Embed Size (px)
Citation preview
XML Encryption
Prabath SiriwardenaDirector, Security Architecture
XML Security• Integrity and non-repudiation
XML Signature by W3C http://www.w3.org/TR/xmldsig-core/
• Confidentiality of XML documents XML Encryption by W3C http://www.w3.org/TR/xmlenc-core/
XML-Encryption
• A W3C standard which followed XML Signatures, for encrypting all of an XML document, part of it or an external object.
• XML Signature points to what is being signed – while in XML Encryption, <EncryptedData> element contains what is being encrypted.
• XML Encryption shares the <KeyInfo> element with XML Signature – which is defined under XML Signature namespace.
XML-Encryption
• Encrypts XML with a symmetric key• Symmetric key encryption is much efficient
than asymmetric key encryption
QUESTION 1
What are the differences between Symmetric key encryption and Asymmetric key encryption ?
XML-Encryption (Example)
<PaymentInfo xmlns='http://example.org/paymentv2'> <Name>John Smith</Name> <CreditCard Limit='5,000' Currency='USD'> <Number>4019 2445 0277 5567</Number> <Issuer>Example Bank</Issuer> <Expiration>04/02</Expiration> </CreditCard> </PaymentInfo>
XML-Encryption (Example)
<PaymentInfo xmlns='http://example.org/paymentv2'> <Name>John Smith</Name> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C56</CipherValue> </CipherData> </EncryptedData> </PaymentInfo>
XML-Encryption<EncryptedData > <EncryptionMethod/> <KeyInfo /> <CipherData /> <EncryptionProperties/></EncryptedData>
<EncryptionMethod/>
• Specify the encryption algorithm to be used.– http://www.w3.org/2001/04/xmlenc#tripledes-cbc – http://www.w3.org/2001/04/xmlenc#aes128-cbc – http://www.w3.org/2001/04/xmlenc#aes256-cbc – http://www.w3.org/2001/04/xmlenc#aes192-cbc
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Element'/> <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:KeyName>John Smith</ds:KeyName> </ds:KeyInfo> <CipherData> <CipherValue>DEADBEEF</CipherValue> </CipherData> </EncryptedData>
XML-Encryption (Example)
QUESTION 2
Explain different types of cipher modes.
XML-Encryption<EncryptedData > <EncryptionMethod/> <KeyInfo /> <CipherData /> <EncryptionProperties/></EncryptedData>
<CipherData/>
Either contains encrypted information inside <CipherValue> or a reference to the resource being encrypted inside <CipherReference>.
<EncryptedData > <EncryptionMethod/> <KeyInfo /> <CipherData> <CipherValue />
<CipherReference URI=“” /> </CipherData>
<EncryptionProperties/></EncryptedData>
<CipherData/>
<CipherValue/>
Contains Base-64 encoded encrypted information.
<EncryptedData > <EncryptionMethod/> <KeyInfo /> <CipherData> <CipherValue />
<CipherReference URI=“” /> </CipherData>
<EncryptionProperties/></EncryptedData>
<CipherData/>
<CipherReference/>• If the encrypted resource information is located in
a URI – addressable location this element is being used.
• URI attribute is used just like the way it’s being used in <Reference URI> in XML Signature
• This also includes <Transforms> element which contain a pipeline of <Transform> elements – as in the case of XML Signature.
• <Transform> element defined under XML Signature namespace
<CipherReference/>
<CipherReference URI="http://www.example.com/CipherValues.xml">
<Transforms> <ds:Transform Algorithm=“../xmldsig#base64"/> </Transforms> </CipherReference>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Element'/> <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:KeyName>John Smith</ds:KeyName> </ds:KeyInfo> <CipherData> <CipherValue>DEADBEEF</CipherValue> </CipherData> </EncryptedData>
XML-Encryption (Example)
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Element'/> <CipherData>
<CipherReference URI="http://…CipherValues.xml"> <Transforms> <ds:Transform Algorithm=”.."> <ds:XPath xmlns:rep=“..”></ds:XPath> </ds:Transform> <ds:Transform Algorithm=”..#base64"/> </Transforms> </CipherReference> </CipherData> </EncryptedData>
XML-Encryption (Example)
QUESTION 3
How can we use XML Encryption to encrypt non-xml attachments ?
