Copyright © 2002 W3C® (MIT, INRIA, Keio), All Rights Reserved. W3C liability, trademark, document use and software licensing rules apply.
This document specifies a process for encrypting data and representing the result in XML. The data may be arbitrary data (including an XML document), an XML element, or XML element content. The result of encrypting data is an XML Encryption element which contains or references the cipher data.
This specification from the XML Encryption Working Group (Activity) is a Candidate Recommendation of the W3C. The Working Group believes this specification incorporates the resolution of all last call issues; furthermore it considers the specification to be stable and invites implementation feedback during this period.
The exit criteria for this phase is at least two interoperable implementations over every feature, one implementation of all features, and one report of satisfaction in an application context (e.g., SOAP, SAML, etc.) Note, this specification already has significant implementation experience which will soon be reflected in its Interoperability Report. We expect to meet all requirements of that report within the two month Candidate Recommendation period (closing April 25). Specific areas where we would appreciate further experience are:
Publication of this document does not imply endorsement by the W3C membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite a W3C Working Draft as anything other than a "work in progress." A list of current W3C working drafts can be found at http://www.w3.org/TR/.
Please send comments to the editors (<[email protected]>, <[email protected]>) and cc: the list [email protected] (publicly archived).
Patent disclosures relevant to this specification may be found on the Working Group's patent disclosure page in conformance with W3C policy.
This document specifies a process for encrypting data and representing the
result in XML. The data may be arbitrary data (including an XML document), an
XML element, or XML element content. The result of encrypting data is an XML
Encryption EncryptedData
element which contains (via one of its
children's content) or identifies (via a URI reference) the cipher data.
When encrypting an XML element or element content the
EncryptedData
element replaces the element or content
(respectively) in the encrypted version of the XML document.
When encrypting arbitrary data (including entire XML documents), the
EncryptedData
element may become the root of a new XML document
or become a child element in an application-chosen XML document.
This specification uses XML schemas [XML-schema] to describe the content model.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in RFC2119 [KEYWORDS]:
"they MUST only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)"
Consequently, we use these capitalized keywords to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. These key words are not used (capitalized) to describe XML grammar; schema definitions unambiguously describe such requirements and we wish to reserve the prominence of these terms for the natural language descriptions of protocols and features. For instance, an XML attribute might be described as being "optional." Compliance with the XML-namespace specification [XML-NS] is described as "REQUIRED."
The design philosophy and requirements of this specification are addressed in the XML Encryption Requirements document [EncReq].
No provision is made for an explicit version number in this syntax. If a future version is needed, it will use a different namespace. The experimental XML namespace [XML-NS] URI that MUST be used by implementations of this (dated) specification is:
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
This namespace is also used as the prefix for algorithm identifiers used
by this specification. While applications MUST support XML and XML
namespaces, the use of internal entities
[XML, section 4.2.1] or our &xenc;
entity or "xenc
" XML namespace
prefix [XML-NS, section 2] and
defaulting/scoping conventions are OPTIONAL; we use these facilities to
provide compact and readable examples.
This specification makes use of the XML Signature [XML-DSIG] namespace and schema definitions
xmlns:ds='http://www.w3.org/2000/09/xmldsig#'
URIs [URI] MUST abide by the [XML-Schema] anyURI
type definition
and the [XML-DSIG, 4.3.3.1
The URI Attribute] specification (i.e., permitted characters, character
escaping, scheme support, etc.).
The contributions of the following Working Group members to this specification are gratefully acknowledged in accordance with the contributor policies and the active WG roster.
Additionally, we thank the following for their comments during and subsequent to Last Call:
This section provides an overview and examples of XML Encryption syntax. The formal syntax is found in Encryption Syntax (section 3); the specific processing is given in Processing Rules (section 4).
Expressed in shorthand form, the EncryptedData
element has the following
structure (where "?" denotes zero or one occurrence; "+" denotes one or more
occurrences; "*" denotes zero or more occurrences; and the empty element tag
means the element must be empty ):
<EncryptedData Id? Type?> <EncryptionMethod/>? <ds:KeyInfo> <EncryptedKey>? <AgreementMethod>? <ds:KeyName>? <ds:RetrievalMethod>? <ds:*>? </ds:KeyInfo>? <CipherData> <CipherValue>? <CipherReference URI?>? </CipherData> <EncryptionProperties>? </EncryptedData>
The CipherData
element envelopes or references the raw
encrypted data. If enveloping, the raw encrypted data is the
CipherValue
element's content; if referencing, the
CipherReference
element's URI
attribute points to
the location of the raw encrypted data
Consider the following fictitious payment information, which includes identification information and information appropriate to a payment method (e.g., credit card, money transfer, or electronic check):
<?xml version='1.0'?> <PaymentInfo xmlns='http://example.org/paymentv2'> <Name>John Smith</Name> <CreditCard Limit='5,000' Currency='USD'> <Number>4019 2445 0277 5567</Number> <Issuer>Example Bank</Issuer> <Expiration>04/02</Expiration> </CreditCar
d> </PaymentInf
o>
This markup represents that John Smith is using his credit card with a limit of $5,000USD.
Smith's credit card number is sensitive information! If the application
wishes to keep that information confidential, it can encrypt the
CreditCard
element:
<?xml version='1.0'?> <PaymentInfo xmlns='http://example.org/paymentv2'> <Name>John Smith</Name> <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'> <CipherData> <CipherValue>A23B45C56</CipherValue> </CipherDat
a> </EncryptedDat
a> </PaymentInf
o>
By encrypting the entire CreditCard
element from its start to
end tags, the identity of the element itself is hidden. (An eavesdropper
doesn't know whether he used a credit card or money transfer.) The
CipherData
element contains the encrypted serialization of the
CreditCard
element.
As an alternative scenario, it may be useful for intermediate agents to
know that John used a credit card with a particular limit, but not the card's
number, issuer, and expiration date. In this case, the content (character
data or children elements) of the CreditCard
element is
encrypted:
<?xml version='1.0'?> <PaymentInfo xmlns='http://example.org/paymentv2'> <Name>John Smith</Name> <CreditCard Limit='5,000' Currency='USD'> <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Content'> <CipherData> <CipherValue>A23B45C56</CipherValue> </CipherDat
a> </EncryptedDat
a> </CreditCar
d> </PaymentInf
o>
Or, consider the scenario in which all the information except the actual credit card number can be in the clear, including the fact that the Number element exists:
<?xml version='1.0'?> <PaymentInfo xmlns='http://example.org/paymentv2'> <Name>John Smith</Name> <CreditCard Limit='5,000' Currency='USD'> <Number> <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Content'> <CipherData> <CipherValue>A23B45C56</CipherValue> </CipherDat
a> </EncryptedDat
a> </Number> <Issuer>Example Bank</Issuer> <Expiration>04/02</Expiration> </CreditCar
d> </PaymentInf
o>
Both CreditCard
and Number
are in the clear, but
the character data content of Number
is encrypted.
If the application scenario requires all of the information to be encrypted, the whole document is encrypted as an octet sequence. This applies to arbitrary data including XML documents.
<?xml version='1.0'?> <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' MimeType='text/xml'> <CipherData> <CipherValue>A23B45C56</CipherValue> </CipherDat
a> </EncryptedDat
a>
An XML document may contain zero or more EncryptedData
elements. EncryptedData
cannot be the parent or child of another
EncryptedData
element. However, the actual data encrypted can be
anything, including EncryptedData
and EncryptedKey
elements (i.e., super-encryption). During super-encryption of an
EncryptedData
or EncryptedKey
element, one must
encrypt the entire element. Encrypting only the content of these elements, or
encrypting selected child elements is an invalid instance under the provided
schema.
