
XML Encryption: Netaji Subhash Engineering College

This document provides an overview of XML encryption. It defines XML encryption, describes its development to address limitations of SSL/TLS, and outlines three common encryption procedures: symmetric, asymmetric-symmetric combination, and X.509 certificates. The document also discusses two approaches for storing encrypted data and provides an example of encrypting an XML element using asymmetric encryption.

Uploaded by

Sayan_tan
Copyright
© Attribution Non-Commercial (BY-NC)

XML ENCRYPTION

NETAJI SUBHASH ENGINEERING COLLEGE

SAYANTAN BHATTACHARYA

CSE, 4TH YEAR

UNIV ROLL: 071090101012

UNIV REG NO: 071090101101012


XML ENCRYPTION
Definition of XML encryption.
XML Encryption provides end-to-end security for applications that require secure exchange of
structured data. XML itself is the most popular technology for structuring data, and therefore
XML-based encryption is the natural way to handle complex requirements for security in data
interchange applications.

Reason behind its development.

Currently, Transport Layer Security (TLS) is the de facto standard for secure communication
over the Internet. TLS is an end-to-end security protocol that follows the famous Secure Socket
Layer (SSL). SSL was originally designed by Netscape, and its version 3.0 was later adapted by
the Internet Engineering Task Force (IETF) while they were designing TLS. This is a very secure
and reliable protocol that provides end-to-end security sessions between two parties. XML
Encryption is not intended to replace or supersede SSL/TLS. Rather, it provides a mechanism for
security requirements that are not covered by SSL. The following are two important areas not
addressed by SSL:

• Encrypting part of the data being exchanged
• Secure sessions between more than two parties

With XML Encryption, each party can maintain secure or insecure states with any of the
communicating parties. Both secure and non-secure data can be exchanged in the same
document. For example, think of a secure chat application containing a number of chat rooms
with several people in each room. XML-encrypted files can be exchanged between chatting
partners so that data intended for one room will not be visible to other rooms.

Brief description.

There are three procedures to XML Encryption.

1. SYMMETRIC ENCRYPTION

Only one session key is used: the same key that encrypts the XML is used to decrypt it. The key
is not stored with the encrypted XML, so it must be loaded during the process and protected
when stored.

2. COMBINATION OF ASYMMETRIC AND SYMMETRIC ENCRYPTION


The dual approach requires a symmetric session key to encrypt the data and an asymmetric key
to protect the session key. Both the encrypted session key and the encrypted data are stored
together in the xml document. The public asymmetric key is used to encrypt the session key
while the private asymmetric key is used to decrypt the key.

3. X.509 CERTIFICATE.

This approach uses an X.509 certificate as the symmetrical key. X.509 certificates are provided by
a third-party vendor such as VeriSign.

Approaches

XML encryption, regardless of how the encryption is performed, can store the encrypted data in
one of two ways.

1. After encryption the whole element is replaced with an element named <EncryptedData>.
2. After encryption only the data in the element is replaced and its name remains readable
in the document.

The difference is very subtle but it’s rather important. For example:

Your XML document contains a root element called <employee> that contains a child element
called <WrittenWarning> in which details of disciplinary action are stored. If you were sending
this XML and wanted the <WrittenWarning> element's details protected, with approach 1 the
<WrittenWarning> is replaced with an element called <EncryptedData> and no information
can be gathered from the document.

With approach 2, however, the <WrittenWarning> element stays and only the data is encrypted.
Anyone who intercepted this document might not know the specific details of the disciplinary
action, but they will still know that something has happened with that employee. Any attributes
on the <WrittenWarning> element are also not encrypted.

So the approach you take depends on what the data is and how much information you want to
give away. In .NET v2.0 deciding on which approach to take is specified using a Boolean value
and can be easily modified.

Example of XML Encryption

Below is an example of XML encryption using the asymmetric approach where the author
element in the xml document is replaced with an <EncryptedData> element.

The XML Document

<?xml version="1.0" standalone="no"?>
<article>
  <articleinfo>
    <title>XPath Queries on XmlDocument objects in .NET 1.1</title>
    <abstract>
      <para>This article covers the basics.</para>
    </abstract>
    <author>
      <honorific>Mr.</honorific>
      <firstname>George</firstname>
      <surname>James</surname>
      <email>[email protected]</email>
    </author>
  </articleinfo>
</article>

XPath expression = /article/articleinfo/author

The encrypted XML Document

<?xml version="1.0" standalone="no"?>
<article>
  <articleinfo>
    <title>XPath Queries on XmlDocument objects in .NET 1.1</title>
    <abstract>
      <para>This article covers the basics.</para>
      <para>This article does not cover.</para>
    </abstract>
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
        xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod
           Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod
               Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>session</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>r4f7SI1aZKSvibb…</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>sGNhKqcSovipJdOFCFKYEEMRFd…</CipherValue>
      </CipherData>
    </EncryptedData>
  </articleinfo>
</article>

The author element and its children have been replaced with the <EncryptedData> element
which contains a number of other elements that are used to describe the encrypted data, i.e. the
encryption algorithms used, the session key used, etc.

The <EncryptedData> element

Looking at the tree hierarchy of the <EncryptedData> element you can see the
<EncryptedData> element is broken down into a number of child elements. The <KeyInfo>
element is the same as the <KeyInfo> element used in XML Digital Signatures.

The EncryptedData element is contained in the "http://www.w3.org/2001/04/xmlenc#"
namespace. It is the root of the encrypted data.

The EncryptionMethod element is used to specify the symmetric method used when encrypting
the data. It does this by using an Algorithm attribute containing a W3 URL that describes the
method used. "http://www.w3.org/2001/04/xmlenc#aes256-cbc" indicates the data was encrypted
using AES (Rijndael) with a 256k key size.

The KeyInfo element is borrowed from XML Digital Signatures and is used to store information
about the symmetric keys. The KeyInfo element can store information about more than one key.

The EncryptedKey element and its child elements contain information about one key stored in a
KeyInfo element.

The EncryptionMethod element of the KeyInfo contains the asymmetric encryption method
used to encrypt the session key. It does this using an Algorithm attribute set to a W3 URL. For
example, http://www.w3.org/2001/04/xmlenc#rsa-1_5 indicates that RSA asymmetric
encryption was used to encrypt the session key.

The KeyName element is an identifier used to find the key. You’ll see the importance of this later
when it comes to coding XML Encryption.

The CipherData and CipherValue elements that are found as part of the EncryptedKey
and EncryptedData elements contain the cipher data. The actual cipher data is stored in the
CipherValue element. The CipherValue of the EncryptedKey element stores the encrypted key,
while the encrypted data is stored in the CipherValue of the EncryptedData element.
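
The following Python example is added here and is not part of the original document. It reads the EncryptedData structure described above and reports the data algorithm, the key transport algorithm, the KeyName and, for approach 2 (content encryption), which element name and attributes stay readable. The sample document, its level attribute, the cipher values, the describe function and the wording of its notes are constructed for this example.

```python
import xml.etree.ElementTree as ET

ENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
NS = {"xenc": ENC, "ds": DSIG}

# Constructed sample: approach 2 (content encryption) applied to <WrittenWarning>.
# The level attribute and the CipherValue strings are placeholders, not real data.
SAMPLE = f"""<employee>
  <WrittenWarning level="2">
    <EncryptedData xmlns="{ENC}" Type="{ENC}Content">
      <EncryptionMethod Algorithm="{ENC}aes256-cbc"/>
      <KeyInfo xmlns="{DSIG}">
        <EncryptedKey xmlns="{ENC}">
          <EncryptionMethod Algorithm="{ENC}rsa-1_5"/>
          <KeyInfo xmlns="{DSIG}"><KeyName>session</KeyName></KeyInfo>
          <CipherData><CipherValue>UExBQ0VIT0xERVI=</CipherValue></CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData><CipherValue>UExBQ0VIT0xERVI=</CipherValue></CipherData>
    </EncryptedData>
  </WrittenWarning>
</employee>"""

def describe(xml_text):
    """One report per EncryptedData: algorithms, key name, and what stays readable."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    reports = []
    for ed in root.iter(f"{{{ENC}}}EncryptedData"):
        def alg(path):
            node = ed.find(path, NS)
            return None if node is None else node.get("Algorithm", "").rsplit("#", 1)[-1]
        key_path = "ds:KeyInfo/xenc:EncryptedKey/"
        report = {
            "type": ed.get("Type", "").rsplit("#", 1)[-1],  # "Element" or "Content"
            "data_alg": alg("xenc:EncryptionMethod"),
            "key_alg": alg(key_path + "xenc:EncryptionMethod"),
            "key_name": ed.findtext(key_path + "ds:KeyInfo/ds:KeyName", namespaces=NS),
            "notes": [],
        }
        if (report["data_alg"] or "").endswith("-cbc"):
            report["notes"].append("CBC gives no integrity: pair with XML Digital Signature")
        if report["key_alg"] == "rsa-1_5":
            report["notes"].append("PKCS#1 v1.5 key transport: prefer RSA-OAEP")
        parent = parent_of.get(ed)
        if report["type"] == "Content" and parent is not None:
            report["notes"].append(f"readable: <{parent.tag}> attributes {sorted(parent.attrib)}")
        reports.append(report)
    return reports
```

Calling describe(SAMPLE) returns one report; the same document with Type set to Element drops the "readable" note, which is the difference between the two storage approaches.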
Asymmetric XML encryption & decryption process
Asymmetric XML Encryption Process

The process of XML encryption can be summarized in five steps:

1. Select an element in an XML document (selecting the root will encrypt the whole
document).
2. Encrypt the element using a symmetric encryption key, known as the session key.
3. Encrypt the session key using asymmetric encryption (the public key is used).
4. Create an EncryptedData element which will contain the encrypted data and the
encrypted session key.
5. Replace the original element with the EncryptedData element.

Most of the steps are performed automatically for you by .NET v2.0 classes.

Namespaces

The classes needed to perform XML Encryption can be found in three namespaces.

• System.Xml – contains XML classes that are needed to contain XML data.
• System.Security.Cryptography – contains encryption classes used to generate encryption keys.
• System.Security.Cryptography.Xml – contains XML Encryption classes that are used to perform
the encryption.

Asymmetric XML Decryption Process

The process of decrypting the XML can be summarized into four steps:

1. Select the EncryptedData element in an XML document.
2. Decrypt the session key using an asymmetric key (the private key is used).
3. Decrypt the cipher data using the unencrypted symmetric session key.
4. Replace the EncryptedData element with the unencrypted element.

XML Encryption implementation details

Two methods have been added to service the encryption requirements of different types of data
(encryption granularity):

• encryptElementOfXmlFile for encrypting a particular element in the XML file
• encryptElementContentOfXmlFile for encrypting the content of a particular element in
the XML file

An online book-buyer can secure the sensitive information in the purchase order by employing
any of the following three XML encryption methods:

1. Encrypt a complete XML file
2. Encrypt an element in an XML file
3. Encrypt an element's content in an XML file

1. Encrypt a complete XML file with XML Encryption

The book-buyer can encrypt the entire Order.xml file to produce an XML-encrypted file, which
can then be sent to the publisher's sales department. Although this provides relevant security
through the end-to-end communication link, the book-buyer's security policy is violated. This
policy requires concealing the payment information in the sales department and revealing it in
the accounts department. In this case, the whole XML document is decrypted by the sales
department and the payment information is disclosed. Therefore this approach does not seem
suitable, although it can be practical if you use super encryption.

2. Encrypt an element in an XML file with XML Encryption

The book-buyer can encrypt the payment information portion of the XML file with the accounts
department's secret key, and keep the rest of the file content unencrypted for the sales
department to view.

This processing can be performed by encrypting the Payment element in the Order.xml file. The
credit card information becomes secure. Since the security requirement dictates that the means
of payment (such as credit card or bank check) must be hidden from unauthorized viewers,
encrypting the Payment element pays off.

Super encryption

When you use super encryption, you can encrypt just the payment information with the accounts
department's secret key to produce an element-encrypted XML file. This resultant file is then
completely encrypted using the sales department's secret key, thus resulting in a
super-encrypted XML file.

3. Encrypt an element's content in an XML file with XML Encryption

The third encryption option the books-seller can exercise is to encrypt only the credit card
number in Order.xml. The element content encryption method is invoked, which encrypts only
the textual content of the card number. This raises an important question: Why do you need to
come up with content encryption when the same can be accomplished using element encryption?
The use of either method depends on the security policy for the document; if there is a specific
need to disclose the name of the element or its attributes, while keeping its content secure,
content encryption comes in handy.
5. Algorithms used for XML encryption.

This section discusses algorithms used with the XML Encryption specification. Entries contain
the identifier to be used as the value of the Algorithm attribute of the EncryptionMethod
element or other element representing the role of the algorithm, a reference to the formal
specification, definitions for the representation of keys and the results of cryptographic
operations where applicable, and general applicability comments.

Table of Algorithms

The table below lists the categories of algorithms. Within each category, a brief name, the level
of implementation requirement, and an identifying URI are given for each algorithm.

Block Encryption

1. REQUIRED TRIPLEDES
2. REQUIRED AES-128
3. REQUIRED AES-256
4. OPTIONAL AES-192

Stream Encryption

1. none

Key Transport

1. REQUIRED RSA-v1.5
2. REQUIRED RSA-OAEP

Key Agreement

1. OPTIONAL Diffie-Hellman

Symmetric Key Wrap

1. REQUIRED TRIPLEDES KeyWrap
2. REQUIRED AES-128 KeyWrap
3. REQUIRED AES-256 KeyWrap
4. OPTIONAL AES-192 KeyWrap

Message Digest

1. REQUIRED SHA1
2. RECOMMENDED SHA256
3. OPTIONAL SHA512
4. OPTIONAL RIPEMD-160

Message Authentication

1. RECOMMENDED XML Digital Signature

Canonicalization

1. OPTIONAL Canonical XML (omits comments)
2. OPTIONAL Canonical XML with Comments
3. OPTIONAL Exclusive XML Canonicalization (omits comments)
4. OPTIONAL Exclusive XML Canonicalization with Comments

Encoding

1. REQUIRED base64

6. Conclusion.

XML Encryption is a W3C standard for encrypting XML. It does this in such a way that the
encrypted data remains XML and can be treated as XML. It uses both asymmetric and symmetric
encryption algorithms, symmetric to encrypt the data and asymmetric to encrypt the symmetric
session key. Both the session key and the cipher data are stored together in an XML element
called EncryptedData. The EncryptedData element contains a series of child elements that
describe the algorithms used during the encryption process, as well as containing key
information and the cipher data.