XML-Encryption<EncryptedData > <EncryptionMethod/> <KeyInfo /> <CipherData /> <EncryptionProperties/></EncryptedData>
<EncryptionProperties/>
• Almost similar to <SignatureProperties/>• Holds useful information about the
encryption
<EncryptData Id=“100”><EncryptionProperties Id=“101”>
<EncryptionProperty Target=“100”> <EncryptionDate>.....</EncryptionDate> </ EncryptionProperty>
</EncryptionProperties></EncryptData>
XML-Encryption<EncryptedData > <EncryptionMethod/> <KeyInfo /> <CipherData /> <EncryptionProperties/></EncryptedData>
<KeyInfo/>• KeyInfo in XML Signature is about providing the
public key to verify the signature.• In XML Encryption KeyInfo is about providing an
encryption key, that is almost always a shared key.• In XML Signature we can directly include the key
in it. But in XML Encryption we should NOT.• XML Encryption extends the XML Signature
KeyInfo with two new elements <EncryptedKey> and <AgreementMethod>
<KeyInfo/>
Locating the Encryption key• Leave out the key – assuming the receiving end
is aware of the encryption key.• Provide a name or pointer, where the receiving
end locate the key.• Encrypt the key using the public key of the
receiving end and include the encrypted ‘encryption’ key inside KeyInfo.
XML-Encryption (Example)
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Element'/> <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:KeyName>John Smith</ds:KeyName> </ds:KeyInfo> <CipherData><CipherValue>DEADBEEF</CipherValue></CipherData> </EncryptedData>
<AgreementMethod />
• A strategy for safely communicating a secret key.
• <AgreementMethod> refers to a key agreement protocol that is used to generate the encryption key.
• Not commonly used – an optional element
<AgreementMethod/> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <AgreementMethod Algorithm="example:Agreement/Algorithm"> <KA-Nonce>Zm9v</KA-Nonce> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"/> <OriginatorKeyInfo> <ds:KeyValue>....</ds:KeyValue> </OriginatorKeyInfo> <RecipientKeyInfo> <ds:KeyValue>....</ds:KeyValue> </RecipientKeyInfo> </AgreementMethod> </ds:KeyInfo>
<EncryptedKey/>
• <EncryptedKey> is simple another <EncryptedData> element.
• Both extends <EncryptedType>• Both do encryption - <EncryptedKey> encrypts
the shared key used to encrypt the message.• Digital Enveloping / Key transport strategy
<EncryptedKey/>We will have multiple <EncryptedData> elements within the same XML document and they all will be referred by a standalone <EncryptedKey> element.
<EncryptedKey> <ReferenceList> <DataReference URI=“100” /> <DataReference URI=“101” /> </ReferenceList> <EncryptedKey>
< ReferenceList />• <ReferenceList> is a child element of
<EncryptedKey>• <ReferenceList> refers to the
<EncryptedData> elements which use the same key to encrypt
<CarriedKeyName />
• With <ReferenceList> multiple <EncryptedData> elements are referred by a single <EncryptedKey> key element.
• The CarriedKeyName element is used to identify the encrypted key value which may be referenced by the KeyName element in ds:KeyInfo
XML-Encryption - Processing
• Choose an encryption algorithm <EncryptionMethod/>
• Obtain an encryption key and may represent it• Serialize message data to octets [ a stream of
bytes]• Encrypt the data• Specify the <EncryptedData Type=“”>• Complete the <EncryptedData> structure
Decryption Process
• Get algorithm, parameters and KeyInfo• Locate the encryption key• Decrypt data• Process XML Elements and XML Element
Content• If no <EncryptionData Type=“”> specified
then the result of encryption is passed back to the application.
lean . enterprise . middleware