For example, consider the following:
<pay:PaymentInfo
xmlns:pay='http://example.org/paymentv2'> <EncryptedData Id='ED1' xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Element'> <CipherData> <CipherValue>original
EncryptedData</CipherValue> </CipherDat
a> </EncryptedDat
a> </pay:PaymentInf
o>
A valid super-encryption of "//xenc:EncryptedData[@Id='ED1']
"
would be:
<pay:PaymentInfo
xmlns:pay='http://example.org/paymentv2'> <EncryptedData Id='ED2' xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Element'> <CipherData> <CipherValue>new
EncryptedData</CipherValue> </CipherDat
a> </EncryptedDat
a> </pay:PaymentInf
o>
where the CipherValue
content of
'newEncryptedData
' is the base64 encoding of the encrypted octet
sequence resulting from encrypting the EncryptedData
element
with Id='ED1'
.
EncryptedData
and EncryptedKey
UsageEncryptedData
with Symmetric Key (KeyName
)[s1] <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Element'/> [s2] <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#3des-cbc'/> [s3] <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> [s4] <ds:KeyName
>John Smith</ds:KeyNam
e> [s5] </ds:KeyInf
o> [s6] <CipherData><CipherValue>DEADBEEF</CipherValue></CipherDat
a> [s7] </EncryptedDat
a>
[s1]
The type of data encrypted may be represented as an
attribute value to aid in decryption and subsequent processing. In this case,
the data encrypted was an 'element'. Other alternatives include 'content' of
an element, or an external octet sequence which can also be identified via
the MimeType
and Encoding
attributes.
[s2]
This (3DES CBC) is a symmetric key cipher.
[s4]
The symmetric key has an associated name "John
Smith".
[s6]
CipherData
contains a
CipherValue
, which is a base64 encoded octet sequence.
Alternately, it could contain a CipherReference
, which is a URI
reference along with transforms necessary to obtain the encrypted data as an
octet sequence
EncryptedKey
(ReferenceList
, ds:RetrievalMethod
,
CarriedKeyName
)The following EncryptedData
structure is very similar to the
one above, except this time the key is referenced using a
ds:RetrievalMethod
:
[t01] <EncryptedData Id='ED' xmlns='http://www.w3.org/2001/04/xmlenc#'> [t02] <EncryptionMethod Algorithm='http://www.w3.org/2001/04/xmlenc#aes128-cbc'/> [t03] <ds:KeyInfo
xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> [t04] <ds:RetrievalMethod
URI='#EK' Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"> [t05] <ds:KeyNam
e>Sally Doe</ds:KeyNam
e> [t06] </ds:KeyInf
o> [t07] <CipherData><CipherValue>DEADBEEF</CipherValue></CipherDat
a> [t08] </EncryptedDat
a>
[t02]
This (AES-128-CBC) is a symmetric key cipher.
[t04]
ds:RetrievalMethod
is used to indicate the
location of a key with type &xenc;EncryptedKey
. The (AES)
key is located at '#EK'.
[t05]
ds:KeyName
provides an alternative method
of identifying the key needed to decrypt the CipherData
. Either
or both the ds:KeyName
and ds:KeyRetrievalMethod
could be used to identify the same key.
Within the same XML document, there existed an EncryptedKey
structure that was referenced within [t04]
:
[t09] <EncryptedKey Id='EK' xmlns='http://www.w3.org/2001/04/xmlenc#'> [t10] <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> [t11] <ds:KeyInfo
xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> [t12] <ds:KeyNam
e>John Smith</ds:KeyNam
e> [t13] </ds:KeyInf
o> [t14] <CipherData><CipherValue>xyzabc</CipherValue></CipherDat
a> [t15] <ReferenceList> [t16] <DataReference URI='#ED'/> [t17] </ReferenceLis
t> [t18] <CarriedKeyName>Sally Doe</CarriedKeyName> [t19] </EncryptedKe
y>
[t09]
The EncryptedKey
element is similar to the
EncryptedData
element except that the data encrypted is always a
key value.
[t10]
The EncryptionMethod
is the RSA public key
algorithm.
[t12]
ds:KeyName
of "John Smith" is a property
of the key necessary for decrypting (using RSA) the
CipherData
.
[t14]
The CipherData
's CipherValue
is an octet sequence that is processed (serialized, encrypted, and encoded)
by a referring encrypted object's EncryptionMethod
. (Note, an
EncryptedKey's EncryptionMethod
is the algorithm used to encrypt
these octets and does not speak about what type of octets they are.)
[t15-17]
A ReferenceList
identifies the
encrypted objects (DataReference
and KeyReference
)
encrypted with this key. The ReferenceList
contains a list of
references to data encrypted by the symmetric key carried within this
structure.
[t18]
The CarriedKeyName
element is used to
identify the encrypted key value which may be referenced by the
KeyName
element in ds:KeyInfo
. (Since ID attribute
values must be unique to a document,CarriedKeyName
can indicate
that several EncryptedKey
structures contain the same key value
encrypted for different recipients.)
This section provides a detailed description of the syntax and features for XML Encryption. Features described in this section MUST be implemented unless otherwise noted. The syntax is defined via [XML-Schema] with the following XML preamble, declaration, internal entity, and import:
Schema Definition:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE schema PUBLIC "-//W3C//DTD XMLSchema 200102//EN"
"http://www.w3.org/2001/XMLSchema.dtd"
[
<!ATTLIST schema
xmlns:xenc CDATA #FIXED 'http://www.w3.org/2001/04/xmlenc#'
xmlns:ds CDATA #FIXED 'http://www.w3.org/2000/09/xmldsig#'>
<!ENTITY xenc 'http://www.w3.org/2001/04/xmlenc#'>
<!ENTITY % p ''>
<!ENTITY % s ''>
]>
<schema xmlns='http://www.w3.org/2001/XMLSchema' version='1.0'
xmlns:ds='http://www.w3.org/2000/09/xmldsig#'
xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'
targetNamespace='http://www.w3.org/2001/04/xmlenc#'
elementFormDefault
='qualified'>
<import namespace='http://www.w3.org/2000/09/xmldsig#'
schemaLocation='http://www.w3.org/TR/2001/CR-xmldsig-core-20010419/xmldsig-core-schema.xsd'/>
EncryptedType
EncryptedType
is the abstract type from which
EncryptedData
and EncryptedKey
are derived. While
these two latter element types are very similar with respect to their content
models, a syntactical distinction is useful to processing. Implementation
MUST generate laxly schema valid [XML-schema]
EncryptedData
or EncryptedKey
as specified by the
subsequent schema declarations. (Note the laxly schema valid generation means
that the content permitted by xsd:ANY
need not be valid.)
Implementations SHOULD create these XML structures
(EncryptedType
elements and their descendents/content) in
Normalization Form C [NFC, NFC-Corrigendum].
