One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography

Tibor Jager, Kenneth G. Paterson, Juraj Somorovsky

In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2013


Backwards compatibility attacks are based on the common practical scenario that a cryptographic standard offers a choice between several algorithms to perform the same cryptographic task. This often includes secure state-of-the-art cryptosystems, as well as insecure legacy cryptosystems with known vulnerabilities that are made available for backwards compatibility reasons.

Obviously using insecure legacy cryptosystems is dangerous. However, we show the less obvious fact that even if users have the best of intentions to use only the most up-to-date, vulnerability-free version of a system, the mere existence of support for old versions can have a catastrophic effect on security.

We demonstrate the practical relevance of our results by describing attacks on current versions of important cryptographic Web standards: W3C XML Encryption and XML Signature, and JSON Web Encryption and Web Signature. We furthermore propose practical and effective countermeasures thwarting backwards compatibility attacks, which could be applied in new versions of these standards as well as in related specifications applying cryptographic primitives.

The distributed document has been provided by the contributing authors as a means to ensure timely dissemination of scholarly and technical work on a noncommercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.

Some ideas of this paper were used as a basis for our Dobbertin Cryptochallenge:

You can run this challenge also on your machine and practice offline. The sources are included below.

[CryptoChallenge] [paper]

Tags: backwards compatibility, JSON Web Encryption, Padding Oracle Attacks, Web Services, XML Encryption