1. XML Encryption
Prabath Siriwardena
Director, Security Architecture

2. XML Security
• Integrity and non-repudiation
  – XML Signature by W3C
  – http://www.w3.org/TR/xmldsig-core/
• Confidentiality of XML documents
  – XML Encryption by W3C
  – http://www.w3.org/TR/xmlenc-core/

3. XML-Encryption
• A W3C standard that followed XML Signature, for encrypting all of an XML document, part of it, or an external object.
• XML Signature points to what is being signed, while in XML Encryption the <EncryptedData> element contains what is being encrypted.
• XML Encryption shares the <KeyInfo> element with XML Signature; it is defined under the XML Signature namespace.

4. XML-Encryption
• Encrypts XML with a symmetric key.
• Symmetric key encryption is much more efficient than asymmetric key encryption.

5. QUESTION 1
What are the differences between symmetric key encryption and asymmetric key encryption?
6. XML-Encryption (Example)
  <PaymentInfo xmlns='http://example.org/paymentv2'>
    <Name>John Smith</Name>
    <CreditCard Limit='5,000' Currency='USD'>
      <Number>4019 2445 0277 5567</Number>
      <Issuer>Example Bank</Issuer>
      <Expiration>04/02</Expiration>
    </CreditCard>
  </PaymentInfo>

7. XML-Encryption (Example)
  <PaymentInfo xmlns='http://example.org/paymentv2'>
    <Name>John Smith</Name>
    <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                   xmlns='http://www.w3.org/2001/04/xmlenc#'>
      <CipherData>
        <CipherValue>A23B45C56</CipherValue>
      </CipherData>
    </EncryptedData>
  </PaymentInfo>

8. XML-Encryption
  <EncryptedData>
    <EncryptionMethod/>
    <KeyInfo/>
    <CipherData/>
    <EncryptionProperties/>
  </EncryptedData>

9. <EncryptionMethod/>
• Specifies the encryption algorithm to be used:
  – http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  – http://www.w3.org/2001/04/xmlenc#aes128-cbc
  – http://www.w3.org/2001/04/xmlenc#aes256-cbc
  – http://www.w3.org/2001/04/xmlenc#aes192-cbc
10. XML-Encryption (Example)
  <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                 Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
    <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:KeyName>John Smith</ds:KeyName>
    </ds:KeyInfo>
    <CipherData>
      <CipherValue>DEADBEEF</CipherValue>
    </CipherData>
  </EncryptedData>
11. QUESTION 2
Explain the different types of cipher modes.

12. XML-Encryption
  <EncryptedData>
    <EncryptionMethod/>
    <KeyInfo/>
    <CipherData/>
    <EncryptionProperties/>
  </EncryptedData>

13. <CipherData/>
Either contains the encrypted information inside <CipherValue>, or a reference to the encrypted resource inside <CipherReference>.

14. <CipherData/>
  <EncryptedData>
    <EncryptionMethod/>
    <KeyInfo/>
    <CipherData>
      <CipherValue/>
      <CipherReference URI=""/>
    </CipherData>
    <EncryptionProperties/>
  </EncryptedData>

15. <CipherValue/>
Contains the Base64-encoded encrypted information.

16. <CipherData/>
  <EncryptedData>
    <EncryptionMethod/>
    <KeyInfo/>
    <CipherData>
      <CipherValue/>
      <CipherReference URI=""/>
    </CipherData>
    <EncryptionProperties/>
  </EncryptedData>

17. <CipherReference/>
• This element is used when the encrypted resource is located at a URI-addressable location.
• The URI attribute is used just like the URI attribute of <Reference> in XML Signature.
• It also includes a <Transforms> element, which contains a pipeline of <Transform> elements, as in XML Signature.
• The <Transform> element is defined under the XML Signature namespace.

18. <CipherReference/>
  <CipherReference URI="http://www.example.com/CipherValues.xml">
    <Transforms>
      <ds:Transform Algorithm="../xmldsig#base64"/>
    </Transforms>
  </CipherReference>
19. XML-Encryption (Example)
  <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                 Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
    <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:KeyName>John Smith</ds:KeyName>
    </ds:KeyInfo>
    <CipherData>
      <CipherValue>DEADBEEF</CipherValue>
    </CipherData>
  </EncryptedData>

20. XML-Encryption (Example)
  <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                 Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <CipherData>
      <CipherReference URI="http://…CipherValues.xml">
        <Transforms>
          <ds:Transform Algorithm="..">
            <ds:XPath xmlns:rep=".."></ds:XPath>
          </ds:Transform>
          <ds:Transform Algorithm="..#base64"/>
        </Transforms>
      </CipherReference>
    </CipherData>
  </EncryptedData>
21. QUESTION 3
How can we use XML Encryption to encrypt non-XML attachments?

22. XML-Encryption
  <EncryptedData>
    <EncryptionMethod/>
    <KeyInfo/>
    <CipherData/>
    <EncryptionProperties/>
  </EncryptedData>

23. <EncryptionProperties/>
• Very similar to <SignatureProperties/>
• Holds useful information about the encryption
  <EncryptedData Id="100">
    <EncryptionProperties Id="101">
      <EncryptionProperty Target="100">
        <EncryptionDate>.....</EncryptionDate>
      </EncryptionProperty>
    </EncryptionProperties>
  </EncryptedData>
24. XML-Encryption
  <EncryptedData>
    <EncryptionMethod/>
    <KeyInfo/>
    <CipherData/>
    <EncryptionProperties/>
  </EncryptedData>

25. <KeyInfo/>
• KeyInfo in XML Signature is about providing the public key to verify the signature.
• In XML Encryption, KeyInfo is about providing an encryption key, which is almost always a shared key.
• In XML Signature we can directly include the key in it. But in XML Encryption we should NOT.
• XML Encryption extends the XML Signature KeyInfo with two new elements: <EncryptedKey> and <AgreementMethod>.

26. <KeyInfo/>
Locating the encryption key:
• Leave out the key, assuming the receiving end is aware of the encryption key.
• Provide a name or pointer with which the receiving end can locate the key.
• Encrypt the key using the public key of the receiving end and include the encrypted 'encryption' key inside KeyInfo.

27. XML-Encryption (Example)
  <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                 Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
    <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:KeyName>John Smith</ds:KeyName>
    </ds:KeyInfo>
    <CipherData><CipherValue>DEADBEEF</CipherValue></CipherData>
  </EncryptedData>

28. <AgreementMethod/>
• A strategy for safely communicating a secret key.
• <AgreementMethod> refers to a key agreement protocol that is used to generate the encryption key.
• Not commonly used; an optional element.

29. <AgreementMethod/>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <AgreementMethod Algorithm="example:Agreement/Algorithm">
      <KA-Nonce>Zm9v</KA-Nonce>
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
      <OriginatorKeyInfo>
        <ds:KeyValue>....</ds:KeyValue>
      </OriginatorKeyInfo>
      <RecipientKeyInfo>
        <ds:KeyValue>....</ds:KeyValue>
      </RecipientKeyInfo>
    </AgreementMethod>
  </ds:KeyInfo>
30. <EncryptedKey/>
• <EncryptedKey> is simply another <EncryptedData> element.
• Both extend <EncryptedType>.
• Both do encryption: <EncryptedKey> encrypts the shared key used to encrypt the message.
• Digital enveloping / key transport strategy.

31. <EncryptedKey/>
We will have multiple <EncryptedData> elements within the same XML document, and they will all be referred to by a standalone <EncryptedKey> element.
  <EncryptedKey>
    <ReferenceList>
      <DataReference URI="100"/>
      <DataReference URI="101"/>
    </ReferenceList>
  </EncryptedKey>

32. <ReferenceList/>
• <ReferenceList> is a child element of <EncryptedKey>.
• <ReferenceList> refers to the <EncryptedData> elements that were encrypted with the same key.

33. <CarriedKeyName/>
• With <ReferenceList>, multiple <EncryptedData> elements are referred to by a single <EncryptedKey> element.
• The CarriedKeyName element is used to identify the encrypted key value, which may be referenced by the KeyName element in ds:KeyInfo.
34. XML-Encryption - Processing
• Choose an encryption algorithm: <EncryptionMethod/>
• Obtain an encryption key and, optionally, represent it
• Serialize the message data to octets (a stream of bytes)
• Encrypt the data
• Specify the <EncryptedData Type="">
• Complete the <EncryptedData> structure

35. Decryption Process
• Get the algorithm, parameters and KeyInfo
• Locate the encryption key
• Decrypt the data
• Process XML Elements and XML Element Content
• If no <EncryptedData Type=""> is specified, the result of the decryption is passed back to the application.
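The encryption and decryption steps of the last two slides, carried through as an added Go example that is not part of the slide deck: the element octets are padded as XML Encryption requires (last octet = pad length), AES-128-CBC encrypted under a fresh IV, and the IV is prepended to the ciphertext before Base64 encoding into <CipherValue>; decryption reads <EncryptionMethod>, checks the algorithm, and unpads. It assumes a 16-byte key that both ends already share (the "leave out the key" option of slide 26), so no <KeyInfo> or <EncryptedKey> is emitted; the `EncryptedData` struct, `Encrypt` and `Decrypt` are this example's own names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
)

const aes128cbc = "http://www.w3.org/2001/04/xmlenc#aes128-cbc"

// EncryptedData is the subset of the slides' <EncryptedData> structure used here; <KeyInfo> is left out.
type EncryptedData struct {
	XMLName          xml.Name `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
	Type             string   `xml:"Type,attr"`
	EncryptionMethod struct{ Algorithm string `xml:"Algorithm,attr"` } `xml:"EncryptionMethod"`
	CipherValue      string   `xml:"CipherData>CipherValue"`
}

// Encrypt pads the serialized element octets (last octet = pad length, as XML Encryption requires),
// CBC-encrypts them under a fresh IV and stores base64(IV || ciphertext) in <CipherValue>.
func Encrypt(plain, key []byte) (string, error) {
	block, err := aes.NewCipher(key) // a 16-byte key gives aes128-cbc
	if err != nil { return "", err }
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	buf := make([]byte, aes.BlockSize+len(padded)) // IV first, then the ciphertext
	if _, err := rand.Read(buf[:aes.BlockSize]); err != nil { return "", err }
	cipher.NewCBCEncrypter(block, buf[:aes.BlockSize]).CryptBlocks(buf[aes.BlockSize:], padded)
	ed := EncryptedData{Type: "http://www.w3.org/2001/04/xmlenc#Element", CipherValue: base64.StdEncoding.EncodeToString(buf)}
	ed.EncryptionMethod.Algorithm = aes128cbc
	out, err := xml.Marshal(ed)
	return string(out), err
}

// Decrypt follows slide 35: read the algorithm, decrypt with the key the caller located,
// strip the padding and hand the element octets back to the application.
func Decrypt(doc string, key []byte) ([]byte, error) {
	var ed EncryptedData
	if err := xml.Unmarshal([]byte(doc), &ed); err != nil || ed.EncryptionMethod.Algorithm != aes128cbc { return nil, errors.New("not an aes128-cbc EncryptedData element") }
	raw, err := base64.StdEncoding.DecodeString(ed.CipherValue)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 { return nil, errors.New("CipherValue is not an IV followed by whole blocks") }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize { return nil, errors.New("bad padding") }
	return pt[:len(pt)-pad], nil
}
```

CBC as listed on slide 9 gives confidentiality only: a receiver should validate an XML Signature over the <EncryptedData> before decrypting, or use the AES-GCM algorithm identifiers that XML Encryption 1.1 added, so that a modified <CipherValue> is rejected rather than decrypted.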
36. lean . enterprise . middleware