XML Encryption
Prabath Siriwardena
Director, Security Architecture
XML Security
• Integrity and non-repudiation
– XML Signature by W3C
– http://www.w3.org/TR/xmldsig-core/
• Confidentiality of XML documents
– XML Encryption by W3C
– http://www.w3.org/TR/xmlenc-core/
XML-Encryption
• A W3C standard that followed XML Signature,
for encrypting all of an XML document,
part of it, or an external object.
• XML Signature points to what is being signed,
while in XML Encryption the <EncryptedData>
element contains what is being encrypted.
• XML Encryption shares the <KeyInfo> element
with XML Signature; it is defined under the
XML Signature namespace.
XML-Encryption
• Encrypts XML with a symmetric key
• Symmetric key encryption is much more efficient
than asymmetric key encryption
QUESTION 1

What are the differences between symmetric
key encryption and asymmetric key encryption?
XML-Encryption (Example)
<PaymentInfo xmlns='http://example.org/paymentv2'>
<Name>John Smith</Name>
<CreditCard Limit='5,000' Currency='USD'>
<Number>4019 2445 0277 5567</Number>
<Issuer>Example Bank</Issuer>
<Expiration>04/02</Expiration>
</CreditCard>
</PaymentInfo>
XML-Encryption (Example)
<PaymentInfo xmlns='http://example.org/paymentv2'>
<Name>John Smith</Name>
<EncryptedData
Type='http://www.w3.org/2001/04/xmlenc#Element'
xmlns='http://www.w3.org/2001/04/xmlenc#'>
<CipherData>
<CipherValue>A23B45C56</CipherValue>
</CipherData>
</EncryptedData>
</PaymentInfo>
XML-Encryption
<EncryptedData >
<EncryptionMethod/>
<KeyInfo />
<CipherData />
<EncryptionProperties/>
</EncryptedData>
<EncryptionMethod/>
• Specify the encryption algorithm to be used.
– http://www.w3.org/2001/04/xmlenc#tripledes-cbc
– http://www.w3.org/2001/04/xmlenc#aes128-cbc
– http://www.w3.org/2001/04/xmlenc#aes256-cbc
– http://www.w3.org/2001/04/xmlenc#aes192-cbc
XML-Encryption (Example)
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.w3.org/2001/04/xmlenc#Element'>
<EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
<ds:KeyInfo
xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:KeyName>John Smith</ds:KeyName>
</ds:KeyInfo>
<CipherData>
<CipherValue>DEADBEEF</CipherValue>
</CipherData>
</EncryptedData>
QUESTION 2

Explain different types of cipher modes.
XML-Encryption
<EncryptedData >
<EncryptionMethod/>
<KeyInfo />
<CipherData />
<EncryptionProperties/>
</EncryptedData>
<CipherData/>

Either contains encrypted information inside
<CipherValue> or a reference to the resource
being encrypted inside <CipherReference>.
<CipherData/>
<EncryptedData >
<EncryptionMethod/>
<KeyInfo />
<CipherData>
<CipherValue />
<CipherReference URI="" />
</CipherData>
<EncryptionProperties/>
</EncryptedData>
<CipherValue/>

Contains Base-64 encoded encrypted
information.
<CipherData/>
<EncryptedData >
<EncryptionMethod/>
<KeyInfo />
<CipherData>
<CipherValue />
<CipherReference URI="" />
</CipherData>
<EncryptionProperties/>
</EncryptedData>
<CipherReference/>
• This element is used when the encrypted data is
located at a URI-addressable location.
• The URI attribute is used just as it is
in <Reference URI> in XML Signature.
• It also includes a <Transforms> element, which
contains a pipeline of <Transform> elements, as
in the case of XML Signature.
• The <Transform> element is defined under the XML
Signature namespace.
<CipherReference/>
<CipherReference
URI="http://www.example.com/CipherValues.xml"
>
<Transforms>
<ds:Transform Algorithm="../xmldsig#base64"/>
</Transforms>
</CipherReference>
XML-Encryption (Example)
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.w3.org/2001/04/xmlenc#Element'>
<EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
<ds:KeyInfo
xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:KeyName>John Smith</ds:KeyName>
</ds:KeyInfo>
<CipherData>
<CipherValue>DEADBEEF</CipherValue>
</CipherData>
</EncryptedData>
XML-Encryption (Example)
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.w3.org/2001/04/xmlenc#Element'>
<CipherData>
<CipherReference URI="http://…CipherValues.xml">
<Transforms>
<ds:Transform Algorithm="..">
<ds:XPath xmlns:rep=".."></ds:XPath>
</ds:Transform>
<ds:Transform Algorithm="..#base64"/>
</Transforms>
</CipherReference>
</CipherData>
</EncryptedData>
QUESTION 3

How can we use XML Encryption to encrypt non-XML attachments?
XML-Encryption
<EncryptedData >
<EncryptionMethod/>
<KeyInfo />
<CipherData />
<EncryptionProperties/>
</EncryptedData>
<EncryptionProperties/>
• Very similar to <SignatureProperties/>
• Holds useful information about the encryption
<EncryptedData Id="100">
<EncryptionProperties Id="101">
<EncryptionProperty Target="100">
<EncryptionDate>.....</EncryptionDate>
</EncryptionProperty>
</EncryptionProperties>
</EncryptedData>
XML-Encryption
<EncryptedData >
<EncryptionMethod/>
<KeyInfo />
<CipherData />
<EncryptionProperties/>
</EncryptedData>
<KeyInfo/>
• KeyInfo in XML Signature is about providing
the public key to verify the signature.
• In XML Encryption KeyInfo is about providing
an encryption key, that is almost always a
shared key.
• In XML Signature we can directly include the
key in it. But in XML Encryption we should
NOT.
• XML Encryption extends the XML Signature
KeyInfo with two new elements
<EncryptedKey> and <AgreementMethod>
<KeyInfo/>
Locating the Encryption key
• Leave out the key, assuming the receiving
end is aware of the encryption key.
• Provide a name or pointer that the
receiving end can use to locate the key.
• Encrypt the key using the public key of the
receiving end and include the encrypted
'encryption' key inside KeyInfo.
XML-Encryption (Example)
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
Type='http://www.w3.org/2001/04/xmlenc#Element'>
<EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
<ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
<ds:KeyName>John Smith</ds:KeyName>
</ds:KeyInfo>
<CipherData><CipherValue>DEADBEEF</CipherValue></CipherData>
</EncryptedData>
<AgreementMethod />
• A strategy for safely communicating a secret
key.
• <AgreementMethod> refers to a key
agreement protocol that is used to generate
the encryption key.
• Not commonly used – an optional element
<AgreementMethod/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<AgreementMethod Algorithm="example:Agreement/Algorithm">
<KA-Nonce>Zm9v</KA-Nonce>
<ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/>
<OriginatorKeyInfo>
<ds:KeyValue>....</ds:KeyValue>
</OriginatorKeyInfo>
<RecipientKeyInfo>
<ds:KeyValue>....</ds:KeyValue>
</RecipientKeyInfo>
</AgreementMethod>
</ds:KeyInfo>
<EncryptedKey/>
• <EncryptedKey> is simply another
<EncryptedData> element.
• Both extend <EncryptedType>
• Both do encryption - <EncryptedKey> encrypts
the shared key used to encrypt the message.
• Digital Enveloping / Key transport strategy
<EncryptedKey/>
We will have multiple <EncryptedData> elements
within the same XML document, and they will all
be referred to by a standalone <EncryptedKey>
element.
<EncryptedKey>
<ReferenceList>
<DataReference URI="100" />
<DataReference URI="101" />
</ReferenceList>
</EncryptedKey>
<ReferenceList/>
• <ReferenceList> is a child element of
<EncryptedKey>
• <ReferenceList> refers to the
<EncryptedData> elements which use the
same key to encrypt
<CarriedKeyName />
• With <ReferenceList> multiple
<EncryptedData> elements are referred
by a single <EncryptedKey> key element.
• The CarriedKeyName element is used to
identify the encrypted key value which
may be referenced by the KeyName
element in ds:KeyInfo
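A consistency check for the <ReferenceList> and <CarriedKeyName> linkage described above, added here as an illustration and not taken from the original slides. The Ids, key names and the leading '#' on the DataReference URIs are assumptions of the constructed sample; the slides' bare form (URI="100") is accepted as well.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"e": XENC, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: Ids and key names are made up, cipher data is left empty.
SAMPLE = """<Order xmlns:e='http://www.w3.org/2001/04/xmlenc#'
                  xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
  <e:EncryptedKey Id='ek1'>
    <e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>
    <e:ReferenceList>
      <e:DataReference URI='#ed1'/>
      <e:DataReference URI='#ed9'/>
    </e:ReferenceList>
    <e:CarriedKeyName>order-key</e:CarriedKeyName>
  </e:EncryptedKey>
  <e:EncryptedData Id='ed1'><e:CipherData/></e:EncryptedData>
  <e:EncryptedData Id='ed2'><ds:KeyInfo><ds:KeyName>order-key</ds:KeyName></ds:KeyInfo>
    <e:CipherData/></e:EncryptedData>
  <e:EncryptedData Id='ed3'><ds:KeyInfo><ds:KeyName>other-key</ds:KeyName></ds:KeyInfo>
    <e:CipherData/></e:EncryptedData>
</Order>"""

def resolve_keys(xml_text):
    """Map each EncryptedData Id to the EncryptedKey Id that covers it."""
    root = ET.fromstring(xml_text)
    data = {e.get("Id"): e for e in root.iter("{%s}EncryptedData" % XENC)}
    carried, by_reference, by_name, dangling, unresolved = {}, {}, {}, [], []
    for key in root.iter("{%s}EncryptedKey" % XENC):
        name = key.findtext("e:CarriedKeyName", namespaces=NS)
        if name:
            carried[name] = key.get("Id")
        for ref in key.findall("e:ReferenceList/e:DataReference", NS):
            target = ref.get("URI", "").lstrip("#")
            if target in data:
                by_reference[target] = key.get("Id")
            else:
                dangling.append(target)  # points at no EncryptedData in this document
    for ident, enc in data.items():
        if ident in by_reference:
            continue
        # Fall back to ds:KeyName matching a CarriedKeyName.
        name = enc.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS)
        if name in carried:
            by_name[ident] = carried[name]
        else:
            unresolved.append(ident)  # receiver must already know this key
    return by_reference, by_name, dangling, unresolved
```
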
XML-Encryption - Processing
• Choose an encryption algorithm
<EncryptionMethod/>
• Obtain an encryption key and optionally represent it
• Serialize message data to octets (a stream of
bytes)
• Encrypt the data
• Specify the <EncryptedData Type="">
• Complete the <EncryptedData> structure
Decryption Process
• Get algorithm, parameters and KeyInfo
• Locate the encryption key
• Decrypt data
• Process XML Elements and XML Element
Content
• If no <EncryptedData Type=""> is specified,
then the result of decryption is passed back to
the application.
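The first steps of the decryption process above, as an added example that is not part of the original slides: it reads the algorithm, key name and cipher data from each <EncryptedData> and reports what the Type attribute implies for the plaintext. The sample document is constructed from the slides' PaymentInfo example; no key lookup or decryption is performed, and a <CipherReference> URI is reported without being fetched.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"xenc": XENC, "ds": "http://www.w3.org/2000/09/xmldsig#"}
# The four algorithm identifiers listed on the <EncryptionMethod/> slide.
KNOWN = {XENC + s for s in ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")}
# What the Type attribute tells the decryptor to do with the plaintext.
OUTCOME = {"Element": "replace element", "Content": "replace element content"}

# Constructed sample input modelled on the slides' PaymentInfo example.
SAMPLE = """<PaymentInfo xmlns='http://example.org/paymentv2'>
  <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
                 Type='http://www.w3.org/2001/04/xmlenc#Element'>
    <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
    <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:KeyName>John Smith</ds:KeyName>
    </ds:KeyInfo>
    <CipherData><CipherValue>DEADBEEF</CipherValue></CipherData>
  </EncryptedData>
</PaymentInfo>"""

def read_encrypted_data(enc):
    """Collect what a decryptor needs before touching any key material."""
    method = enc.find("xenc:EncryptionMethod", NS)
    algorithm = method.get("Algorithm") if method is not None else None
    if algorithm not in KNOWN:
        raise ValueError(f"unsupported or missing algorithm: {algorithm!r}")
    value = enc.find("xenc:CipherData/xenc:CipherValue", NS)
    ref = enc.find("xenc:CipherData/xenc:CipherReference", NS)
    if (value is None) == (ref is None):
        raise ValueError("need exactly one of CipherValue / CipherReference")
    octets = None
    if value is not None:
        octets = base64.b64decode((value.text or "").strip(), validate=True)
    kind = (enc.get("Type") or "").rpartition("#")[2]
    return {
        "algorithm": algorithm,
        "key_name": enc.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS),
        "octets": octets,
        # The URI is only reported; fetching it is left to the caller's policy.
        "reference": ref.get("URI") if ref is not None else None,
        "outcome": OUTCOME.get(kind, "return octets to application"),
    }

def scan(xml_text):
    root = ET.fromstring(xml_text)
    return [read_encrypted_data(e) for e in root.iter("{%s}EncryptedData" % XENC)]
```
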