Tuesday, July 14, 2009

HMAC truncation vulnerability in XML signature

This blog post nicely explains the HMAC truncation security vulnerability in XML digital signature specification. In short the specification allows to truncate the signature to any length. If this length is too small, an adversary can guess the correct truncated HMAC with a high probability and hence the security vulnerability. Specifically, this leads to authentication bypass or forging.

I am not sure if there exists any security proof about truncation (reduces to birthday attack?). Generally speaking, smaller signature provides a higher entropy and hence less information to the attacker. But at the same time, attacker has to guess only a fewer bits. In any case, the truncation should not be less than 80 bits, since below this length is considered to be vulnerable to brute force attacks with the current computational capabilities of adversaries. What if the truncated length is less than half of the length of original MAC output? Then it is succeptible to birthday attacks.

Are you as an application developer vulnerable to this attack?
If you are using an XML digital signature library that allows to set any arbitrary truncation length, you'll need to enforce a minimum safe length depending on the algorithm you are using. The good news is most of the libraries including XML security library have already provided pathes for this. If you are a library developer, you probably want to release a patch to users.

1 comment:

e signature said...

Well written. Smaller the signature and higher the entropy so less information to the attacker. No doubt in this case, attackers has to guess less bits but still there is less chances of attacking..:-)