XML Encryption


  1. 1. XML Encryption
      Prabath Siriwardena
      Director, Security Architecture
  2. 2. XML Security
      • Integrity and non-repudiation
          – XML Signature by W3C
          – http://www.w3.org/TR/xmldsig-core/
      • Confidentiality of XML documents
          – XML Encryption by W3C
          – http://www.w3.org/TR/xmlenc-core/
  3. 3. XML-Encryption
      • A W3C standard which followed XML Signature, for encrypting all of an XML document, part of it or an external object.
      • XML Signature points to what is being signed – while in XML Encryption, the <EncryptedData> element contains what is being encrypted.
      • XML Encryption shares the <KeyInfo> element with XML Signature – it is defined under the XML Signature namespace.
  4. 4. XML-Encryption
      • Encrypts XML with a symmetric key
      • Symmetric key encryption is much more efficient than asymmetric key encryption
  5. 5. QUESTION 1
      What are the differences between symmetric key encryption and asymmetric key encryption?
  6. 6. XML-Encryption (Example)
      <PaymentInfo xmlns='http://example.org/paymentv2'>
        <Name>John Smith</Name>
        <CreditCard Limit='5,000' Currency='USD'>
          <Number>4019 2445 0277 5567</Number>
          <Issuer>Example Bank</Issuer>
          <Expiration>04/02</Expiration>
        </CreditCard>
      </PaymentInfo>
  7. 7. XML-Encryption (Example)
      <PaymentInfo xmlns='http://example.org/paymentv2'>
        <Name>John Smith</Name>
        <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
                       xmlns='http://www.w3.org/2001/04/xmlenc#'>
          <CipherData>
            <CipherValue>A23B45C56</CipherValue>
          </CipherData>
        </EncryptedData>
      </PaymentInfo>
  8. 8. XML-Encryption
      <EncryptedData>
        <EncryptionMethod/>
        <KeyInfo/>
        <CipherData/>
        <EncryptionProperties/>
      </EncryptedData>
  9. 9. <EncryptionMethod/>
      • Specifies the encryption algorithm to be used.
          – http://www.w3.org/2001/04/xmlenc#tripledes-cbc
          – http://www.w3.org/2001/04/xmlenc#aes128-cbc
          – http://www.w3.org/2001/04/xmlenc#aes256-cbc
          – http://www.w3.org/2001/04/xmlenc#aes192-cbc
  10. 10. XML-Encryption (Example)
      <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                     Type='http://www.w3.org/2001/04/xmlenc#Element'>
        <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
        <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
          <ds:KeyName>John Smith</ds:KeyName>
        </ds:KeyInfo>
        <CipherData>
          <CipherValue>DEADBEEF</CipherValue>
        </CipherData>
      </EncryptedData>
  11. 11. QUESTION 2
      Explain different types of cipher modes.
  12. 12. XML-Encryption
      <EncryptedData>
        <EncryptionMethod/>
        <KeyInfo/>
        <CipherData/>
        <EncryptionProperties/>
      </EncryptedData>
  13. 13. <CipherData/>
      Contains either the encrypted information inside <CipherValue> or a reference to the resource being encrypted inside <CipherReference>.
  14. 14. <CipherData/>
      <EncryptedData>
        <EncryptionMethod/>
        <KeyInfo/>
        <CipherData>
          <CipherValue/>
          <CipherReference URI=""/>
        </CipherData>
        <EncryptionProperties/>
      </EncryptedData>
  15. 15. <CipherValue/>
      Contains Base64-encoded encrypted information.
  16. 16. <CipherData/>
      <EncryptedData>
        <EncryptionMethod/>
        <KeyInfo/>
        <CipherData>
          <CipherValue/>
          <CipherReference URI=""/>
        </CipherData>
        <EncryptionProperties/>
      </EncryptedData>
  17. 17. <CipherReference/>
      • This element is used when the encrypted resource is located at a URI-addressable location.
      • The URI attribute is used just the way it's used in <Reference URI> in XML Signature.
      • It also includes a <Transforms> element, which contains a pipeline of <Transform> elements – as in the case of XML Signature.
      • The <Transform> element is defined under the XML Signature namespace.
  18. 18. <CipherReference/>
      <CipherReference URI="http://www.example.com/CipherValues.xml">
        <Transforms>
          <ds:Transform Algorithm="../xmldsig#base64"/>
        </Transforms>
      </CipherReference>
  19. 19. XML-Encryption (Example)
      <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                     Type='http://www.w3.org/2001/04/xmlenc#Element'>
        <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
        <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
          <ds:KeyName>John Smith</ds:KeyName>
        </ds:KeyInfo>
        <CipherData>
          <CipherValue>DEADBEEF</CipherValue>
        </CipherData>
      </EncryptedData>
  20. 20. XML-Encryption (Example)
      <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                     Type='http://www.w3.org/2001/04/xmlenc#Element'>
        <CipherData>
          <CipherReference URI="http://…CipherValues.xml">
            <Transforms>
              <ds:Transform Algorithm="..">
                <ds:XPath xmlns:rep=".."></ds:XPath>
              </ds:Transform>
              <ds:Transform Algorithm="..#base64"/>
            </Transforms>
          </CipherReference>
        </CipherData>
      </EncryptedData>
  21. 21. QUESTION 3
      How can we use XML Encryption to encrypt non-XML attachments?
  22. 22. XML-Encryption
      <EncryptedData>
        <EncryptionMethod/>
        <KeyInfo/>
        <CipherData/>
        <EncryptionProperties/>
      </EncryptedData>
  23. 23. <EncryptionProperties/>
      • Much like <SignatureProperties/>
      • Holds useful information about the encryption
      <EncryptedData Id="100">
        <EncryptionProperties Id="101">
          <EncryptionProperty Target="100">
            <EncryptionDate>.....</EncryptionDate>
          </EncryptionProperty>
        </EncryptionProperties>
      </EncryptedData>
  24. 24. XML-Encryption
      <EncryptedData>
        <EncryptionMethod/>
        <KeyInfo/>
        <CipherData/>
        <EncryptionProperties/>
      </EncryptedData>
  25. 25. <KeyInfo/>
      • KeyInfo in XML Signature is about providing the public key to verify the signature.
      • In XML Encryption, KeyInfo is about providing an encryption key, which is almost always a shared key.
      • In XML Signature we can include the key directly. But in XML Encryption we should NOT.
      • XML Encryption extends the XML Signature KeyInfo with two new elements, <EncryptedKey> and <AgreementMethod>.
  26. 26. <KeyInfo/>
      Locating the encryption key
      • Leave out the key – assuming the receiving end is aware of the encryption key.
      • Provide a name or pointer with which the receiving end can locate the key.
      • Encrypt the key using the public key of the receiving end and include the encrypted 'encryption' key inside KeyInfo.
  27. 27. XML-Encryption (Example)
      <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                     Type='http://www.w3.org/2001/04/xmlenc#Element'>
        <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
        <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
          <ds:KeyName>John Smith</ds:KeyName>
        </ds:KeyInfo>
        <CipherData><CipherValue>DEADBEEF</CipherValue></CipherData>
      </EncryptedData>
  28. 28. <AgreementMethod/>
      • A strategy for safely communicating a secret key.
      • <AgreementMethod> refers to a key agreement protocol that is used to generate the encryption key.
      • Not commonly used – an optional element
  29. 29. <AgreementMethod/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <AgreementMethod Algorithm="example:Agreement/Algorithm">
          <KA-Nonce>Zm9v</KA-Nonce>
          <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
          <OriginatorKeyInfo>
            <ds:KeyValue>....</ds:KeyValue>
          </OriginatorKeyInfo>
          <RecipientKeyInfo>
            <ds:KeyValue>....</ds:KeyValue>
          </RecipientKeyInfo>
        </AgreementMethod>
      </ds:KeyInfo>
  30. 30. <EncryptedKey/>
      • <EncryptedKey> is simply another <EncryptedData> element.
      • Both extend <EncryptedType>
      • Both do encryption – <EncryptedKey> encrypts the shared key used to encrypt the message.
      • Digital enveloping / key transport strategy
  31. 31. <EncryptedKey/>
      We may have multiple <EncryptedData> elements within the same XML document, and they will all be referenced by a standalone <EncryptedKey> element.
      <EncryptedKey>
        <ReferenceList>
          <DataReference URI="100"/>
          <DataReference URI="101"/>
        </ReferenceList>
      </EncryptedKey>
  32. 32. <ReferenceList/>
      • <ReferenceList> is a child element of <EncryptedKey>
      • <ReferenceList> refers to the <EncryptedData> elements that are encrypted with the same key
  33. 33. <CarriedKeyName/>
      • With <ReferenceList>, multiple <EncryptedData> elements are referenced by a single <EncryptedKey> element.
      • The CarriedKeyName element is used to identify the encrypted key value, which may be referenced by the KeyName element in ds:KeyInfo
  34. 34. XML-Encryption - Processing
      • Choose an encryption algorithm <EncryptionMethod/>
      • Obtain an encryption key and, optionally, represent it
      • Serialize message data to octets [a stream of bytes]
      • Encrypt the data
      • Specify the <EncryptedData Type="">
      • Complete the <EncryptedData> structure
  35. 35. Decryption Process
      • Get algorithm, parameters and KeyInfo
      • Locate the encryption key
      • Decrypt data
      • Process XML Elements and XML Element Content
      • If no <EncryptedData Type=""> is specified, the result of decryption is passed back to the application.
  36. 36. lean . enterprise . middleware
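
The first two decryption steps from slide 35 (get the algorithm, locate the key), combined with the key-location options of slide 26 and the ReferenceList / CarriedKeyName lookup of slides 31 to 33, as an added Python example that is not part of the original deck. The wrapper element `Doc`, the Ids `ED1`/`ED2`, the name `session-key`, the function name `plan_decryption` and the cipher bytes are constructed for illustration; the code checks structure only and performs no decryption.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
ENC, DS = "{" + XENC + "}", "{http://www.w3.org/2000/09/xmldsig#}"
BLOCK = {XENC + "tripledes-cbc": 8, XENC + "aes128-cbc": 16,  # block sizes in bytes
         XENC + "aes192-cbc": 16, XENC + "aes256-cbc": 16}    # for the slide 9 URIs

# Constructed sample: wrapper element, Ids, key name and cipher bytes are made up.
SAMPLE = f"""<Doc xmlns="{XENC}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <EncryptedKey>
    <ReferenceList><DataReference URI="#ED1"/></ReferenceList>
    <CarriedKeyName>session-key</CarriedKeyName>
  </EncryptedKey>
  <EncryptedData Id="ED1">
    <EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
    <CipherData><CipherValue>{base64.b64encode(bytes(32)).decode()}</CipherValue></CipherData>
  </EncryptedData>
  <EncryptedData Id="ED2">
    <EncryptionMethod Algorithm="{XENC}tripledes-cbc"/>
    <ds:KeyInfo><ds:KeyName>John Smith</ds:KeyName></ds:KeyInfo>
    <CipherData><CipherValue>DEADBEEF</CipherValue></CipherData>
  </EncryptedData>
</Doc>"""

def plan_decryption(xml_text):
    root = ET.fromstring(xml_text)  # untrusted input calls for a hardened XML parser
    # ReferenceList: EncryptedData Id -> CarriedKeyName of the EncryptedKey covering it.
    wrapped = {r.get("URI", "").lstrip("#"): k.findtext(ENC + "CarriedKeyName")
               for k in root.iter(ENC + "EncryptedKey") for r in k.iter(ENC + "DataReference")}
    plan = []
    for ed in root.iter(ENC + "EncryptedData"):
        alg = next((m.get("Algorithm") for m in ed.iterfind(ENC + "EncryptionMethod")), None)
        problems = [] if alg in BLOCK else ["algorithm missing or not on the allow-list"]
        # Locate the key: wrapped key, named key, or agreed out of band (slide 26).
        eid, name = ed.get("Id"), ed.findtext(f"{DS}KeyInfo/{DS}KeyName")
        key = (("EncryptedKey", wrapped[eid]) if eid in wrapped else
               ("KeyName", name) if name is not None else ("out-of-band", None))
        # CBC ciphertext is Base64 of the IV followed by whole cipher blocks.
        text = "".join((ed.findtext(f"{ENC}CipherData/{ENC}CipherValue") or "").split())
        try:
            raw = base64.b64decode(text, validate=True)
        except ValueError:
            raw = b""
        size = BLOCK.get(alg, 1)
        if len(raw) < 2 * size or len(raw) % size:
            problems.append("ciphertext is not IV plus whole cipher blocks")
        plan.append({"id": eid, "algorithm": alg, "key": key, "problems": problems})
    return plan
```

The slides' placeholder CipherValue `DEADBEEF` decodes to 6 bytes, so it is reported as malformed for a cipher with an 8-byte block.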