[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

Re: The sky is falling! XML's dirty secret! Go back! It's a


the sky is falling meaning
On Thursday 30 May 2002 9:28 pm, Seairth Jacobs wrote:
> Okay, maybe I am slow to see what's wrong here, but I don't see what's
> wrong here.  I have questions about the security solution presented, but
> isn't the problem itself legitimate?  If it isn't, would someone be kind
> enough to educate me why a self-describing data file is not an easier
> target for data theft?

If somebody's already managed to somehow foil a trusted server to divulge the 
encrypted information and work around the encryption, then yeah, figuring out 
the meaning of what they've obtained is easier with self-describing data.

However, that change in ease is quite negligible compared to the rest of the 
effort.

If you're transmitting sensitive information without proper precautions so 
that figuring out which bit of it's the credit card information is the main 
problem facing an invader, then there's something terribly terribly wrong.

Not that it's *bad* to put extra obstacles in an attacker's way - but there's 
many orders of magnitude of difference in the difficulty of extracting credit 
card numbers from strange message formats and breaking a cryptosystem.

One angle is that XML documents usually start with a <, and often a <?xml 
verison='1.0'?>, and that kind of information can be used to help break 
cryptosystems. Which is why, if somebody sensible was setting up that system, 
they would encrypt 16 bytes of random numbers followed by the gzipped XML, 
maybe with that 16 bytes of random numbers XORed into the first 16 bytes of 
the file in case the structure of the headers at the start of the gzip stream 
provides a lever into the cryptosystem (albeit at an offset into the stream 
after random data, and if it's a decent cryptosystem setup it'll be feeding 
cyphertext or plaintext back into the later stages anyway).

So to conclude, the underlying data format matters only if your security's 
already lame to start with...

ABS

-- 
                               Alaric B. Snell
 http://www.alaric-snell.com/  http://RFC.net/  http://www.warhead.org.uk/
   Any sufficiently advanced technology can be emulated in software  

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
 

Stylus Studio has published XML-DEV in RSS and ATOM formats, enabling users to easily subcribe to the list from their preferred news reader application.


Stylus Studio Sponsored Links are added links designed to provide related and additional information to the visitors of this website. they were not included by the author in the initial post. To view the content without the Sponsor Links please click here.

Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.