlgorithmSuite
policies (in different namespace) "Basic1268GCM", "Basic192GCM" and
"Basic256GCM" that work the same as the standard Basic128/192/256 ones
except they GCM instead of CBC. That of course works, but is not standard.
I'm cc-ing Juraj Somorovsky, who is part of the researcher team that
found the vulnerability, and Colm O hEigeartaigh, who worked on the
Apache CXF / WSS4J / Santuario implementation.
Thanks
[1] http://www.w3.org/QA/2011/10/some_notes_on_the_recent_xml_e.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=681916
[3] http://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
[4]
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/v1.3/os/ws-securitypolicy-1.3-spec-os.html#_Toc212617835
[5] http://cxf.apache.org/note-on-cve-2011-1096.html
[6] http://coheigea.blogspot.ie/2012/04/note-on-cve-2011-1096.html
--
Alessio Soldano
Web Service Lead, JBoss
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom.
Registered in UK and Wales under Company Registration No. 3798903 Directors: Michael Cunningham (USA), Charlie Peters (USA), Matt Parsons (USA) and Brendan Lane
(Ireland).
|