Schema Definition: <complexType name='EncryptedType
' abstract='true'> <sequence> <element name='EncryptionMethod
' type='xenc:EncryptionMethodType
' minOccurs='0'/> <element ref='ds:KeyInfo
' minOccurs='0'/> <element ref='xenc:CipherData
'/> <element ref='xenc:EncryptionProperties' minOccurs='0'/> </sequence> <attribute name='Id' type='ID' use='optional'/> <attribute name='Type' type='anyURI' use='optional'/> <attribute name='MimeType' type='string' use='optional'/> <attribute name='Encoding' type='string' use='optional'/> </complexType>
EncryptionMethod
is an optional element that describes the
encryption algorithm applied to the cipher data. If the element is absent,
the encryption algorithm must be known by the recipient or the decryption
will fail.
ds:KeyInfo
is an optional element, defined by [XML-DSIG], that carries information about the key
used to encrypt the data. Subsequent sections of this specification define
new elements that may appear as children of ds:KeyInfo
.
CipherData
is a mandatory element that contains the
CipherValue
or CipherReference
with the encrypted
data.
EncryptionProperties
can contain additional information
concerning the generation of the EncryptedType
(e.g., date/time
stamp).
Id
is an optional attribute providing for the standard method
of assigning a string id to the element within the document context.
Type
is an optional attribute identifying type information
about the plaintext form of the encrypted content. While optional, this
specification takes advantage of it for mandatory processing described in Processing Rules: Decryption (section
4.2). If the EncryptedData
element contains data of
Type
'element' or element 'content', and replaces that data in
an XML document context, it is strongly recommended the Type
attribute be provided. Without this information, the decryptor will be unable
to automatically restore the XML document to its original cleartext form.
MimeType
is an optional (advisory) attribute which describes
the media type of the data which has been encrypted. The value of this
attribute is a string with values defined by [MIME].
For example, if the data that is encrypted is a base64 encoded PNG, the
Encoding
may be specified as 'base64' and the
MimeType
as 'image/png'. This attribute is purely advisory; no
validation of the MimeType
information is required and it does
not indicate the encryption application must do any additional processing.
Note, this information may not be necessary if it is already bound to the
identifier in the Type
attribute. For example, the Element and
Content types defined in this specification are always UTF-8 encoded text.
EncryptionMethod is an optional element that describes the encryption algorithm applied to the cipher data. If the element is absent, the encryption algorithm must be known by the recipient or the decryption will fail.
Schema Definition: <complexType name='EncryptionMethodType' mixed='true'> <sequence> <element name='KeySize' minOccurs='0' type='xenc:KeySizeType'/> <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/> </sequence> <attribute name='Algorithm' type='anyURI' use='required'/> </complexType>
The permitted child elements of the EncryptionMethod
are
determined by the specific value of the Algorithm
attribute URI,
and the KeySize
child element is always permitted. For example,
the RSA-OAEP algorithm (section 5.4.2) uses the
ds:DigestMethod
and OAEPparams
elements. (We rely
upon the ANY
schema construct because it is not possible to
specify element content based on the value of an attribute.)
The presence of any child element under EncryptionMethod
which is not permitted by the algorithm or the presence of a
KeySize
child inconsistent with the algorithm MUST be treated as
an error. (All algorithm URIs specified in this document imply a key size but
this is not true in general. Most popular stream cipher algorithms take
variable size keys.)
CipherData
ElementThe CipherData
is a mandatory element that provides the
encrypted data. It must either contain the encrypted octet sequence as base64
encoded text of the CipherValue
element, or provide a reference
to an external location containing the encrypted octet sequence via the
CipherReference
element.
Schema Definition: <element name='CipherData
' type='xenc:CipherDataType
'/> <complexType name='CipherDataType
'> <choice> <element name='CipherValue
' type='base64Binary'/> <element ref='xenc:CipherReference
'/> </choice> </complexType>
CipherReference
ElementIf CipherValue
is not supplied directly, the
CipherReference
identifies a source which, when processed,
yields the encrypted octet sequence.
The actual value is obtained as follows. The CipherReference
URI
contains an identifier that is dereferenced. Should the
CipherReference
element contain an OPTIONAL sequence of
Transform
s, the data resulting from dereferencing the URI is
transformed as specified so as to yield the intended cipher value. For
example, if the value is base64 encoded within an XML document; the
transforms could specify an XPath expression followed by a base64 decoding so
as to extract the octets.
The syntax of the URI
and Transforms
is similar
to that of [XML-DSIG]. However, there is a
difference between signature and encryption processing. In [XML-DSIG] both generation and validation processing
start with the same source data and perform that transform in the same order.
In encryption, the decryptor has only the cipher data and the specified
transforms are enumerated for the decryptor, in the order necessary to obtain
the octets. Consequently, because it has different semantics
Transforms
is in the &xenc;
namespace.
For example, if the relevant cipher value is captured within a
CipherValue
element within a different XML document, the
CipherReference
might look as follows:
<CipherReference URI="http://www.example.com/CipherValues.xml"> <Transforms> <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"> <ds:XPath xmlns:rep="http://www.example.org/repository"> self::text()[parent::rep:CipherValue[@Id="example1"]] </ds:XPath> </ds:Transform> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#base64"/> </Transforms> </CipherReference>
Implementations MUST support the CipherReference
feature and
the same URI encoding, dereferencing, scheme, and HTTP response codes as that
of [XML-DSIG]. The Transform
feature
and particular transform algorithms are OPTIONAL.
Schema Definition: <element name='CipherReference
' type='xenc:CipherReferenceType
'/> <complexType name='CipherReferenceType
'> <sequence> <element name='Transforms' type='xenc:TransformsType' minOccurs='0'/> </sequence> <attribute name='URI' type='anyURI' use='required'/> </complexType> <complexType name='TransformsType'> <sequence> <element ref='ds:Transform' maxOccurs='unbounded'/> </sequence> </complexType>
EncryptedData
ElementThe EncryptedData
element is the core element in the syntax.
Not only does its CipherData
child contain the encrypted data,
but it's also the element that replaces the encrypted element, or serves as
the new document root.
Schema Definition: <element name='EncryptedData
' type='xenc:EncryptedDataType
'/> <complexType name='EncryptedDataType
'> <complexContent> <extension base='xenc:EncryptedType
'> </extension> </complexContent> </complexType>
ds:KeyInfo
ElementThere are three ways that the keying material needed to decrypt
CipherData
can be provided:
EncryptedData
or EncryptedKey
element
specify the associated keying material via a child of
ds:KeyInfo
. All of the child elements of
ds:KeyInfo
specified in [XML-DSIG] MAY be used as qualified:
ds:KeyValue
to
transport the encryption key is obviously NOT RECOMMENDED.ds:KeyName
to refer to an
EncryptedKey
CarriedKeyName
is
RECOMMENDED.ds:RetrievalMethod
is
REQUIRED.In addition, we provide two additional child elements: applications
MUST support EncryptedKey
(section 3.5.1) and MAY support AgreementMethod
(section 5.5).
ds:KeyInfo
)
EncryptedKey
element can specify the
EncryptedData
or EncryptedKey
to which its
decrypted key will apply via a DataReference
or KeyReference
(section
3.6).EncryptedKey
ElementType="http://www.w3.org/2001/04/xmlenc#EncryptedKey"
(This can be used within a ds:RetrievalMethod
element
to identify the referent's type.)
The EncryptedKey
element is used to transport encryption keys
from the originator to a known recipient(s). It may be used as a stand-alone
XML document, be placed within an application document, or appear inside an
EncryptedData
element as a child of a ds:KeyInfo
element. The key value is always encrypted to the recipient(s). When
EncryptedKey
is decrypted the resulting octets are made
available to the EncryptionMethod
algorithm without any
additional processing.
