xml encryption

Post on 31-Dec-2015


DESCRIPTION

XML Encryption. Notes from http://www-106.ibm.com/developerworks/library/x-encrypt/index.html by Bilal Siddiqui and “Secure XML” by Eastlake and Niles (Addison-Wesley). Not a replacement for SSL: XML Encryption adds the ability to encrypt only part of the data being exchanged. PowerPoint PPT presentation.

TRANSCRIPT

1

XML Encryption

Notes from http://www-106.ibm.com/developerworks/library/x-encrypt/index.html by Bilal Siddiqui

and “Secure XML” by Eastlake and Niles, Addison-Wesley

2

Not a replacement for SSL

• XML Encryption adds:

    Encrypting part of the data being exchanged

    Secure sessions between more than two parties

3

General Form 1

<EncryptedData>
  <CipherData>
    <CipherValue>
      Cipher Text Gibberish in Base 64
    </CipherValue>
  </CipherData>
</EncryptedData>

4

General Form 2

<EncryptedData>
  <CipherData>
    <CipherReference>
      pointer (URL) to gibberish
    </CipherReference>
  </CipherData>
</EncryptedData>

5

EncryptedData is the core element

• Replaces the encrypted element, or

• Serves as the new document root

• May contain a KeyInfo element that describes the key needed for decryption (borrowed from XML Digital Signature)

6

General Example (1)

<MedInfo>
  <ID>
    <Name>…</Name>
    <Address>…</Address>
  </ID>
  <Medical>…</Medical>
  <Financial>…</Financial>
</MedInfo>

7

General Example (2)

<MedInfo>
  <ID>…</ID>
  <EncryptedData>
    <KeyInfo>
      <KeyName>Medical</KeyName>
    </KeyInfo>
    <CipherData>
      <CipherValue>gibberish</CipherValue>
    </CipherData>
  </EncryptedData>

8

General Example (3)

  <Financial>
    <EncryptedData>
      <KeyInfo>
        <KeyName>Pay</KeyName>
      </KeyInfo>
      <CipherData>
        <CipherValue>gibberish</CipherValue>
      </CipherData>
    </EncryptedData>
  </Financial>
</MedInfo>

9

Detailed Example (Listing 1)

<purchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <Payment>
    <CardId>123654-8988889-9996874</CardId>
    <CardName>visa</CardName>
    <ValidDate>12-10-2004</ValidDate>
  </Payment>
</purchaseOrder>

10

Encrypting the Entire File (Listing 2)

<?xml version='1.0' ?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
    Type='http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml'>
  <CipherData>
    <CipherValue>A23B45C56</CipherValue>
  </CipherData>
</EncryptedData>

IANA = Internet Assigned Numbers Authority, a function of the Internet Corporation for Assigned Names and Numbers (ICANN)

11

Encrypting The Payment (Listing 3)

<?xml version='1.0' ?>
<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData>
      <CipherValue>A23B45C564587</CipherValue>
    </CipherData>
  </EncryptedData>
</PurchaseOrder>

One element: the whole <Payment> element is replaced by EncryptedData (Type '…#Element').

12

Encrypting Only the CardId (Listing 4)

<?xml version='1.0' ?>
<PurchaseOrder>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
  </Order>
  <Payment>
    <CardId>
      <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content' xmlns='http://www.w3.org/2001/04/xmlenc#'>
        <CipherData>
          <CipherValue>A23B45C564587</CipherValue>
        </CipherData>
      </EncryptedData>
    </CardId>
    <CardName>visa</CardName>
    <ValidDate>12-10-2004</ValidDate>
  </Payment>
</PurchaseOrder>
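The two placements shown in Listings 3 and 4 (Type '…#Element' replaces the <Payment> element itself, Type '…#Content' keeps <CardId> and replaces only what is inside it), plus the KeyInfo/KeyName lookup on the receiving side, worked through as an added Python example that is not from the slides or the IBM article. It assumes a constructed purchase order, a standard-library SHA-256 counter-mode keystream in place of the tripledes-cbc/aes-cbc algorithms the specification names, and the placeholder algorithm URI urn:example:sha256-ctr-placeholder.

```python
import base64, hashlib, os, xml.etree.ElementTree as ET
XENC, DS = "http://www.w3.org/2001/04/xmlenc#", "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("xenc", XENC); ET.register_namespace("ds", DS)
# Constructed sample input: the purchase order of Listing 1 with whitespace removed.
PURCHASE_ORDER = ("<PurchaseOrder><Order><Item>book</Item><Id>123-958-74598</Id>"
    "<Quantity>12</Quantity></Order><Payment><CardId>123654-8988889-9996874</CardId>"
    "<CardName>visa</CardName><ValidDate>12-10-2004</ValidDate></Payment></PurchaseOrder>")

def keystream_xor(key, nonce, data):
    # Assumption: SHA-256 counter-mode keystream stands in for the spec's tripledes-cbc/aes-cbc.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_xml(xml_text, tag, key_name, key, content_only):
    """Type=Element replaces <tag> itself (Listing 3); Type=Content replaces only its inside (Listing 4)."""
    root = ET.fromstring(xml_text)
    parent = next(p for p in root.iter() if p.find(tag) is not None)
    target = parent.find(tag)
    plain = ((target.text or "").encode() + b"".join(ET.tostring(c) for c in target)
             if content_only else ET.tostring(target))
    nonce = os.urandom(8)  # prepended to the ciphertext so the receiver can rebuild the keystream
    enc = ET.Element(f"{{{XENC}}}EncryptedData", Type=XENC + ("Content" if content_only else "Element"))
    ET.SubElement(enc, f"{{{XENC}}}EncryptionMethod", Algorithm="urn:example:sha256-ctr-placeholder")
    ET.SubElement(ET.SubElement(enc, f"{{{DS}}}KeyInfo"), f"{{{DS}}}KeyName").text = key_name
    cv = ET.SubElement(ET.SubElement(enc, f"{{{XENC}}}CipherData"), f"{{{XENC}}}CipherValue")
    cv.text = base64.b64encode(nonce + keystream_xor(key, nonce, plain)).decode()
    if content_only:
        target.text, target[:] = None, [enc]      # <tag> stays, its content becomes EncryptedData
    else:
        parent.insert(list(parent).index(target), enc); parent.remove(target)  # <tag> is gone
    return ET.tostring(root, encoding="unicode")

def decrypt_xml(xml_text, keys):
    # keys maps a KeyName (the name an EncryptedKey carries as CarriedKeyName) to key bytes.
    root = ET.fromstring(xml_text)
    for parent in list(root.iter()):
        for enc in [c for c in parent if c.tag == f"{{{XENC}}}EncryptedData"]:
            ct = base64.b64decode(enc.findtext(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue"))
            plain = keystream_xor(keys[enc.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}KeyName")], ct[:8], ct[8:])
            idx, kind = list(parent).index(enc), enc.get("Type"); parent.remove(enc)
            if kind == XENC + "Element":
                parent.insert(idx, ET.fromstring(plain))
            elif kind == XENC + "Content":   # plaintext may be text, child elements, or both
                wrapped = ET.fromstring(b"<w>" + plain + b"</w>")
                parent.text, parent[idx:idx] = wrapped.text, list(wrapped)
            else: raise ValueError("unsupported Type " + str(kind))
    return ET.tostring(root, encoding="unicode")
```

ElementTree declares the xenc and ds prefixes on the root element rather than a default xmlns on EncryptedData as the listings do; both serializations are the same XML.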

13

Encrypting Non-XML Data (Listing 5)

<?xml version='1.0' ?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#'
    Type='http://www.isi.edu/in-notes/iana/assignments/media-types/jpeg'>
  <CipherData>
    <CipherValue>A23B45C56</CipherValue>
  </CipherData>
</EncryptedData>

14

Sending a public key (Listing 6)

<?xml version='1.0' ?>
<SecureCommunicationDemonstration>
  <EncryptedKey CarriedKeyName="Muhammad Imran" xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
      <ds:KeyValue>1asd25fsdf2dfdsfsdfds2f1sd23</ds:KeyValue>
    </ds:KeyInfo>
  </EncryptedKey>
</SecureCommunicationDemonstration>

15

Receiving a secret key encrypted to the public key (listing 7)

<?xml version='1.0' ?>
<SecureCommunicationDemonstration>
  <EncryptedKey CarriedKeyName="Imran Ali" xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
    <CipherData>
      <CipherValue>xyza21212sdfdsfs7989fsdbc</CipherValue>
    </CipherData>
  </EncryptedKey>
</SecureCommunicationDemonstration>

16

Data Encrypted to Secret Key (Listing 8)

<?xml version='1.0' ?>
<SecureCommunicationDemonstration>
  <Order>
    <Item>book</Item>
    <Id>123-958-74598</Id>
    <Quantity>12</Quantity>
    <CardName>Visa</CardName>
    <ExpDate>10-10-2005</ExpDate>
    <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'>
      <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/>
      <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
        <!-- must match the CarriedKeyName of the EncryptedKey in Listing 7 -->
        <ds:KeyName>Imran Ali</ds:KeyName>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue>A23B45C564587</CipherValue>
      </CipherData>
    </EncryptedData>
  </Order>
</SecureCommunicationDemonstration>

17

The future?

• Use XML Encryption

• Use XML Signature

• Use a new Public Key Infrastructure

18

XKMS: XML Key Management Specification

PKI host: holds keys, certificates and the certificate revocation list.

X-KISS (XML Key Information Service Specification): the Verifier asks the PKI host to verify a signature (over SOAP).

X-KRSS (XML Key Registration Service Specification): the Signer registers a key, revokes a certificate or recovers a key (over SOAP).

Flow between Signer, Verifier and PKI host:

• The Signer generates a key pair or requests the pair from the PKI host

• Key registration request

• Certificate sent to the Signer

• Signed document sent to the Verifier

• The Verifier requests the certificate from the PKI host

• Key and certificate sent to the Verifier

The Signer may request that a certificate be revoked. The Signer may request a copy of lost keys.
