Saturday, October 29, 2011

About Xecrets and the XML Encryption Vulnerability

On October 19, researchers at the Ruhr-Universität Bochum announced a flaw in W3C XML Encryption.

The Axantum Password Manager Xecrets uses XML Encryption to store data on our servers.

This does not mean that Xecrets is vulnerable to attack.

The flaw can only be used in an attack against a server that knows the encryption key and that can be queried about the result of attempting to decrypt partially modified encrypted data. It relies on the fact that most implementations will happily decrypt whatever data they are given using the secret key, and then return different error messages depending on whether the decrypted data can be parsed as XML. These varying error messages can then be used to infer the original data, but not the actual encryption key.

Xecrets, on the other hand, never accepts encrypted XML in this way, nor does it know any user's encryption key except briefly during the user's visit.

The XML Encryption flaw does not affect Xecrets.
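The error-message behaviour described above, next to the usual way to close it (authenticating the ciphertext before decrypting), as an added example that is not Xecrets code or part of the original post. The endpoint names, keys and sample document are constructed, and a SHA-256 keystream stands in for the AES-CBC cipher of XML Encryption so the block runs on the standard library alone.

```python
import hashlib, hmac, os
import xml.etree.ElementTree as ET

# Constructed demo keys and document; all names here are hypothetical.
ENC_KEY, MAC_KEY = os.urandom(32), os.urandom(32)
SAMPLE = "<secret><name>demo</name><value>constructed</value></secret>"

def _xor_stream(iv, data):
    # Stand-in malleable cipher (SHA-256 keystream), not the AES-CBC of XML Encryption.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(ENC_KEY + iv + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def seal(xml_text):
    """Encrypt, then append an HMAC over IV + ciphertext."""
    iv = os.urandom(16)
    ct = iv + _xor_stream(iv, xml_text.encode())
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def leaky_endpoint(blob):
    """Decrypts anything it is sent and says why the result was unusable."""
    ct = blob[:-32]  # the tag is ignored here
    try:
        ET.fromstring(_xor_stream(ct[:16], ct[16:]).decode("utf-8"))
    except UnicodeDecodeError:
        return "error: invalid character encoding"
    except ET.ParseError:
        return "error: malformed XML"
    return "ok"

def hardened_endpoint(blob):
    """Checks the MAC before decrypting; every failure looks the same."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "error: request rejected"
    return "ok" if leaky_endpoint(blob) == "ok" else "error: request rejected"

def distinct_responses(endpoint, blob):
    """Answers seen when each ciphertext byte is altered (skips IV and tag)."""
    return {endpoint(blob[:p] + bytes([blob[p] ^ m]) + blob[p + 1:])
            for p in range(16, len(blob) - 32) for m in (0x01, 0x80)}

if __name__ == "__main__":
    for ep in (leaky_endpoint, hardened_endpoint):
        print(ep.__name__, sorted(distinct_responses(ep, seal(SAMPLE))))
```

The first endpoint answers modified input in three distinguishable ways, which is the signal the flaw depends on; the second gives one answer for every modification because nothing is decrypted until the MAC verifies.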
