XML-Encryption Facts

This document provides facts related to XML-Encryption for usage in the written part of my diploma thesis.

General

  • specification from the W3C [On02]
  • provides not only a way of encrypting portions of XML documents, but also a means of encrypting any data and rendering the encrypted data in XML format [On02]
  • does not introduce any new cryptography algorithms or techniques [On02]
  • provides a way to format the meta-information about which algorithm was used, and when the encryption occurred [On02]
  • prior to XML Encryption the only standardization of encryption data was for e-mail messages (that is, S/MIME). If an organization wished to send encrypted data to another organization, both organizations would have to agree on the format of the encrypted data, how and which algorithms to use, and possibly also how to send an encrypted key. [On02]
  • defines an XML syntax for representing encrypted data and establishes procedures for encrypting and decrypting such data [Sh03]
  • can encrypt only the data that needs to be encrypted [Sh03]
  • XML Encryption relies entirely on the XML Digital Signature specification for key exchange [Si02a]

What is XML-Encryption?

Article found: Web Service Security [On02]
Fact: XML Encryption is not a replacement for SSL. SSL is still the de facto choice for confidentiality between two entities that are communicating using HTTP. However, if the security context extends beyond this individual HTTP connection, XML Encryption is ideal for confidentiality. The capability to encrypt XML is nothing new, because XML is just text after all. However, the ability to selectively encrypt XML data is what makes XML Encryption so useful for Web Services. Encrypting an entire SOAP message is counterproductive, because the SOAP message must include enough information to be useful - routing information, for example. Selectively encrypting data in the SOAP message is useful, however. Certain information may be hidden from SOAP intermediaries as it travels from the originator to the destination Web Service.

Article found: XML Security: Implement security layers, Part 2 - Core technologies -- XML encryption and XML signature [Ve03b]
Fact: The primary objectives of XML encryption are:
  • Support the encryption of any arbitrary digital content, including XML documents
  • Ensure that the encrypted data, whether it's in transit or in storage, cannot be accessed by unauthorized persons
  • Maintain the security of the data even beyond one message hop -- meaning, the security of the data is persisted not only when the data is being transferred (which is what SSL guarantees), but also when the data is at rest at a particular node
  • Represent the encrypted data in XML form
  • Make it possible for portions of the XML to be selectively encrypted

Encryption Granularity

Article found: XML Security: Implement security layers, Part 1 - Basic plumbing technologies [Ve03a]
Fact: Encryption granularity can be further refined by specifying whether the encryption is of type element or content:
  • element: encrypts the entire element, including attributes, and replaces it with an EncryptedData element
  • content: only the child nodes of the element are encrypted and replaced with an EncryptedData element

Article found: Exploring XML Encryption, Part 2 - Implement an XML Encryption engine [Si02b]
Fact: With the XML Encryption specification, you can re-encrypt an XML-encrypted file, which results in a super-encrypted XML file. But you cannot encrypt a particular child of the EncryptedData or EncryptedKey elements using XML encryption. In other words, an EncryptedData element cannot be the parent or child of another EncryptedData element.
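
Added example (not taken from any of the cited articles): a small audit that reports, for each EncryptedData element, which granularity was used and what an intermediary can still read around it, and that flags the nesting the specification forbids. It assumes the namespace and Type URIs of the final W3C Recommendation, which differ from the draft namespace in the sample further down; the function names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"  # namespace of the W3C Recommendation
ENC_DATA = "{%s}EncryptedData" % XENC

# Constructed sample: one Content-type and one Element-type EncryptedData.
SAMPLE = """<purchaseOrder xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <name>Alice Smith</name>
  <payment method="card" currency="USD">
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData><xenc:CipherValue>QTIzQjQ1</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </payment>
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:CipherData><xenc:CipherValue>QzU2RDc4</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
  <quantity>1</quantity>
</purchaseOrder>"""

# Constructed invalid sample: EncryptedData as a direct child of EncryptedData.
NESTED = """<doc xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptedData><xenc:EncryptedData/></xenc:EncryptedData>
</doc>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (findings, violations): what stays readable around each EncryptedData."""
    root = ET.fromstring(xml_text)  # use a hardened parser for untrusted input
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings, violations = [], []
    for enc in root.iter(ENC_DATA):
        parent = parent_of.get(enc)
        if parent is not None and parent.tag == ENC_DATA:
            violations.append("EncryptedData nested directly inside EncryptedData")
            continue
        type_uri = enc.get("Type", "")  # the Type attribute is optional
        kind = type_uri[len(XENC):] if type_uri.startswith(XENC) else "unspecified"
        findings.append({
            "type": kind,
            "parent": local(parent.tag) if parent is not None else None,
            # Content granularity leaves the protected element's own attributes readable.
            "exposed_attributes": dict(parent.attrib) if kind == "Content" and parent is not None else {},
            "cleartext_siblings": [local(c.tag) for c in parent if c.tag != ENC_DATA] if parent is not None else [],
        })
    return findings, violations
```

Calling audit(SAMPLE) shows that the content-type encryption under payment still exposes the method and currency attributes, while the element-type encryption exposes only its cleartext siblings.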

Advantages over SSL

Article found: XML Security: Implement security layers, Part 2 - Core technologies -- XML encryption and XML signature [Ve03b]
Fact: Using SSL over HTTP, the entire message gets encrypted; the whole message is then decrypted at the first destination and is open for snooping before it is encrypted again as a whole for the second hop. The encryption offered by SSL over HTTP only exists for the duration of transit and is not persistent.

XML-Elements

Article found: XML Security: Implement security layers, Part 2 - Core technologies -- XML encryption and XML signature [Ve03b]
Fact:
  • <EncryptedData> contains all of the encrypted content other than the encryption key
  • <EncryptedKey> contains the encrypted key (when encrypted)

Samples

Article found: Secure Web services [Sh03]
Sample:

<purchaseOrder>
  <name>Alice Smith</name>
  <address> ... </address>

  <EncryptedData xmlns='http://www.w3.org/2000/11/temp-xmlenc'>
    <EncryptionMethod Algorithm="urn:nist-gov:tripledes-ede-cbc">
      <s0:IV xmlns:s0='http://somens'>ABCD</s0:IV>
    </EncryptionMethod>
    <KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'>
      <KeyName>SharedKey</KeyName>
    </KeyInfo>
    <CipherData>A23B45C56</CipherData>
  </EncryptedData>

  <prodNumber>8a32gh19908</prodNumber>
  <quantity>1</quantity>
</purchaseOrder>