Schema Definition: <element name='EncryptedKey
' type='xenc:EncryptedKeyType
'/> <complexType name='EncryptedKeyType
'> <complexContent> <extension base='xenc:EncryptedType
'> <sequence> <element ref='xenc:ReferenceList
' minOccurs='0'/> <element name='CarriedKeyName
' type='string' minOccurs='0'/> </sequence> <attribute name='Recipient' type='string' use='optional'/> </extension> </complexContent> </complexType>
ReferenceList
is an optional element containing pointers to
data and keys encrypted using this key. The reference list may contain
multiple references to EncryptedKey
and
EncryptedData
elements. This is done using
KeyReference
and DataReference
elements
respectively. These are defined below.
CarriedKeyName
is an optional element for associating a user
readable name with the key value. This may then be used to reference the key
using the ds:KeyName
element within ds:KeyInfo
. The
same CarriedKeyName
label, unlike an ID type, may occur multiple
times within a single document. The value of the key is to be the same in all
EncryptedKey
elements identified with the same
CarriedKeyName
label within a single XML document. Note that
because whitespace is significant in the value of the ds:KeyName
element, whitespace is also significant in the value of the
CarriedKeyName
element.
Recipient
is an optional attribute that contains a hint as to
which recipient this encrypted key value is intended for. Its contents are
application dependent.
The Type
attribute inheritted from EncryptedType
can be used to further specify the type of the encrypted key if the
EncryptionMethod
Algorithm
does not define a
unambiguous encoding/representation. (Note, all the algorithms in this
specification have an unambigous representation for their associated key
structures.)
ds:RetrievalMethod
ElementThe ds:RetrievalMethod
[XML-DSIG]
with a Type
of
'http://www.w3.org/2001/04/xmlenc#EncryptedKey
' provides a way
to express a link to an EncryptedKey
element containing the key
needed to decrypt the CipherData
associated with an
EncryptedData
or EncryptedKey
element. The
ds:RetrievalMethod
with this type is always a child of the
ds:KeyInfo
element and may appear multiple times. If there is
more than one instance of a ds:RetrievalMethod
in a
ds:KeyInfo
of this type, then the EncryptedKey
objects referred to must contain the same key value, possibly encrypted in
different ways or for different recipients.
Schema Definition:
<!--
<attribute name='Type' type='anyURI' use='optional'
fixed='http://www.w3.org/2001/04/xmlenc#EncryptedKey
' />
-->
ReferenceList
ElementReferenceList
is an element that contains pointers from a key
value of an EncryptedKey
to items encrypted by that key value
(EncryptedData
or EncryptedKey
elements).
Schema Definition: <element name='ReferenceList
'> <complexType> <choice> <element name='DataReference
' type='xenc:ReferenceType
' minOccurs='0' maxOccurs='unbounded'/> <element name='KeyReference
' type='xenc:ReferenceType
' minOccurs='0' maxOccurs='unbounded'/> </choice> </complexType> </element> <complexType name='ReferenceType
'> <sequence> <any namespace='##other' minOccurs='0' maxOccurs='unbounded'/> </sequence> <attribute name='URI' type='anyURI' use='required'/> </complexType>
DataReference
elements are used to refer to
EncryptedData
elements that were encrypted using the key defined
in the enclosing EncryptedKey
element. Multiple
DataReference
elements can occur if multiple
EncryptedData
elements exist that are encrypted by the same
key.
KeyReference
elements are used to refer to
EncryptedKey
elements that were encrypted using the key defined
in the enclosing EncryptedKey
element. Multiple
KeyReference
elements can occur if multiple
EncryptedKey
elements exist that are encrypted by the same
key.
For both types of references one may optionally specify child elements to
aid the recipient in retrieving the EncryptedKey
and/or
EncryptedData
elements. These could include information such as
XPath transforms, decompression transforms, or information on how to retrieve
the elements from a document storage facility. For example:
<ReferenceList> <DataReference URI="#invoice34"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116"> <ds:XPath xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> self::xenc:EncryptedData[@Id="example1"] </ds:XPath> </ds:Transform> </ds:Transforms> </DataReference> </ReferenceList>
EncryptionProperties
ElementType="http://www.w3.org/2001/04/xmlenc#EncryptionProperties"
(This can be used within a ds:Reference
element to
identify the referent's type.)
Additional information items concerning the generation of the
EncryptedData
or EncryptedKey
can be placed in an
EncryptionProperty
element (e.g., date/time stamp or the serial
number of cryptographic hardware used during encryption). The
Target
attribute identifies the EncryptedType
structure being described. anyAttribute
permits the inclusion of
attributes from the XML namespace to be included (i.e.,
xml:space
, xml:lang
, and xml:base
).
Schema Definition: <element name='EncryptionProperties' type='xenc:EncryptionPropertiesType'/> <complexType name='EncryptionPropertiesType'> <sequence> <element ref='xenc:EncryptionProperty' maxOccurs='unbounded'/> </sequence> <attribute name='Id' type='ID' use='optional'/> </complexType> <element name='EncryptionProperty' type='xenc:EncryptionPropertyType'/> <complexType name='EncryptionPropertyType' mixed='true'> <choice maxOccurs='unbounded'> <any namespace='##other' processContents='lax'/> </choice> <attribute name='Target' type='anyURI' use='optional'/> <attribute name='Id' type='ID' use='optional'/> <anyAttribute namespace="http://www.w3.org/XML/1998/namespace"/> </complexType>
This section describes the operations to be performed as part of encryption and decryption processing by implementations of this specification. The conformance requirements are specified over the following roles:
For each data item to be encrypted as an EncryptedData
or
EncryptedKey
(elements derived from EncryptedType
),
the encryptor must:
ds:KeyInfo
as approriate
(e.g., ds:KeyName
, ds:KeyValue
,
ds:RetrievalMethod
, etc.)EncryptedKey
element by recursively applying this
encryption process. The result may then be a child of
ds:KeyInfo
, or it may exist elsewhere and may be
identified in the preceding step.The definition of this type as bound to an identifier specifies
how to obtain and interpret the plaintext octets after decryption.
For example, the idenifier could indicate that the data is an
instance of another application (e.g., some XML compression
application) that must be further processed. Or, if the data is a
simple octet sequence it MAY be described with the
MimeType
and Encoding
attributes. For
example, the data might be an XML document
(MimeType="text/xml"
), sequence of characters
(MimeType="text/plain"
), or binary image data
(MimeType="image/png
").
EncryptedType
(EncryptedData
or
EncryptedKey
) structure:
An EncryptedType
structure represents all of the
information previously discussed including the type of the encrypted
data, encryption algorithm, parameters, key, type of the encrypted data,
etc.
CipherData
element within the
EncryptedType
, then the encrypted octet sequence is
base64 encoded and inserted as the content of a
CipherValue
element.EncryptedType
structure, then store or return the
encrypted octet sequence, and represent the URI and transforms (if
any) required for the decryptor to retrieve the encrypted octet
sequence within a CipherReference
element.Type
of the encrypted data is 'element'
or element 'content',
then the encryptor MUST be able to return the
EncryptedData
element to the
application. The application MAY
use this as the top-level element in a new XML document or insert it
into another XML document, which may require a re-encoding.
The encryptor SHOULD be able to replace the
unencrypted 'element' or 'content' with the EncryptedData element.
