[Interest] Interest Digest, Vol 96, Issue 19

Matthew Woehlke mwoehlke.floss at gmail.com
Wed Oct 2 22:43:12 CEST 2019 

On 01/10/2019 20.47, Roland Hughes wrote:
> If you are using XML, JSON or any of the other trendy text based
> open standards for data exchange, you've made it easy for the hackers.
> They don't have to put any human noodling into determining if they
> cracked your transmission or not. It can be fully automated. As soon as
> one of the attempts returns something like this
> 
> <firstName>John</firstName>
> 
> or this
> 
> "firstName" : "John"
> 
> a tiny bit of code which runs through the result looking for an opening
> tag with a matching closing tag or colon delimited quoted strings can
> tell a brute force method to stop and notify the hacker of success.

Isn't the fix for this just to encrypt your data twice (using different
keys, or maybe better, different algorithms)? Offhand, it seems like
this should exponentially increase the difficulty of decryption for each
layer added.

> To really secure transmitted data, you cannot use an open standard which
> has readily identifiable fields. Companies needing great security are
> moving to proprietary record layouts containing binary data. Not a
> "classic" record layout with contiguous fields, but a scattered layout
> placing single field bytes all over the place. For the "free text"
> portions like name and address not only in reverse byte order, but
> performing a translate under mask first. Object Oriented languages have
> a bit of trouble operating in this world but older 3GLs where one can
> have multiple record types/structures mapped to a single buffer (think a
> union of packed structures in C) can process this data rather quickly.

How is this not just "security through obscurity"? That's almost
universally regarded as equivalent to "no security at all". If you're
going to claim that this is suddenly not the case, you'd best have some
*really* impressive evidence to back it up.

Put differently, how is this different from just throwing another layer
of encry^Wenciphering on your data and calling it a day?

> If they targeted something which uses XML documents to communicate, they
> don't need to brute force attempt everything, just the first 120 or so
> bytes of each packet until they find the one which returns
> 
> <?xml version=
> 
> and they are done.

That seems like a flaw in the encryption algorithm. It seems like there
ought to be a way to make it so that you can't decrypt only part of a
message. Even an initial, reversible step such as XOR-permuting the
message with some well-known image of itself (e.g. "reversed") might
suffice?

-- 
Matthew

More information about the Interest mailing list