Re: xml over https

From: Mads Rasmussen (mads_at_opencs.com.br)
Date: 02/10/05

    Date: Thu, 10 Feb 2005 10:25:11 -0300
    To: vuln-dev@securityfocus.com
    
    

    Burke, Charles wrote:

    >This web service was not using WS Security, was it?
    >I am assuming the xml encryption was custom or was it provided by WSE?
    >
    >
    No WS security, not even webservices ;-)
    Just simple encryption (a .dll doing 3DES encryption) of specific XML
    fields in an XML file, transported between the client and the server via
    HTTPS.
    No encryption mode, that is ECB basically.

    As I said, I did a small application calling their routine to decrypt
    the fields without specifying the key.

    Mads
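
An added example, not part of the original post: with no chaining mode (ECB), every 8-byte block is encrypted independently, so equal plaintext in two XML fields gives equal ciphertext blocks that an audit can spot without the key. The cipher below is a stand-in Feistel permutation rather than 3DES, and the `enc="1"` attribute, field names, key and values are constructed for the illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from collections import defaultdict

BLOCK = 8  # 3DES block size in bytes


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit Feistel permutation, NOT 3DES; only determinism matters."""
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:4]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Pad to whole blocks, then encrypt every block independently (ECB)."""
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


def repeated_blocks(xml_text: str) -> dict:
    """Return ciphertext blocks that occur more than once, with (tag, index)."""
    seen = defaultdict(list)
    for elem in ET.fromstring(xml_text).iter():
        if elem.get("enc") != "1":  # hypothetical marker for encrypted fields
            continue
        raw = bytes.fromhex(elem.text.strip())
        for i in range(0, len(raw), BLOCK):
            seen[raw[i:i + BLOCK].hex()].append((elem.tag, i // BLOCK))
    return {blk: locs for blk, locs in seen.items() if len(locs) > 1}


def build_sample() -> str:
    """Constructed document: two fields carry the same plaintext value."""
    key = b"constructed-demo-key"
    fields = [("card", b"4111111111111111"), ("backup_card", b"4111111111111111"),
              ("name", b"Alice Example")]
    body = "".join(f'<{tag} enc="1">{ecb_encrypt(key, val).hex()}</{tag}>'
                   for tag, val in fields)
    return f"<order><id>1001</id>{body}</order>"


if __name__ == "__main__":
    for blk, locs in repeated_blocks(build_sample()).items():
        print(blk, locs)
```

A mode with a fresh random IV per field, combined with an integrity check, makes these repeats disappear.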
