2. XML Security
• Integrity and non-repudiation
XML Signature by W3C
http://www.w3.org/TR/xmldsig-core/
• Confidentiality of XML documents
XML Encryption by W3C
http://www.w3.org/TR/xmlenc-core/
3. XML-Encryption
• A W3C standard which followed XML
Signatures, for encrypting all of an XML
document, part of it or an external object.
• XML Signature points to what is being signed –
while in XML Encryption, <EncryptedData>
element contains what is being encrypted.
• XML Encryption shares the <KeyInfo> element
with XML Signature – which is defined under
XML Signature namespace.
4. XML-Encryption
• Encrypts XML with a symmetric key
• Symmetric key encryption is much more efficient
than asymmetric key encryption
5. QUESTION 1
What are the differences between symmetric
key encryption and asymmetric key encryption?
17. <CipherReference/>
• If the encrypted data is located at a
URI-addressable location, this element is
used.
• The URI attribute is used just as it is
in <Reference URI> in XML Signature
• This also includes a <Transforms> element, which
contains a pipeline of <Transform> elements, as
in the case of XML Signature.
• The <Transform> element is defined under the XML
Signature namespace
23. <EncryptionProperties/>
• Almost similar to <SignatureProperties/>
• Holds useful information about the encryption
<EncryptedData Id="100">
  <EncryptionProperties Id="101">
    <EncryptionProperty Target="100">
      <EncryptionDate>.....</EncryptionDate>
    </EncryptionProperty>
  </EncryptionProperties>
</EncryptedData>
25. <KeyInfo/>
• KeyInfo in XML Signature is about providing
the public key to verify the signature.
• In XML Encryption KeyInfo is about providing
an encryption key, that is almost always a
shared key.
• In XML Signature we can directly include the
key in it. But in XML Encryption we should
NOT.
• XML Encryption extends the XML Signature
KeyInfo with two new elements
<EncryptedKey> and <AgreementMethod>
26. <KeyInfo/>
Locating the Encryption key
• Leave out the key, assuming the receiving
end already knows the encryption key.
• Provide a name or pointer with which the
receiving end can locate the key.
• Encrypt the key using the public key of the
receiving end and include the encrypted
'encryption' key inside KeyInfo.
28. <AgreementMethod />
• A strategy for safely communicating a secret
key.
• <AgreementMethod> refers to a key
agreement protocol that is used to generate
the encryption key.
• Not commonly used – an optional element
30. <EncryptedKey/>
• <EncryptedKey> is simply another
<EncryptedData> element.
• Both extend <EncryptedType>
• Both do encryption: <EncryptedKey> encrypts
the shared key used to encrypt the message.
• Digital Enveloping / Key transport strategy
31. <EncryptedKey/>
We can have multiple <EncryptedData> elements
within the same XML document, all of them
referred to by a standalone <EncryptedKey>
element.
<EncryptedKey>
  <ReferenceList>
    <DataReference URI="100" />
    <DataReference URI="101" />
  </ReferenceList>
</EncryptedKey>
32. <ReferenceList />
• <ReferenceList> is a child element of
<EncryptedKey>
• <ReferenceList> refers to the
<EncryptedData> elements which use the
same key to encrypt
33. <CarriedKeyName />
• With <ReferenceList> multiple
<EncryptedData> elements are referred
by a single <EncryptedKey> key element.
• The CarriedKeyName element is used to
identify the encrypted key value which
may be referenced by the KeyName
element in ds:KeyInfo
34. XML-Encryption - Processing
• Choose an encryption algorithm
<EncryptionMethod/>
• Obtain an encryption key and, optionally, represent it
• Serialize message data to octets [ a stream of
bytes]
• Encrypt the data
• Specify the <EncryptedData Type="">
• Complete the <EncryptedData> structure
35. Decryption Process
• Get algorithm, parameters and KeyInfo
• Locate the encryption key
• Decrypt data
• Process XML Elements and XML Element
Content
• If no <EncryptedData Type=""> is specified,
then the result of decryption is passed back to
the application.
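The "locate the encryption key" step, worked through for the <EncryptedKey>, <ReferenceList> and <CarriedKeyName> slides, as an added example that is not part of the original slides. The function name locate_keys, the sample document and its Id values are constructed for illustration; only same-document references (URI="#id") are resolved.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

ENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"xenc": ENC, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: ed1 is listed in the EncryptedKey's ReferenceList, ed2 names
# the key through ds:KeyName, and "#ed9" points at no EncryptedData at all.
SAMPLE = f"""<Order xmlns:xenc="{ENC}" xmlns:ds="{NS['ds']}">
  <xenc:EncryptedKey Id="ek1">
    <xenc:EncryptionMethod Algorithm="{ENC}rsa-oaep-mgf1p"/>
    <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    <xenc:ReferenceList>
      <xenc:DataReference URI="#ed1"/><xenc:DataReference URI="#ed9"/>
    </xenc:ReferenceList>
    <xenc:CarriedKeyName>session-key</xenc:CarriedKeyName>
  </xenc:EncryptedKey>
  <xenc:EncryptedData Id="ed1" Type="{ENC}Element">
    <xenc:EncryptionMethod Algorithm="{ENC}aes128-cbc"/>
    <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <xenc:EncryptedData Id="ed2">
    <ds:KeyInfo><ds:KeyName>session-key</ds:KeyName></ds:KeyInfo>
    <xenc:CipherData><xenc:CipherValue>CCCC</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</Order>"""

def locate_keys(xml_text):
    """Return ({EncryptedData Id: key source}, [DataReference targets that do not resolve])."""
    root = ET.fromstring(xml_text)
    datas = {ed.get("Id"): ed for ed in root.iter(f"{{{ENC}}}EncryptedData")}
    by_ref, by_name = {}, {}
    for ek in root.iter(f"{{{ENC}}}EncryptedKey"):
        name = ek.findtext("xenc:CarriedKeyName", namespaces=NS)
        if name:
            by_name[name] = ek.get("Id")           # key reachable via ds:KeyName
        for ref in ek.findall("xenc:ReferenceList/xenc:DataReference", NS):
            by_ref[ref.get("URI", "").lstrip("#")] = ek.get("Id")
    located = {}
    for ed_id, ed in datas.items():
        key_name = ed.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS)
        if ed_id in by_ref:                        # listed in a ReferenceList
            located[ed_id] = "EncryptedKey:" + by_ref[ed_id]
        elif key_name in by_name:                  # KeyName matches a CarriedKeyName
            located[ed_id] = "EncryptedKey:" + by_name[key_name]
        else:                                      # named key, or no KeyInfo at all
            located[ed_id] = "KeyName:" + key_name if key_name else "out-of-band"
    return located, sorted(set(by_ref) - set(datas))

if __name__ == "__main__":
    print(locate_keys(SAMPLE))
```

A receiver can run this kind of structural check before any decryption and reject documents whose references do not resolve.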