When an application requires an XML element or
content to be replaced, it supplies the XML document context in
addition to identifying the element or content to be replaced. The
encryptor removes the identified element or content
and inserts the EncryptedData
element in its place.
(Note: If the Type
is "content" the document
resulting from decryption will not be well-formed if (a) the original
plaintext was not well-formed (e.g., PCDATA by itself is not
well-formed) and (b) the EncryptedData
element was
previously the root element of the document)
Type
of the encrypted data is not 'element'
or element 'content',
then the encryptor MUST always return the
EncryptedData
element to the
application. The application MAY
use this as the top-level element in a new XML document or insert it
into another XML document, which may require a re-encoding.For each EncryptedType
derived element, (i.e.,
EncryptedData
or EncryptedKey
), to be decrypted,
the decryptor must:
ds:KeyInfo
element to be used. If some information is
omitted, the application MUST supply it.ds:KeyInfo
element, which may contain one or more children elements. These children
have no implied processing order. If the data encryption key is
encrypted, locate the corresponding key to decrypt it. (This may be a
recursive step as the key-encryption key may itself be encrypted.) Or,
one might retrieve the data encryption key from a local store using the
provided attributes or implicit binding.CipherData
element.
CipherValue
child element is present, then the
associated text value is retrieved and base64 decoded so as to obtain
the encrypted octet sequence.CipherReference
child element is present, the URI
and transforms (if any) are used to retrieve the encrypted octet
sequence.Type
'element'
or element 'content'.
Type
and the UTF-8 encoded XML character data. The
decryptor is NOT REQUIRED to perform validation on
the serialized XML.EncryptedData
element with the decrypted 'element'
or element 'content'
represented by the UTF-8 encoded characters. The
decryptor is NOT REQUIRED to perform validation on
the result of this replacement operation.
The application supplies the XML document context and identifies
the EncryptedData
element being replaced. If the
document into which the replacement is occurring is not UTF-8, the
decryptor MUST transcode the UTF-8 encoded
characters into the target encoding.
Type
is unspecified or is
not 'element'
or element 'content'.
Type
, MimeType
,
and Encoding
attribute values when specified.
MimeType
and Encoding
are advisory. The
Type
value is normative as it may contain information
necessary for the processing or interpration of the data by the
application.EncryptedKey
. The cleartext octet sequence represents a
key value and is used by the application in decrypting other
EncryptedType
element(s).Encryption and decryption operations are transforms on octets. The application is responsible for the marshalling XML such that it can be serialized into an octet sequence, encrypted, decrypted, and be of use to the recipient.
For example, if the application wishes to canonicalize its data or
encode/compress the data in an XML packaging format, the application needs to
marshal the XML accordingly and identify the resulting type via the
EncryptedData
Type
attribute. The likelihood of
successful decryption and subsequent processing will be dependent on the
recipient's support for the given type. Also, if the data is intended to be
processed both before encryption and after decryption (e.g., XML Signature
[XML-DSIG] validation or an XSLT transform) the
encrypting application must be careful to preserve information necessary for
that process's success.
For interoperability purposes, the following types MUST be implemented.
EmptyElemTag
| STag
content
ETag"
[XML]CharData
?
((element
| Reference
| CDSect
| PI |
Comment)
CharData
?)*"
[XML]This section discusses algorithms used with the XML Encryption
specification. Entries contain the identifier to be used as the value of the
Algorithm
attribute of the EncryptionMethod
element
or other element representing the role of the algorithm, a reference to the
formal specification, definitions for the representation of keys and the
results of cryptographic operations where applicable, and general
applicability comments.
All algorithms listed below have implicit parameters depending on their role. For example, the data to be encrypted or decrypted, keying material, and direction of operation (encrypting or decrypting) for encryption algorithms. Any explicit additional parameters to an algorithm appear as content elements within the element. Such parameter child elements have descriptive element names, which are frequently algorithm specific, and SHOULD be in the same namespace as this XML Encryption specification, the XML Signature specification, or in an algorithm specific namespace. An example of such an explicit parameter could be a nonce (unique quantity) provided to a key agreement algorithm.
This specification defines a set of algorithms, their URIs, and requirements for implementation. Levels of requirement specified, such as "REQUIRED" or "OPTIONAL", refere to implementation, not use. Furthermore, the mechanism is extensible, and alternative algorithms may be used.
The table below lists the categories of algorithms. Within each category, a brief name, the level of implementation requirement, and an identifying URI are given for each algorithm.
Block encryption algorithms are designed for encrypting and decrypting
data in fixed size, multiple octet blocks. Their identifiers appear as the
value of the Algorithm
attributes of
EncryptionMethod
elements that are children of
EncryptedData
.
Block encryption algorithms take, as implicit arguments, the data to be encrypted or decrypted, the keying material, and their direction of operation. For all of these algorithms specified below, an initialization vector (IV) is required that is encoded with the cipher text. For user specified block encryption algorithms, the IV, if any, could be specified as being with the cipher data, as an algorithm content element, or elsewhere.
The IV is encoded with and before the cipher text for the algorithms below for ease of availability to the decryption code and to emphasize its association with the cipher text. Good cryptographic practice requires that a different IV be used for every encryption.
Since the data being encrypted is an arbitrary number of octets, it may
not be a multiple of the block size. This is solved by padding the plain text
up to the block size before encryption and unpadding after decrytion. The
padding algorithm is to calculate the smallest non-zero number of octets, say
N
, that must be suffixed to the plain text to bring it up to a
multiple of the block size. We will assume the block size is B
octets so N
is in the range of 1 to B
. Pad by
suffixing the plain text with N-1
arbitrary pad bytes and a
final byte whose value is N
. On decryption, just take the last
byte and, after sanity checking it, strip that many bytes from the end of the
decrypted cipher text.
For example, assume an 8 byte block size and plain text of
0x616263
. The padded plain text would then be
0x616263????????05
where the "??" bytes can be any value.
Similarly, plain text of 0x2122232425262728
would be padded to
0x2122232425262728??????????????08
.
ANSI X9.52 [TRIPLEDES] specifies three sequential FIPS 46-3 [DES] operations. The XML Encryption TRIPLEDES consists of a DES encrypt, a DES decrypt, and a DES encrypt used in the Cipher Block Chaining (CBC) mode with 192 bits of key and a 64 bit Initialization Vector (IV). Of the key bits, the first 64 are used in the first DES operation, the second 64 bits in the middle DES operation, and the third 64 bits in the last DES operation.
Note: Each of these 64 bits of key contain 56 effective bits and 8 parity bits. Thus there are only 168 operational bits out of the 192 being transported for a TRIPLEDES key. (Depending on the criterion used for analysis, the effective strength of the key may be thought to be 112 bits (due to meet in the middle attacks) or even less.)
The resulting cipher text is prefixed by the IV. If included in XML output, it is then base64 encoded. An example TRIPLEDES EncryptionMethod is as follows:
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
[AES] is used in the Cipher Block Chaining (CBC) mode with a 128 bit initialization vector (IV). The resulting cipher text is prefixed by the IV. If included in XML output, it is then base64 encoded. An example AES EncryptionMethod is as follows:
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
Simple stream encryption algorithms generate, based on the key, a stream
of bytes which are XORed with the plain text data bytes to produce the cipher
text on encryption and with the cipher text bytes to produce plain text on
decryption. They are normally used for the encryption of data and are
specified by the value of the Algorithm
attribute of the
EncryptionMethod
child of an EncryptedData
element.
