[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: The sky is falling! XML's dirty secret! Go back! It's a
On Thursday 30 May 2002 9:28 pm, Seairth Jacobs wrote: > Okay, maybe I am slow to see what's wrong here, but I don't see what's > wrong here. I have questions about the security solution presented, but > isn't the problem itself legitimate? If it isn't, would someone be kind > enough to educate me why a self-describing data file is not an easier > target for data theft? If somebody's already managed to somehow foil a trusted server to divulge the encrypted information and work around the encryption, then yeah, figuring out the meaning of what they've obtained is easier with self-describing data. However, that change in ease is quite negligible compared to the rest of the effort. If you're transmitting sensitive information without proper precautions so that figuring out which bit of it's the credit card information is the main problem facing an invader, then there's something terribly terribly wrong. Not that it's *bad* to put extra obstacles in an attacker's way - but there's many orders of magnitude of difference in the difficulty of extracting credit card numbers from strange message formats and breaking a cryptosystem. One angle is that XML documents usually start with a <, and often a <?xml verison='1.0'?>, and that kind of information can be used to help break cryptosystems. Which is why, if somebody sensible was setting up that system, they would encrypt 16 bytes of random numbers followed by the gzipped XML, maybe with that 16 bytes of random numbers XORed into the first 16 bytes of the file in case the structure of the headers at the start of the gzip stream provides a lever into the cryptosystem (albeit at an offset into the stream after random data, and if it's a decent cryptosystem setup it'll be feeding cyphertext or plaintext back into the later stages anyway). So to conclude, the underlying data format matters only if your security's already lame to start with... ABS -- Alaric B. Snell http://www.alaric-snell.com/ http://RFC.net/ http://www.warhead.org.uk/ Any sufficiently advanced technology can be emulated in software
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|