Download - XML Encryption
1
XML Encryption
Notes from http://www-106.ibm.com/developerworks/library/x-encrypt/index.html by Bilal Siddiqui
And “Secure XML” by Eastlake and Niles Addison Wesley
2
Not a replacement for SSL
• XML Encryption adds
Encrypting part of the data being exchanged
Secure sessions between more than two parties
3
General Form 1
<EncryptedData>
<CipherData>
<CipherValue>
Cipher Text Gibberish in Base 64
</CipherValue>
</CipherData>
</EncryptedData>
4
General Form 2
<EncryptedData>
<CipherData>
<CipherReference>
pointer (URL) to gibberish
</CipherReference>
</CipherData>
</EncryptedData>
5
• Replaces the encrypted element or
• Serves as the new document root
• May contain a KeyInfo element that describes the key needed for decryption (borrowed from XML Digital Signature)
EncryptedData is the core element
6
General Example (1)
<MedInfo> <ID> <Name> <Address> </ID> <Medical>…</Medical> <Financial>…</Financial></MedInfo>
7
General Example (2)
<MedInfo> <ID>….</ID> <EncryptedData> <KeyInfo> <KeyName>Medical </KeyInfo> <CipherData> <CipherValue> gibberish </EncryptedData>
8
General Example (3)
<Financial> <EncryptedData> <KeyInfo> <KeyName>Pay </KeyInfo> <CipherData> <CipherValue> gibberish
</EncryptedData></Finacial>
</MedInfo>
9
Detailed Example (Listing 1)
<purchaseOrder>
<Order>
<Item>book</Item>
<Id>123-958-74598</Id>
<Quantity>12</Quantity>
</Order>
<Payment>
<CardId>123654-8988889-9996874</CardId>
<CardName>visa</CardName>
<ValidDate>12-10-2004</ValidDate>
</Payment>
</purchaseOrder>
10
Encrypting the Entire File (Listing 2)
<?xml version='1.0' ?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.isi.edu/in-notes/iana/assignments/media-types/text/xml'>
<CipherData>
<CipherValue>A23B45C56</CipherValue>
</CipherData>
</EncryptedData>
IANA = Internet Assigned Numbers Authority a function of The Internet Corporationfor Assigned Names and Numbers
11
Encrypting The Payment (Listing 3)
<?xml version='1.0' ?> <PurchaseOrder> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> </Order> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C564587</CipherValue> </CipherData> </EncryptedData> </PurchaseOrder>
One element
12
Encrypting Only the CardId (Listing 4)
<?xml version='1.0' ?> <PurchaseOrder> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> </Order> <Payment> <CardId> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Content' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C564587</CipherValue> </CipherData> </EncryptedData> </CardId> <CardName>visa</CardName> <ValidDate>12-10-2004</CardName> </Payment> </PurchaseOrder>
13
Encrypting Non-XML Data(Listing 5)
<?xml version='1.0' ?>
<EncryptedData xmlns='http://www.w3.org/2001/04/xmlen#'
Type='http://www.isi.edu/in-notes/iana/assignments/media-types/jpeg' >
<CipherData>
<CipherValue>A23B45C56</CipherValue>
</CipherData>
</EncryptedData>
14
Sending a public key(listing 6)<?xml version='1.0' ?> <SecureCommunicationDemonstration> <EncryptedKey CarriedKeyName="Muhammad Imran" xmlns='http://www.w3.org/2001/04/xmlenc#'> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:KeyValue>1asd25fsdf2dfdsfsdfds2f1sd23 </ds:KeyValue> </ds:KeyInfo> </EncryptedKey></SecureCommunicationDemonstration>
15
Receiving a secret key encrypted to the public key (listing 7)
<?xml version='1.0' ?> <SecureCommunicationDemonstration> <EncryptedKey CarriedKeyName="Imran Ali" xmlns='http://www.w3.org/2001/04/xmlenc#'> <EncryptionMethod Algorithm= "http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> <CipherData> <CipherValue>xyza21212sdfdsfs7989fsdbc </CipherValue> </CipherData> </EncryptedKey></SecureCommunicationDemonstration>
16
Data Encrypted to Secret Key (Listing 8)
<?xml version='1.0' ?> <<SecureCommunicationDemonstration> <Order> <Item>book</Item> <Id>123-958-74598</Id> <Quantity>12</Quantity> <CardName>Visa</CardName> <ExpDate>10-10-2005</ExpDate> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc '/> <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:KeyName>Imran ali</ds:KeyName> </ds:KeyInfo> <CipherData> <CipherValue>A23B45C564587</CipherValue> </CipherData> </EncryptedData> </Order> </SecureCommunicationDemonstration>
17
The future ?
• Use XMLEncryption
• Use XMLSignature
• Use a new Public Key Infrastructure
18
XKMSPKI HOST
XMK Key Management Specification
Holds keys, certificates and certificate revocation list
Signer
VerifierSigned document
(SOAP)
Verify signatureX-KISSXML Key Information Service Specification
Register keyRevoke CertificateRecover KeyX-KRSSXML Key Registration Service Specification
Signer generates key pair or requests the pair from the PKI host Key registration request Certificate sent to Signer Signed document sent to Verifier Verifier requests certificate from PKI host Key and certificate sent to Verifier
(SO
AP
)(S
OA
P)
The Signer may request that a certificate be revokedThe Signer may request copy
of lost keys