XML ENCRYPTION
SeminarsTopics.com
XML ENCRYPTION
Definition of XML encryption.
XML Encryption provides end-to-end security for applications that require secure exchange of structured data. XML itself is the most popular technology for structuring data, and therefore XML-based encryption is the natural way to handle complex requirements for security in data interchange applications.
Encrypting part of the data being exchanged
Secure sessions between more than two parties
With XML Encryption, each party can maintain secure or insecure states with any of the communicating parties. Both secure and non-secure data can be exchanged in the same document. For example, think of a secure chat application containing a number of chat rooms with several people in each room. XML-encrypted files can be exchanged between chatting partners so that data intended for one room will not be visible to other rooms.
Brief description.
There are three procedures to XML Encryption.
1. SYMMETRIC ENCRYPTION
Only one session key is used, and the same key that encrypts the XML is used to decrypt it. The key is not stored with the encrypted XML, so the key needs to be loaded during the process and protected when stored.
2. COMBINATION OF ASYMMETRIC AND SYMMETRIC ENCRYPTION
The dual approach requires a symmetric session key to encrypt the data and an asymmetric key to protect the session key. Both the encrypted session key and the encrypted data are stored together in the XML document. The public asymmetric key is used to encrypt the session key, while the private asymmetric key is used to decrypt the key.
3. X.509 CERTIFICATE
This approach uses an X.509 certificate as the symmetrical key. X.509 certificates are provided by a third-party vendor such as VeriSign.
Approaches
XML encryption, regardless of how the encryption is performed, can store the encrypted data in one of two ways.
1. After encryption the whole element is replaced with an element named <EncryptedData>.
2. After encryption only the data in the element is replaced and its name remains readable in the document.
The difference is very subtle but it's rather important. For example: your XML document contains a root element called <employee> that contains a child element called <WrittenWarning> in which details of disciplinary action are stored. If you were sending this XML and wanted the <WrittenWarning> element's details protected, with approach 1 the <WrittenWarning> element is replaced with an element called <EncryptedData> and no information can be gathered from the document. With approach 2, however, the <WrittenWarning> element stays and only the data is encrypted. Anyone who intercepted this document might not know the specific details of the disciplinary action, but they will still know that something has happened with that employee. Any attributes on the <WrittenWarning> element are also not encrypted. So the approach you take depends on what the data is and how much information you want to give away. In .NET v2.0, the approach to take is specified using a Boolean value and can be easily modified.
Example of XML Encryption
Below is an example of XML encryption using the asymmetric approach, where the author element in the XML document is replaced with an <EncryptedData> element.
The XML Document
<?xml version="1.0" standalone="no"?>
<article>
  <articleinfo>
    <title>XPath Queries on XmlDocument objects in .NET 1.1</title>
    <abstract>
      <para>This article covers the basics.</para>
    </abstract>
    <author>
      <honorific>Mr.</honorific>
      <firstname>George</firstname>
      <surname>James</surname>
      <email>gjames@doman.com</email>
    </author>
  </articleinfo>
</article>
<?xml version="1.0" standalone="no"?>
<article>
  <articleinfo>
    <title>XPath Queries on XmlDocument objects in .NET 1.1</title>
    <abstract>
      <para>This article covers the basics.</para>
    </abstract>
    <EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>session</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>r4f7SI1aZKSvibb</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>sGNhKqcSovipJdOFCFKYEEMRFd</CipherValue>
      </CipherData>
    </EncryptedData>
  </articleinfo>
</article>
The author element and its children have been replaced with the <EncryptedData> element which contains a number of other elements that are used to describe the encrypted data, i.e. the encryption algorithms used, the session key used, etc.
The <EncryptedData> element
Looking at the tree hierarchy of the <EncryptedData> element you can see the <EncryptedData> element is broken down into a number of child elements. The <KeyInfo> element is the same as the <KeyInfo> element used in XML Digital Signatures.
The EncryptedData element is contained in the "http://www.w3.org/2001/04/xmlenc#" namespace. It is the root of the encrypted data.
The EncryptionMethod element is used to specify the symmetric method used when encrypting the data. It does this by using an Algorithm attribute containing a W3 URL that describes the method used. "http://www.w3.org/2001/04/xmlenc#aes256-cbc" indicates the data was encrypted using AES (Rijndael) with a 256k key size.
The KeyInfo element is borrowed from XML Digital Signatures and is used to store information about the symmetric keys. The KeyInfo element can store information about more than one key.
The EncryptedKey element and its child elements contain information about one key stored in a KeyInfo element.
The EncryptionMethod element of the KeyInfo contains the asymmetric encryption method used to encrypt the session key. It does this using an Algorithm attribute set to a W3 URL. For example, "http://www.w3.org/2001/04/xmlenc#rsa-1_5" indicates that RSA asymmetric encryption was used to encrypt the session key.
The KeyName element is an identifier used to find the key. You'll see the importance of this later when it comes to coding XML Encryption.
The CipherData and CipherValue elements that are found as part of the EncryptedKey and EncryptedData elements contain the cipher data. The actual cipher data is stored in the CipherValue element. The EncryptedKey element stores the encrypted key, while the encrypted data is stored in the CipherValue for the EncryptedData element.
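The element hierarchy described above can be walked programmatically. The following Python example is added here and is not part of the original document or of any .NET library: it reports, for each EncryptedData element, the algorithms, the KeyName, the size of the cipher data, and the parent element name and attributes that remain readable (the leak discussed under approach 2). The function name inspect_encrypted_data, the FLAGGED review policy and the sample document with placeholder cipher bytes are assumptions of this example.

```python
import base64
import xml.etree.ElementTree as ET

ENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"enc": ENC, "ds": DS}
# Assumed review policy: flag PKCS#1 v1.5 key transport and CBC-mode data encryption.
FLAGGED = {ENC + "rsa-1_5": "RSA PKCS#1 v1.5 key transport"}
FLAGGED.update({ENC + a: "CBC mode without integrity protection"
                for a in ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")})

def _alg(node):
    """Algorithm URI of the node's own EncryptionMethod child, or None."""
    method = node.find("enc:EncryptionMethod", NS) if node is not None else None
    return method.get("Algorithm") if method is not None else None

def inspect_encrypted_data(xml_text):
    """Summarise each EncryptedData element and what stays readable around it."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    reports = []
    for ed in root.iter("{%s}EncryptedData" % ENC):
        key = ed.find("ds:KeyInfo/enc:EncryptedKey", NS)
        parent = parent_of.get(ed)
        value = ed.findtext("enc:CipherData/enc:CipherValue", default="", namespaces=NS)
        algs = [_alg(ed), _alg(key)]  # data encryption first, key transport second
        reports.append({
            "type": ed.get("Type"),
            "visible_parent": parent.tag if parent is not None else None,
            "visible_attributes": dict(parent.attrib) if parent is not None else {},
            "data_algorithm": algs[0],
            "key_algorithm": algs[1],
            "key_name": None if key is None
                        else key.findtext("ds:KeyInfo/ds:KeyName", namespaces=NS),
            "cipher_bytes": len(base64.b64decode("".join(value.split()))),
            "flags": [FLAGGED[a] for a in algs if a in FLAGGED],
        })
    return reports

# Constructed sample: content-only encryption inside <WrittenWarning>; cipher bytes are placeholders.
_CT = base64.b64encode(bytes(48)).decode()
SAMPLE = f"""<employee><WrittenWarning date="2006-03-01">
<EncryptedData xmlns="{ENC}" Type="{ENC}Content">
 <EncryptionMethod Algorithm="{ENC}aes256-cbc"/>
 <KeyInfo xmlns="{DS}"><EncryptedKey xmlns="{ENC}">
  <EncryptionMethod Algorithm="{ENC}rsa-1_5"/>
  <KeyInfo xmlns="{DS}"><KeyName>session</KeyName></KeyInfo>
  <CipherData><CipherValue>{_CT}</CipherValue></CipherData>
 </EncryptedKey></KeyInfo>
 <CipherData><CipherValue>{_CT}</CipherValue></CipherData>
</EncryptedData></WrittenWarning></employee>"""
```

Calling inspect_encrypted_data(SAMPLE) shows that the WrittenWarning element name and its date attribute are still readable. For documents received from untrusted senders, parse with a hardened XML parser such as defusedxml instead of the standard library parser.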
Asymmetric XML Decryption Process
The process of decrypting the XML can be summarized in four steps:
1. Select the EncryptedData element in an XML document.
2. Decrypt the session key using an asymmetric key (the private key is used).
3. Decrypt the cipher data using the unencrypted symmetric session key.
4. Replace the EncryptedData element with the unencrypted element.
System.Security.Cryptography contains encryption classes used to generate encryption keys.
System.Security.Cryptography.Xml contains XML Encryption classes that are used to perform the encryption.
An online book-buyer can secure the sensitive information in the purchase order by employing any of the following three XML encryption methods:
1. Encrypt a complete XML file
2. Encrypt an element in an XML file
3. Encrypt an element's content in an XML file
1. Encrypt a complete XML file with XML Encryption
The book-buyer can encrypt the entire Order.xml file to produce an XML-encrypted file, which can then be sent to the publisher's sales department. Although this provides relevant security through the end-to-end communication link, the book-buyer's security policy is violated. This policy requires concealing the payment information in the sales department and revealing it in the accounts department. In this case, the whole XML document is decrypted by the sales department and the payment information is disclosed. Therefore this approach does not seem suitable, although it can be practical if you use super encryption.
2. Encrypt an element in an XML file with XML Encryption
The book-buyer can encrypt the payment information portion of the XML file with the accounts department's secret key, and keep the rest of the file content unencrypted for the sales department to view. This processing can be performed by encrypting the Payment element in the Order.xml file. The credit card information becomes secure. Since the security requirement dictates that the means of payment (such as credit card or bank check) must be hidden from unauthorized viewers, encrypting the Payment element pays off.
Super encryption
When you use super encryption, you can encrypt just the payment information with the accounts department's secret key to produce an element-encrypted XML file. The resulting file is then completely encrypted using the sales department's secret key, producing a super-encrypted XML file.
3. Encrypt an element's content in an XML file with XML Encryption
The third encryption option the books-seller can exercise is to encrypt only the credit card number in Order.xml. The element content encryption method is invoked, which encrypts only the textual content of the card number. This raises an important question: why do you need content encryption when the same can be accomplished using element encryption? The use of either method depends on the security policy for the document; if there is a specific need to disclose the name of the element or its attributes, while keeping its content secure, content encryption comes in handy.
The table below lists the categories of algorithms. Within each category, a brief name, the level of implementation requirement, and an identifying URI are given for each algorithm.
Block Encryption
Key Transport
1. REQUIRED TRIPLEDES KeyWrap
2. REQUIRED AES-128 KeyWrap
3. REQUIRED AES-256 KeyWrap
4. OPTIONAL AES-192 KeyWrap
Message Digest
1. 2. 3. 4.
Message Authentication
1. 2. 3. 4.
OPTIONAL Canonical XML (omits comments)
OPTIONAL Canonical XML with Comments
OPTIONAL Exclusive XML Canonicalization (omits comments)
OPTIONAL Exclusive XML Canonicalization with Comments
Encoding
1. REQUIRED base64
6. Conclusion.
XML Encryption is a W3C standard for encrypting XML. It does this in such a way that the encrypted data remains XML and can be treated as XML. It uses both asymmetric and symmetric encryption algorithms: symmetric to encrypt the data and asymmetric to encrypt the symmetric session key. Both the session key and the cipher data are stored together in an XML element called EncryptedData. The EncryptedData element contains a series of child elements that describe the algorithms used during the encryption process, as well as the key information and the cipher data.