Recursive Cryptography
Contents
Attack description
Web services offer a great amount of flexibility when it comes to using security features like cryptography and signature algorithms; i.e. different parts of a SOAP message can be signed or encrypted with different keys. This flexibility can be used to mount Recursive Cryptography attacks. These attacks aim at exhausting the system resources of the attacked web service. This attack is also known as Oversized Cryptography aka Cryptography DOS aka XML Complexity Attack in Soap Header.
Attack subtypes
Cryptography Denial Of Service (DOS) attacks can be split in two different but similar attacks:
- Chained Cryptographic Keys attack
The "Public Key DOS" attack aims at exhausting the system resources of the attacked web service by creating a very long or "unlimited" chain of encrypted keys. In other words: in order to retrieve the key for an cryptographic operation, the key has to be decrypted first using the previous key. This process is repeated until the "last" inner key is retrieved.
If the attack is mounted successfully, the attacked system is effected in two ways:
1. Buffering of all Keys: The result is a high memory consumption
2. Decrypting keys with public key Algorithms: This leads to a high CPU usage since public key algorithms require time consuming algorithms.
This attack is also known as the Public Key DOS attack
- Nested Encrypted Blocks
The attack is mounted by creating a very long or "unlimited" chain of encrypted elements. In other words: content once encrypted is re-encrypted over and over again. That means the target system has to decrypt a large amount of data to get to the original data. This attack causes a high CPU usage since many resource intensive public key operations have to be performed over a long period of time.
Prerequisites for attack
In order for this attack to work the attack has to have knowledge about the following things:
- Attacker knows endpoint of web service. otherwise he is not able to reach the web service.
- Attacker knows that the web web service processes the security header and the "encryption" element and/or "signature" element. If the web service doesn't "expect" an encrypted part, it just discards the encryption and the attack doesn't work.
- Attacker can reach endpoint from its location. Access to the attacked web service is required. If the web service is only available to users within a certain network of a company this attack is limited.
Graphical representation of attack
- Red box = attacked web service component
- Black box = attacker location
- blue box = other web service components not actively used in the attack
Attack example
Instead of giving an example SOAP request with a malicious payload, only a schematic representation of the attack is given. As shown in the graphic, in order get to the final unencrypted key or element all prior encryptions have to be resolved and processed.
If you have a working example available feel free to add it to the wiki.
Attack mitigation / countermeasures
The attack can be stopped from working by applying "Strict WS-Security Policy Enforcement". That means that only SOAP Messages are accepted that are explicitly required by the security policy. Usually a WS-Security Policy defines only the minimum requirements of a SOAP message in regard to security features. However, when using "Strict WS-Security Policy Enforcement" the security features of the Policy are to be considered not only as the minimum requirement but as the maximum requirement. Any SOAP Message that doesn't apply to the policy gets discarded and doesn't reach the XML parser.
"Strict WS-Security Policy Enforcement" has to be implemented by hand by the web service developer.
Attack categorisation
Categorisation by violated security objective
The attack aims at exhausting the system resources, therefore it violates the security objective Availability.
- Category:Attack_Categorisation_By_Violated_Security_Objective_Availability
- Category:Attack_Categorisation_By_Violated_Security_Objective
Categorisation by number of involved parties
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties:1_-_0_-_1
- Category:Attack_Categorisation_By_Number_Of_Involved_Parties
Categorisation by attacked component in web service architecture
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component:_Signature_Verification
- Category:Attack_Categorisation_By_Attacked_Web_Service_Component
Categorisation by attack spreading
- Category:Attack_Categorisation_By_Attack_Spreading
- Category:Attack_Categorisation_By_Attack_Spreading:Conceptual_Flaws
References
- Meiko Jensen, Nils Gruschka, and Ralph Herkenhöner. A survey of attacks on web services. Springer-Verlag, 2009.
- Leroy Metin Yaylacioglu. Business value einer web service firewall. Master’s thesis, Hochschule für Angewandte Wissenschaften Hamburg, 2008.
- Attack Categorisation By Violated Security Objective Availability
- Attack Categorisation By Violated Security Objective
- Attack Categorisation By Number Of Involved Parties:1 - 0 - 1
- Attack Categorisation By Number Of Involved Parties
- Attack Categorisation By Attacked Web Service Component: Signature Verification
- Attack Categorisation By Attacked Web Service Component
- Attack Categorisation By Attack Spreading
- Attack Categorisation By Attack Spreading:Conceptual Flaws