NOTE: It is critical that each simple stream encryption key (or key and initialization vector (IV) if an IV is also used) be used once only. If the same key (or key and IV) is ever used on two messages then, by XORing the two cipher texts, you can obtain the XOR of the two plain texts. This is usually very compromising.
No specific steam encryption algorithms are specified herein but this section is included to provide general guidelines.
Stream algorithms typically use the optional KeySize
explicit
parameter. In cases where the key size is not apparent from the algorithm URI
or key source, as in the use of key agreement methods, this parameter sets
the key size. If the size of the key to be used is apparent and disagrees
with the KeySize
parameter, an error MUST be returned.
Implementation of any stream algorithms is optional. The schema for the
KeySize parameter is as follows:
Schema Definition: <simpleType name='KeySizeType'> <restriction base="integer"/> </simpleType>
Key Transport algorithms are public key encryption algorithms especially
specified for encrypting and decrypting keys. Their identifiers appear as
Algorithm
attributes to EncryptionMethod
elements
that are children of EncryptedKey
. EncryptedKey
is
in turn the child of a ds:KeyInfo
element. The type of key being
transported, that is to say the algorithm in which it is planned to use the
transported key, is given by the Algorithm
attribute of the
EncryptionMethod
child of the EncryptedData
or
EncryptedKey
parent of this ds:KeyInfo
element.
(Key Transport algorithms may optionally be used to encrypt data in which
case they appear directly as the Algorithm
attriubte of an
EncryptionMethod
child of an EncryptedData
element.
Because they use public key algorithms directly, Key Transport algorithms are
not efficient for the transport of any amounts of data significantly larger
than symmetric keys.)
The Key Transport algorithms given below are those used in conjunction with the Cryptographic Message Syntax (CMS) of S/MIME [CMS-Algorithms, CMS-AES].
The RSAES-PKCS1-v1_5 algorithm, specified in RFC 2437 [PKCS1], takes no explicit parameters. An example of an
RSA Version 1.5 EncryptionMethod
element is:
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
The CipherValue
for such an encrypted key is the base64 [MIME] encoding of the octet string computed as per RFC
2437 [PKCS1, section 7.2.1: Encryption operation].
As specified in the EME-PKCS1-v1_5 function RFC 2437 [PKCS1, section 9.1.2.1], the value input to the key
transport function is as follows:
CRYPT ( PAD ( KEY ))
where the padding is of the following special form:
02 | PS* | 00 | key
where "|" is concatenation, "02" and "00" are fixed octets of the corresponding hexadecimal value, PS is a string of strong pseudo-random octets [RANDOM] at least eight octets long, containing no zero octets, and long enough that the value of the quantity being CRYPTed is one octet shorter than the RSA modulus, and "key" is the key being transported. The key is 192 bits for TRIPLEDES and 128, 192, or 256 bits for AES. Support of this key transport algorithm for transporting 192 bit keys is mandatory to implement. Support of this algorithm for transporting other keys is optional. RAS-OAEP is recommended for the transport of AES keys.
The resulting base64 [MIME] string is the value of
the child text node of the CipherData
element, e.g.
<CipherData> IWijxQjUrcXBYoCei4QxjWo9Kg8D3p9tlWoT4 t0/gyTE96639In0FZFY2/rvP+/bMJ01EArmKZsR5VW3rwoPxw= </CipherData>
THE RSAES-OAEP-ENCRYPT, as specified in RFC 2437 [PKCS1], algorithm takes as explicit parameters a
message digest function and an optional octet string OAEPparams
.
The message digest function is indicated by the Algorithm
attribute of a child ds:DigestMethod
element and the octet
string is the base64 decoding of the content of an optional
OAEPparams
child element.
Schema Definition: <element ref='ds:DigestMethod' minOccurs='0'/> <element name='OAEPparams' minOccurs='0' type='base64Binary'/>
An example of an RSA-OAEP element is:
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <OAEPparams> 9lWu3Q== </OAEPparams> <EncryptionMethod>
The CipherValue
for an RSA-OAEP encrypted key is the base64
[MIME] encoding of the octet string computed as per
RFC 2437 [PKCS1, section 7.1.1: Encryption
operation]. As described in the EME-OAEP-ENCODE function RFC 2437 [PKCS1, section 9.1.1.1], the value input to the key
transport function is calculated using the message digest function and string
specified in the DigestMethod
and OAEPparams
elements and using the mask generator function MGF1 specified in RFC 2437.
The desired output length for EME-OAEP-ENCODE is one byte shorter than the
RSA modulus.
The transported key size is 192 bits for TRIPLEDES and 128, 192, or 256 bits for AES. Implementations MUST implement RSA-OAEP for the transport of 128 and 256 bit keys. They MAY implement RSA-OAEP for the transport of other keys.
A Key Agreement algorithm provides for the derivation of a shared secret
key based on a shared secret computed from certain types of compatible public
keys from both the sender and the recipient. Information from the originator
to determine the secret is indicated by an optional
OriginatorKeyInfo
parameter child of an
AgreementMethod
element while that associated with the recipient
is indicated by an optional RecipientKeyInfo
. A shared key is
derived from this shared secret by a method determined by the Key Agreement
algorithm.
Note: XML Encryption does not provide an on-line key agreement negotiation
protocol. The AgreementMethod
element can be used by the
originator to identify the keys and computational procedure that were used to
obtain a shared encryption key. The method used to obtain or select the keys
or algorithm used for the agreement computation is beyond the scope of this
specification.
The AgreementMethod
element appears as the content of a
ds:KeyInfo
since, like other ds:KeyInfo
children,
it yields a key. This ds:KeyInfo
is in turn a child of an
EncryptedData
or EncryptedKey
element. The
Algorithm
attribute and KeySize
child of the
EncryptionMethod
element under this EncryptedData
or EncryptedKey
element are implicit parameters to the key
agreement computation. In cases where this EncryptionMethod
algorithm URI is insufficient to determine the key length, a
KeySize
MUST have been included. In addition, the sender may
place a KA-Nonce
element under AgreementMethod
to
assure that different keying material is generated even for repeated
agreements using the same sender and recipient public keys. For example:
<EncryptedData> <EncryptionMethod Algorithm="Example:Block/Alg" <KeySize>80</KeySize> </EncryptionMethod> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <AgreementMethod Algorithm="Example:Agreement/Algorithm"> <KA-Nonce>Zm9v</KA-Nonce> <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha1"> <OriginatorKeyInfo> <ds:KeyValue>...originator...</ds:KeyValue> </OriginatorKeyInfo> <RecipientKeyInfo> <ds:KeyValue>...recipient...</ds:KeyValue> </RecipientKeyInfo> </AgreementMethod> </ds:KeyInfo> <CipherData>...</CipherData> </EncryptedData>
If the agreed key is being used to wrap a key, rather than data as above,
then AgreementMethod
would appear inside a
ds:KeyInfo
inside an EncryptedKey
element.
The Schema for AgreementMethod
is as follows:
Schema Definition: <element name="AgreementMethod" type="xenc:AgreementMethodType"/> <complexType name="AgreementMethodType" mixed="true"> <sequence> <element name="KA-Nonce" minOccurs="0" type="base64Binary"/> <element ref="ds:DigestMethod" minOccurs="0"/> <element name="OriginatorKeyInfo" minOccurs="0" type="ds:KeyInfoType"/> <element name="RecipientKeyInfo" minOccurs="0" type="ds:KeyInfoType"/> <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/> </sequence> <attribute name="Algorithm" type="anyURI" use="required"/> </complexType>
Diffie-Hellman keys can appear directly within KeyValue
elements or be obtained by ds:RetrievalMethod
fetches as well as
appearing in certificates and the like. The above identifier can be used as
the value of the Type
attribute of Reference
or
ds:RetrievalMethod
elements.
