#####Yutong Pei @ypei
xml encryption padding attack in node.js
####Simple Usage
var xmlattack = require("PROJUCT_PATH/lib/xmlpadatck");
var oracle = {
host : '127.0.0.1'
, port : 8888
, encryption_path : '/encrypt'
, verification_path : '/verify'
};
xmlattack.recoverEncryted2PlainXML("path/to/encryptedXML", oracle, function(err, result){
console.log(result) //decrypted string as result
});
####Project Files
./
|-oracle.js: the encrypt(POST to encryption_path) and verify(POST to
verification_path) oracle
|
|-./config
| |-config.js: store all config
|
|-encrypt.js: encrypt plaintext xml
|
|-./test
| |-xmlpadding.attack.js: unit test on attack
| |-xmlpadding.oracle.js: unit test on oracle
|
|-./lib
|-xmlpadatck.js: the attack script
####Test
-
Install node.js
-
Generate test plain xml as test/testN-plaintext.xml
-
Start oracle
node oracle.js
-
Encrypt xml
node encrypt.js test/testN-plaintext.xml
-
Add test in test/xmlpadding.attack.js
it('should pass testN xml', function (done) { xmlPaddingAttackVerifier('/testN-encrypted.xml', '/testN-plaintext.xml', function(err, result, plain){ assert.equal(err, null); assert.equal(result, plain); }, done); });
-
run test
mocha --timeout 60000000
####Details
######Attack The attack follows described in How to Break XML Encryption
The general idea is verify oracle for XML encryption on ascii will return Error on invalid characters. Therefore, by split ascii characters in to TypeA(occurs error) and TypeB(not occurs error), adversary recover plain text from cipher text by alter each byte TypeB character to specific TypeA character, then target which TypeB character it is.
The attack is split into two major parts:
The FindIV takes cipher text C and returns an initialization vector iv such that the cipher text c = (iv, C[i]) is well-formed where i is block index
The FindXbyte takes byte index j and a well-formed c = (iv, C[i]) from FindIV and returns the j-th byte x[j] of the CBC decryption intermediate value x = Dec(k, C[i]). Finally m can be recovered by x easily since m[i] = x[i] XOR iv
For more information, please read the original paper
######beyond the paper In this project I did two things beyond the paper:
- Fix the problem that a full 0x10 padding block will always occurs TypeA error regardless how padding changes
- Able to handle self closed tags like: which are not described in original paper
######further Further improvement for this project:
- optimize the algorithm to accurate break spead