
XML Encryption: Difference between revisions

From Wikipedia, the free encyclopedia
added bibliography
(11 intermediate revisions by 10 users not shown)
Line 1: Line 1:
{{Short description|W3C specification for XML element encryption}}
'''XML Encryption''', also known as XML-Enc, is a specification, governed by a [[World Wide Web Consortium|W3C]] recommendation, that defines how to encrypt the contents of an [[XML]] element.
'''XML Encryption''' ('''XML-Enc''') is a specification governed by a [[World Wide Web Consortium]] (W3C) recommendation, that defines how to [[encrypt]] the contents of an [[XML]] element.


==Specification==
Although XML Encryption can be used to encrypt any kind of data, it is nonetheless known as "XML Encryption" because an XML element (either an <tt>EncryptedData</tt> or <tt>EncryptedKey</tt> element) contains or refers to the cipher text, keying information, and algorithms.
Although XML Encryption can be used to encrypt any kind of data, it is nonetheless known as "XML Encryption" because an XML element (either an <code>EncryptedData</code> or <code>EncryptedKey</code> element) contains or refers to the cipher text, keying information, and algorithms.{{sfnp|XMLENC 1.0|loc=section 2}}


Both [[XML Signature]] and XML Encryption use the <tt>KeyInfo</tt> element, which appears as the child of a <tt>SignedInfo</tt>, <tt>EncryptedData</tt>, or <tt>EncryptedKey</tt> element and provides information to a recipient about what keying material to use in validating a signature or decrypting encrypted data.
Both [[XML Signature]] and XML Encryption use the <code>KeyInfo</code> element, which appears as the child of a <code>SignedInfo</code>, <code>EncryptedData</code>, or <code>EncryptedKey</code> element and provides information to a recipient about what keying material to use in validating a signature or decrypting encrypted data.


The <tt>KeyInfo</tt> element is optional: it can be attached in the message, or be delivered through a secure channel.
The <code>KeyInfo</code> element is optional: it can be attached in the message, or be delivered through a secure channel.


XML Encryption is different from and unrelated to [[Transport Layer Security]], which is used to send encrypted messages (including xml content, both encrypted and otherwise) over the internet.
XML Encryption is different from and unrelated to [[Transport Layer Security]] (TLS), which is used to send encrypted messages (including XML content, both encrypted and otherwise) over the internet.


{{harvtxt|Jager|Somorovsky|2011}} reported that this specification has severe security concerns. In response to this,{{sfnb|Jager|Paterson|Somorovsky|2013}} the specification of XML Encryption 1.1 published in 2013 included a [[Galois/Counter Mode]] block cypher algorithm.{{sfnp|Kupser|Mainka|Schwenk|Somorovsky|2015}}{{clarification needed|date=September 2024}}
It has been reported that this specification has severe security concerns.<ref>{{cite web|title=RUB Researchers break W3C standard|url=http://aktuell.ruhr-uni-bochum.de/pm2011/pm00330.html.en|publisher=[[Ruhr University Bochum]]|accessdate=29 June 2012| date=19 October 2011}}</ref>


==Notes==
== References ==

<references/>
===Citations===
==XML Encryption Products==
{{Reflist}}
* Forum Sentry

* IBM Datapower
===Sources===
{{refbegin}}
* {{cite web|first1=T.|last1=Imamura|first2=B.|last2=Dillaway|first3=E.|last3=Simon|date=10 December 2002|title=XML Encryption Syntax and Processing|editor-first1=D.|editor-last1=Eastlake|editor-first2=J.|editor-last2=Reagle|url=https://www.w3.org/TR/2002/REC-xmlenc-core-20021210|publisher=[[W3C]]|ref={{sfnref|XMLENC 1.0}}}}
* {{cite web|first1=T.|last1=Imamura|first2=B.|last2=Dillaway|first3=E.|last3=Simon|first4=K.|last4=Yiu|first5=M.|last5=Nyström|date=11 April 2013|title=XML Encryption Syntax and Processing Version 1.1|editor-first1=D.|editor-last1=Eastlake|editor-first2=J.|editor-last2=Reagle|editor-first3=F.|editor-last3=Hirsch|editor-first4=T.|editor-last4=Roessler|url=https://www.w3.org/TR/2013/REC-xmlenc-core1-20130411|publisher=[[W3C]]|ref={{sfnref|XMLENC 1.1}}}}
* {{cite paper|date=19 October 2011|last1=Jager|first1=T.|last2=Somorovsky|first2=J.|title=How to break XML encryption|journal=Proceedings of the 18th ACM Conference on Computer and Communications Security|pages=413–422|doi=10.1145/2046707.2046756|isbn=978-1-4503-0948-6|publisher=Association for Computing Machinery|location=New York}}
* {{cite web|editor-first=F.|editor-last=Hirsch|date=11 April 2013|title=Functional Explanation of Changes in XML Encryption 1.1|url=https://www.w3.org/TR/2013/NOTE-xmlenc-core1-explain-20130411|publisher=W3C}}
* {{cite paper|date=June 2012|first1=J.|last1=Somorovsky|first2=J.|last2=Schwenk|title=Technical Analysis of Countermeasures against Attack on XML Encryption – or – Just Another Motivation for Authenticated Encryption|url=https://www.w3.org/2008/xmlsec/papers/xmlEncCountermeasuresW3C.pdf|work=2012 IEEE Eighth World Congress on Services|doi=10.1109/SERVICES.2012.6|publisher=IEEE|isbn=978-1-4673-3053-4}}
* {{cite conference|first1=T.|last1=Jager|first2=K. G.|last2=Paterson|first3=J.|last3=Somorovsky|date=24 April 2013|title=One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography|url=https://www.ndss-symposium.org/ndss2013/ndss-2013-programme/one-bad-apple-backwards-compatibility-attacks-state-art-cryptography/|conference=NDSS Symposium 2013}}
* {{cite conference|first1=D.|last1=Kupser|first2=C.|last2=Mainka|first3=J.|last3=Schwenk|first4=J.|last4=Somorovsky|date=August 2015|title=How to Break XML Encryption – Automatically|conference=9th USENIX Workshop on Offensive Technologies (WOOT '15)|url=https://www.usenix.org/conference/woot15/workshop-program/presentation/kupser}}
{{refend}}


==External links==
==External links==
* [http://www.w3.org/TR/xmlenc-core/ W3C info]
* [http://www.w3.org/TR/xmlenc-core/ W3C info]
* [http://santuario.apache.org/ Apache Santuario - Apache XML Security Implementation for Java and C++]
* [http://www.aleksey.com/xmlsec/ XMLSec - XML Security Library for C]
* [http://users.dcc.uchile.cl/~pcamacho/tutorial/web/xmlsec/xmlsec.html An Introduction to XML Signature and XML Encryption with XMLSec]
{{W3C standards}}


[[Category:XML]]
[[Category:XML]]
[[Category:Cryptography standards]]
[[Category:Cryptography standards]]
[[Category:XML-based standards]]
[[Category:XML-based standards]]

{{W3C standards}}
{{web-stub}}

[[es:Xml encryption]]
[[de:XML-Encryption]]
[[ru:XML Encryption]]
[[zh:XML Encryption]]
[[hu:XML Kódolás]]
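Review bot: in the new sentence beginning "{{harvtxt|Jager|Somorovsky|2011}} reported that this specification has severe security concerns", the {{sfnb|Jager|Paterson|Somorovsky|2013}} citation is placed directly after "In response to this," rather than after the claim it supports, the word "cypher" is spelled differently from "cipher text" used earlier in the same article, and the GCM claim is left carrying a {{clarification needed}} tag; suggest moving the citation to follow "Galois/Counter Mode block cipher algorithm" and resolving the tag from the Hirsch 2013 "Functional Explanation of Changes in XML Encryption 1.1" entry that this revision already adds to the Sources list. Separately, the edit summary "added bibliography" does not mention that the "==XML Encryption Products==" section ("* Forum Sentry", "* IBM Datapower") and the "==Notes==" heading are removed in the same edit; a summary that covers those removals would make the change easier to review.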

Revision as of 16:53, 2 September 2024

XML Encryption (XML-Enc) is a specification governed by a World Wide Web Consortium (W3C) recommendation that defines how to encrypt the contents of an XML element.

Specification

Although XML Encryption can be used to encrypt any kind of data, it is nonetheless known as "XML Encryption" because an XML element (either an EncryptedData or EncryptedKey element) contains or refers to the cipher text, keying information, and algorithms.[1]

Both XML Signature and XML Encryption use the KeyInfo element, which appears as the child of a SignedInfo, EncryptedData, or EncryptedKey element and provides information to a recipient about what keying material to use in validating a signature or decrypting encrypted data.

The KeyInfo element is optional: it can be attached in the message, or be delivered through a secure channel.

XML Encryption is different from and unrelated to Transport Layer Security (TLS), which is used to send encrypted messages (including XML content, both encrypted and otherwise) over the internet.

Jager & Somorovsky (2011) reported that this specification has severe security concerns. In response to this,[2] the XML Encryption 1.1 specification published in 2013 included a Galois/Counter Mode (GCM) block cipher algorithm.[3][clarification needed]
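The element structure described above (an EncryptedData carrying an EncryptionMethod, a KeyInfo that names the key, and CipherData with the cipher text) and the reason the 1.1 revision added GCM can both be shown in one small program. The following is an added example written for this page, not code from the W3C recommendation or from any of the cited papers. It uses only the Go standard library; the namespace and algorithm URIs are the ones defined in the XML Encryption 1.0 and 1.1 recommendations listed under Sources, while the function names (Encrypt, Decrypt, TamperDetected), the KeyName-based key lookup, the demo key and the sample credit-card content are all constructed for the example. Following the 1.1 GCM profile, the CipherValue holds a 96-bit IV followed by the cipher text with the 128-bit authentication tag appended.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
)

// Namespace and algorithm URIs from the XML Encryption 1.0 and 1.1 recommendations.
const (
	xencNS    = "http://www.w3.org/2001/04/xmlenc#"
	AES128GCM = "http://www.w3.org/2009/xmlenc11#aes128-gcm"
)

// EncryptedData mirrors the element structure described in the text: an
// EncryptionMethod naming the algorithm, a KeyInfo (XML Signature namespace)
// telling the recipient which key to use, and CipherData with the cipher text.
type EncryptedData struct {
	XMLName          xml.Name         `xml:"http://www.w3.org/2001/04/xmlenc# EncryptedData"`
	Type             string           `xml:"Type,attr,omitempty"`
	EncryptionMethod EncryptionMethod `xml:"EncryptionMethod"`
	KeyInfo          KeyInfo          `xml:"http://www.w3.org/2000/09/xmldsig# KeyInfo"`
	CipherData       CipherData       `xml:"CipherData"`
}

type EncryptionMethod struct {
	Algorithm string `xml:"Algorithm,attr"`
}

type KeyInfo struct {
	KeyName string `xml:"KeyName"` // constructed: a name the recipient resolves to a key
}

type CipherData struct {
	CipherValue string `xml:"CipherValue"` // base64 of IV || cipher text || tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt wraps plaintext (the content of some XML element) in an EncryptedData
// element under AES-128-GCM. gcm.Seal returns cipher text with the 128-bit tag
// appended, so prefixing the 96-bit IV yields the 1.1 CipherValue layout.
func Encrypt(key []byte, keyName string, plaintext []byte) (*EncryptedData, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, gcm.NonceSize()) // 12 bytes, fresh per message
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	sealed := gcm.Seal(nil, iv, plaintext, nil)
	return &EncryptedData{
		Type:             xencNS + "Content",
		EncryptionMethod: EncryptionMethod{Algorithm: AES128GCM},
		KeyInfo:          KeyInfo{KeyName: keyName},
		CipherData:       CipherData{CipherValue: base64.StdEncoding.EncodeToString(append(iv, sealed...))},
	}, nil
}

// Decrypt resolves the key named in KeyInfo and opens the cipher text. It accepts
// only the GCM algorithm it was built for instead of honouring whatever
// EncryptionMethod the message names, so a message rewritten to request an
// older unauthenticated mode is rejected before any decryption happens.
func Decrypt(keys map[string][]byte, ed *EncryptedData) ([]byte, error) {
	if ed.EncryptionMethod.Algorithm != AES128GCM {
		return nil, fmt.Errorf("unsupported EncryptionMethod %q", ed.EncryptionMethod.Algorithm)
	}
	key, ok := keys[ed.KeyInfo.KeyName]
	if !ok {
		return nil, errors.New("KeyInfo names an unknown key")
	}
	raw, err := base64.StdEncoding.DecodeString(ed.CipherData.CipherValue)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("CipherValue too short to hold IV and tag")
	}
	iv, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, iv, ct, nil) // any change to ct or the tag fails here
}

// TamperDetected flips one bit of the cipher text in a copy of ed and reports
// whether Decrypt rejects it: the integrity check that GCM adds and that the
// original CBC-only algorithms lacked.
func TamperDetected(keys map[string][]byte, ed *EncryptedData) bool {
	raw, err := base64.StdEncoding.DecodeString(ed.CipherData.CipherValue)
	if err != nil || len(raw) < 13 {
		return false
	}
	raw[12] ^= 0x01 // first cipher text byte after the 12-byte IV
	tampered := *ed
	tampered.CipherData = CipherData{CipherValue: base64.StdEncoding.EncodeToString(raw)}
	_, err = Decrypt(keys, &tampered)
	return err != nil
}

func main() {
	key := []byte("0123456789abcdef")                              // constructed demo key
	pt := []byte("<CreditCard>4019 2445 0277 5567</CreditCard>") // constructed sample content
	keys := map[string][]byte{"demo-key": key}
	ed, err := Encrypt(key, "demo-key", pt)
	if err != nil {
		panic(err)
	}
	doc, _ := xml.MarshalIndent(ed, "", "  ")
	fmt.Println(string(doc))
	var parsed EncryptedData
	if err := xml.Unmarshal(doc, &parsed); err != nil {
		panic(err)
	}
	out, err := Decrypt(keys, &parsed)
	fmt.Printf("decrypted: %s (err=%v)\n", out, err)
	fmt.Println("tamper detected:", TamperDetected(keys, &parsed))
}
```

Running it prints the serialized EncryptedData element, the recovered content, and confirms that a single flipped cipher-text bit is rejected. The deliberate choice in Decrypt is to pin the algorithm the recipient is willing to process rather than trust the EncryptionMethod in the message; the KeyInfo is still consulted for key selection, but never for algorithm selection.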

References

Citations

Sources

  • Imamura, T.; Dillaway, B.; Simon, E. (10 December 2002). Eastlake, D.; Reagle, J. (eds.). "XML Encryption Syntax and Processing". W3C.
  • Imamura, T.; Dillaway, B.; Simon, E.; Yiu, K.; Nyström, M. (11 April 2013). Eastlake, D.; Reagle, J.; Hirsch, F.; Roessler, T. (eds.). "XML Encryption Syntax and Processing Version 1.1". W3C.
  • Jager, T.; Somorovsky, J. (19 October 2011). "How to break XML encryption". Proceedings of the 18th ACM Conference on Computer and Communications Security. New York: Association for Computing Machinery: 413–422. doi:10.1145/2046707.2046756. ISBN 978-1-4503-0948-6.
  • Hirsch, F., ed. (11 April 2013). "Functional Explanation of Changes in XML Encryption 1.1". W3C.
  • Somorovsky, J.; Schwenk, J. (June 2012). "Technical Analysis of Countermeasures against Attack on XML Encryption – or – Just Another Motivation for Authenticated Encryption" (PDF). 2012 IEEE Eighth World Congress on Services. IEEE. doi:10.1109/SERVICES.2012.6. ISBN 978-1-4673-3053-4.
  • Jager, T.; Paterson, K. G.; Somorovsky, J. (24 April 2013). One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography. NDSS Symposium 2013.
  • Kupser, D.; Mainka, C.; Schwenk, J.; Somorovsky, J. (August 2015). How to Break XML Encryption – Automatically. 9th USENIX Workshop on Offensive Technologies (WOOT '15).