As specified in [ESDH], a DH public key consists
of up to six quantities, two large primes p and q, a "generator" g, the
public key, and validation parameters "seed" and "pgenCounter". These relate
as follows: The public key = ( g**x mod p ) where x is the corresponding
private key; p = j*q + 1 where j >= 2. "seed" and "pgenCounter" are
optional and can be used to determine if the Diffie-Hellman key has been
generated in conformance with the algorithm specified in [ESDH]. Because the primes and generator can be safely
shared over many DH keys, they may be known from the application environment
and are optional. The schema for a DHKeyValue
is as follows:
Schema:
<element name="DHKeyValue" type="xenc:DHKeyValueType"/>
<complexType name="DHKeyValueType">
<sequence>
<sequence minOccurs="0">
<element name="P" type="ds:CryptoBinary"/>
<element name="Q" type="ds:CryptoBinary"/>
<element name="Generator"type="ds:CryptoBinary"/>
</sequence>
<element name="Public" type="ds:CryptoBinary"/>
<sequence minOccurs="0">
<element name="seed" type="ds:CryptoBinary"/>
<element name="pgenCounter" type="ds:CryptoBinary"/>
</sequence&gy;
</sequence>
</complexType>
The Diffie-Hellman (DH) key agreement protocol [ESDH] involves the derivation of shared secret
information based on compatible DH keys from the sender and recipient. Two DH
public keys are compatible if they have the same prime and generator. If, for
the second one, Y = g**y mod p
, then the two parties can
calculate the shared secret ZZ = ( g**(x*y) mod p )
even though
each knows only their own private key and the other party's public key.
Leading zero bytes MUST be maintained in ZZ
so it will be the
same length, in bytes, as p
. The size of p
MUST be
at least 512 bits and g
at least 160 bits. There are numerous
other complex security considerations in the selection of g
,
p
, and a random x
as described in [ESDH].
Diffie-Hellman key agreement is optional to implement. An example of a DH
AgreementMethod
element is as follows:
<AgreementMethod Algorithm="http://www.w3.org/2001/04/xmlenc#dh" ds:xmlns="http://www.w3.org/2000/09/xmldsig#"> <KA-Nonce>Zm9v</KA-Nonce> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <OriginatorKeyInfo> <ds:X509Data><ds:X509Certificate> ... </ds:X509Certificate></ds:X509Data> </OriginatorKeyInfo> <RecipientKeyInfo><ds:KeyValue> ... </ds:KeyValue></RecipientKeyInfo> </AgreementMethod>
Assume the Diffie-Hellman shared secret is the octet sequence
ZZ
. The shared keying material needed will then be calculated as
follows:
Keying Material = KM(1) | KM(2) | ...
where "|" is byte stream concatenation and
KM(counter) = DigestAlg ( ZZ | counter | EncryptionAlg | KA-Nonce | KeySize )
DigestAlg
DigestMethod
child of AgreementMethod
.EncryptionAlg
Algorithm
attribute of the EncryptionMethod
child of the
EncryptedData
or EncryptedKey
grandparent of
AgreementMethod
.KA-Nonce
KA-Nonce
child of
AgreementMethod
, if present. If the KA-Nonce
element is absent, it is null.Counter
KeySize
For example, the initial (KM(1))
calculation for the
EncryptionMethod
of the Key
Agreement example (section 5.5) would be as follows, where the binary one
byte counter value of 1 is represented by the two character UTF-8 sequence
01
, ZZ
is the shared secret, and "foo
"
is the base64 decoding of "Zm9v
".
SHA-1 ( ZZ01Example:Block/Algfoo80 )
Assuming that ZZ
is 0xDEADBEEF
, that would be
SHA-1 ( 0xDEADBEEF4578616D706C652F416C673031666F6F3830 )
whose value is
0x2D8CD81DB07FB45231524E339FFACF8079E5162C
Each application of DigestAlg
for successive values of
Counter
will produce some additional number of bytes of keying
material. From the concatenated string of one or more KM
's,
enough leading bytes are taken to meet the need for an actual key and the
remainder discarded. For example, if DigestAlg
is SHA1 which
produces 20 octets of hash, then for 128 bit AES the first 16 bytes from
KM(1)
would be taken and the remaining 4 bytes discarded. For
256 bit AES, all of KM(1)
suffixed with the first 12 bytes of
KM(2) would be taken and the remaining 8 bytes of KM(2)
discarded.
Symmetric Key Wrap algorithms are shared secret key encryption algorithms
especially specified for encrypting and decrypting symmetric keys. Their
identifiers appear as Algorithm
attribute values to
EncryptionMethod
elements that are children of
EncryptedKey
which is in turn a child of ds:KeyInfo
which is in turn a child of EncryptedData
or another
EncryptedKey
. The type of the key being wrapped is indicated by
the Algorithm
attribute of EncryptionMethod
child
of the parent of the ds:KeyInfo
grandparent of the
EncryptionMethod
specifying the symmetric key wrap algorithm.
Some key wrap algorithms make use of the key checksum defined in CMS [CMS-Wrap]. This is used to provide an integrity check value for the key being wrapped. The algorithm is
XML Encryption implementations MUST support TRIPLEDES wrapping of 168 bit keys and may optionally support TRIPLEDES wrapping of other keys.
An example of a TRIPLEDES Key Wrap EncryptionMethod
element
is a as follows:
<EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#kw-tripledes"/>
The following algorithm wraps (encrypts) a key (the wrapped key, WK) under a TRIPLEDES key-encryption-key (KEK) as specified in [CMS-Algorithms]:
WKCKS = WK || CKS
, where || is concatenation.TEMP2 = IV || TEMP1
.TEMP2
and call the
result TEMP3
.TEMP3
in CBC mode using the KEK
and
an initialization vector of 0x4adda22c79e82105
. The
resulting cipher text is the desired result. It is 40 octets long if a
168 bit key is being wrapped.The following algorithm unwraps (decrypts) a key as specified in [CMS-Algorithms]:
KEK
and an initialization vector (IV) of
0x4adda22c79e82105
. Call the output TEMP3
.TEMP2
.TEMP1
,
the remaining octets.KEK
and the IV found in the previous step. Call the result
WKCKS
.WKCKS
. CKS
is the last 8 octets and
WK
, the wrapped key, are those octets before the
CKS
.WK
and compare with the CKS
extracted in the above step. If they are not equal, return error.WK
is the wrapped key, now extracted for use in data
decryption.Implementation of AES key wrap is described below, as suggested by NIST.
It provides for confidentiality and integrity. This algorithm is defined only
for inputs which are a multiple of 64 bits. The information wrapped need not
actually be a key. The algorithm is the same whatever the size of the AES key
used in wrapping, called the key encrypting key or KEK
. The
implementation requirements are indicated below.
Assume tha the data to be wrapped consists of N
64-bit data
blocks denoted P(1)
, P(2)
, P(3)
...
P(N)
. The result of wrapping will be N+1
64-bit
blocks denoted C(0)
, C(1)
, C(2)
, ...
