XML Encryption Broken - "How To" Published - Impact on WCF / What should we do?


  • A recent academic article in Journal of the ACM (and published also here)   describes an efficient technique for breaking XML Encryption, based on some discovered issues with cipher block chaining (aka CBC).  This looks like the real deal, and notably affects AES-CBC.

    From what I can discern from this posting (, the default algorithmSuite for all WCF bindings is Basic256, which uses the AES-CBC encryption algorithm.  

    Thus the default WCF security bindings appear to be compromised by this article.  I'm concerned that any use of message-level security that uses the default bindings is vulnerable to decryption by a man-in-the-middle or other observers.  

    What advice does Microsoft have on limiting the attack surface of WCF default bindings to eliminate this vulnerability?  

    I note that a W3C blog posting indicates that AES-GCM is perhaps a better choice for effecient and safe symmetric encryption.  I believe AES-GCM is available on Windows Vista/7 and Windows Server 2008 / Windows Server 2008 R2 as part of Crypto Next Gen.

    is there a way to configure a .NET 3.x or 4.0 WCF Binding to use AES-GCM or another equally effecient non-CBC encryption algorithm?


    Regards, Howard Hoffman
    Thursday, November 03, 2011 1:45 PM


  • Hi Howard - Brent is correct.  WCF accepts only signed encrypted messages.  I have spoken about this issue with MSRC at length and have concluded that this is not a vulnerability for WCF.
    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    • Marked as answer by HowardH Wednesday, November 30, 2011 6:41 PM
    Wednesday, November 30, 2011 5:47 PM

All replies