Thursday, November 03, 2011 1:45 PM
A recent academic article in Journal of the ACM (and published also here) describes an efficient technique for breaking XML Encryption, based on some discovered issues with cipher block chaining (aka CBC). This looks like the real deal, and notably affects AES-CBC.
From what I can discern from this posting (http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/99231ca9-75b8-4254-a8a5-278c73901ec3/), the default algorithmSuite for all WCF bindings is Basic256, which uses the AES-CBC encryption algorithm.
Thus the default WCF security bindings appear to be compromised by this article. I'm concerned that any use of message-level security that uses the default bindings is vulnerable to decryption by a man-in-the-middle or other observers.What advice does Microsoft have on limiting the attack surface of WCF default bindings to eliminate this vulnerability?
I note that a W3C blog posting indicates that AES-GCM is perhaps a better choice for effecient and safe symmetric encryption. I believe AES-GCM is available on Windows Vista/7 and Windows Server 2008 / Windows Server 2008 R2 as part of Crypto Next Gen.
is there a way to configure a .NET 3.x or 4.0 WCF Binding to use AES-GCM or another equally effecient non-CBC encryption algorithm?
Regards, Howard Hoffman
Friday, November 04, 2011 1:47 AMModeratorHello, thanks for pointing out the latest researches. You can submit a suggestion on http://connect.microsoft.com/wcf. We will evaluate it and see how it will impact our products.
Lante, shanaolanxing This posting is provided "AS IS" with no warranties, and confers no rights.
Windows Azure Technical Forum Support Team Blog
Friday, November 04, 2011 5:48 PM
After further study, it appears that *all* the available WCF algorithmSuites use CBC. See http://msdn.microsoft.com/en-us/library/system.servicemodel.security.securityalgorithmsuite.aspx.
From reading the original article, it seems that encrypted+signed XML would not be vulnerable. So a further question:
Given that http://msdn.microsoft.com/en-us/library/system.net.security.protectionlevel.aspx has only None, Sign and EncryptAndSign what would WCF do when presented with the type of attack presented in the article -- an encrypted-only message? It strikes me that WCF must accept such a message since non .NET callers might be sending that, if it's within spec of WS-Security 1.3.
Regards, Howard Hoffman
Monday, November 28, 2011 7:51 PM
WCF does not have an encryption only mode, encrypted data must be signed.
- Edited by Brent Schmaltz - MSFT Monday, November 28, 2011 7:52 PM
Wednesday, November 30, 2011 5:47 PMHi Howard - Brent is correct. WCF accepts only signed encrypted messages. I have spoken about this issue with MSRC at length and have concluded that this is not a vulnerability for WCF.
Matt Small - Microsoft Escalation Engineer - Forum Moderator
- Marked As Answer by HowardH Wednesday, November 30, 2011 6:41 PM