C(N)
. They key encrypting key is represented by K
.
Assume integers i
, j
, and t
and
intermediate 64-bit register A
, 128-bit register B
,
and array of 64-bit quantities R(1)
through
R(N)
.
"|" represents concatentation so x|y
, where x
and y
and 64-bit quantities, is the 128-bit quantity with
x
in the most significant bits and y
in the least
significant bits. AES(K)enc(x)
is the operation of AES
encrypting the 128-bit quantity x
under the key K
.
AES(K)dec(x)
is the corresponding decryption opteration.
XOR(x,y)
is the bitwise exclusive or of x
and
y
. MSB(x)
and LSB(y)
are the most
significant 64 bits and least significant 64 bits of x and y respectively.
If N
is 1, a single AES operation is performed for wrap or
unwrap. If N>1
, then 6*N
AES operations are
performed for warp or unwrap.
The key wrap algorithm is as follows:
N
is 1
:
B=AES(K)enc(0xA6A6A6A6A6A6A6A6|P(1)
)C(0)=MSB(B)
C(1)=LSB(B)
N>1
, perform the following steps:A
to 0xA6A6A6A6A6A6A6A6
i=1
to N
,R(i)=P(i)
j=0
to 5
,
i=1
to N
,t= i + j*N
B=AES(K)enc(A|R(i))
A=XOR(t,MSB(B))
R(i)=LSB(B)
C(0)=A
i=1
to N
,C(i)=R(i)
The key unwrap algorithm is as follows:
N
is 1
:
B=AES(K)dec(C(0)|C(1))
P(1)=LSB(B)
MSB(B)
is 0xA6A6A6A6A6A6A6A6
, return
success. Otherwise, return an integrity check failure error.N
>1, perform the following steps:A=C(0)
i=1
to N
,R(i)=C(i)
j=5
to 0
,
i=N
to 1
,t= i + j*N
B=AES(K)dec(XOR(t,A)|R(i))
A=MSB(B)
R(i)=LSB(B)
i=1
to N
,P(i)=R(i)
A
is 0xA6A6A6A6A6A6A6A6
, return
success. Otherwise, return an integrity check failure error.For example, wrapping the data
0x00112233445566778899AABBCCDDEEFF
with the KEK
0x000102030405060708090A0B0C0D0E0F
produces the ciphertext of
0x1FA68B0A8112B447
, 0xAEF34BD8FB5A7B82
,
0x9D3E862371D2CFE5
.
Message digest algorithms can be used in AgreementMethod
as
part of the key derivation, within RSA-OAEP encryption as a hash function,
and in connection with the HMAC message authentication code method as
described in [XML-DSIG].)
The SHA-1 algorithm [SHA] takes no explicit
parameters. XML encryption implementations MUST implement SHA-1. An example
of an SHA-1 DigestMethod
element is:
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
A SHA-1 digest is a 160-bit string. The content of the
DigestValue
element shall be the base64 encoding of this bit
string viewed as a 20-octet octet stream. For example, the
DigestValue
element for the message digest:
A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
from Appendix A of the SHA-1 standard would be:
<DigestValue>qZk+NkcGgWq6PiVxeFDCbJzQ2J0=</DigestValue>
The SHA-256 algorithm [SHA] takes no explicit
parameters. It is RECOMMENDED that XML encryption implementations implement
SHA-256. An example of an SHA-256 DigestMethod
element is:
<DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
A SHA-256 digest is a 256-bit string. The content of the
DigestValue
element shall be the base64 encoding of this bit
string viewed as a 32-octet octet stream.
The SHA-512 algorithm [SHA] takes no explicit
parameters. An example of an SHA-512 DigestMethod
element is:
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
A SHA-512 digest is a 512-bit string. The content of the
DigestValue
element shall be the base64 encoding of this bit
string viewed as a 64-octet octet stream.
The RIPEMD-160 algorithm [RIPEMD-160] takes
no explicit parameters. An example of an RIPEMD-160 DigestMethod
element is:
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#ripemd160"/>
A RIPEMD-160 digest is a 160-bit string. The content of the
DigestValue
element shall be the base64 encoding of this bit
string viewed as a 20-octet octet stream.
XML Signature [XML-DSIG] is optional to implement for XML encryption applications. It is the recommended way to provide key based authentication.
A Canonicalization of XML is a method of consistently serializing XML into an octet stream as is necessary prior to encrypting XML.
Canonical XML [Canon] is a method of serializing XML which includes the in scope namespace and xml namespace attribute context from ancestors of the XML being serialized.
If XML is to be encrypted and then later decrypted into a different environment and it is desired to preserve namespace prefix bindings and the value of attributes in the "xml" namespace of its original environment, then the canonical XML with comments version of the XML should be the serialization that is encrypted.
Exclusive XML Canonicalization [Exclusive] serializes XML in such a way as to include to the minimum extent practical the namespace prefix binding and xml namespace attribute context inherited from ancestor elements.
It is the recommended method where the outer context of a fragment which was signed and then encrypted may be changed. Otherwise the validation of the signature over the fragment may fail because the canonicalization by signature validation may include unnecessary namespaces into the fragment.
The application of both encryption and digital signatures over portions of an XML document can make subsequent decryption and signature verification difficult. In particular, when verifying a signature one must know whether the signature was computed over the encrypted or unencrypted form of elements.
A separate, but important, issue is introducing cryptographic vulnerabilities when combining digital signatures and encryption over a common XML element. Hal Finney has suggested that encrypting digitally signed data, while leaving the digital signature in the clear, may allow plaintext guessing attacks. This vulnerability can be mitigated by using secure hashes and the nonces in the text being processed.
In accordance with the requirements document [EncReq] the interaction of encryption and signing is an application issue and out of scope of the specification. However, we make the following recommendations:
Additionally, while the following warnings pertain to incorrect inferences by the user about the authenticity of information encrypted, applications should discourage user misapprehension by communicating clearly which information has integrity, or is authenticated, confidential, or non-repudiable when multiple processes (e.g., signature and encryption) and algorithms (e.g., symmetric and asymmetric) are used:
Where a symmetric key is shared amongst multiple recipients, that symmetric key should only be used for the data intended for all recipients; even if one recipient is not directed to information intended (exclusively) for another in the same symmetric key, the information might be discovered and decrypted.
Additionally, application designers should be careful not to reveal any information in parameters or algorithm identifiers (e.g., information in a URI) that weakens the encryption.
An undesirable characteristic of many encryption algorithms and/or their modes is that the same plaintext when encrypted with the same key has the same resulting ciphertext. While this is unsurprising, it invites various attacks which are mitigated by including an arbitrary and non-repeating (under a given key) data with the plaintext prior to encryption. In encryption chaining modes this data is the first to be encrypted and is consequently called the IV (initalization value or vector).
Different algorithms and modes have further requirements on the characteristic of this information (e.g., randomness and secrecy) that affect the features (e.g., confidentiality and integrity) and their resistence to attack.
Given that XML data is redundant (e.g., Unicode encodings and repeated tags ) and that attackers may know the data's structure (e.g., DTDs and schemas) encryption algorithms must be carefully implemented and used in this regard.
For the Cipher Block Chaining (CBC) mode used by this specification, the IV must not be reused for any key and should be random, but it need not be secret. Additionally, under this mode an adversary modifying the IV can make a known change in the plain text after decryption. This attack can be avoided by securing the integrity of the plain text data, for example by signing it.