Encrypting and authenticating XML data [Part 1]

To lean on advance xml, we might need to know some W3C standards to extending the XML understanding, Encrypting and authenticating on XML data is one of the XML, XHTML and Webservices that we might need to know in order to master the XML skills

Using encryption and authentication with web services
As web services become more prevalent, the issue of security becomes more important. Encryption and authentication are vital tools for achieving secure web services.

encryption on xml

Security protocols such as Transport Layer Security (TLS) and Secure Sockets Layer (SSL) enable you to encrypt data and transmit it safely over the Internet. However, these protocols have a number of shortfalls, in that they provide security only between the two parties sending and receiving data at a particular moment in a transaction, rather than among all the parties in a multi-part online information exchange. For example, SSL can encrypt all details of an online purchase you make. This ensures that your credit card number is encrypted when sent to an online merchant, but it cannot ensure that the merchant then sends the number securely to a credit card verification service. XML Encryption serves to address these shortfalls. It enables you to:

  • encrypt specific parts of the data being transmitted
  • provide end-to-end security

This means that you can choose to encrypt an entire document, a specific element, or the content of a specific element. For example, in an online transaction, you may need to encrypt the credit card details, but not the product details. In this case, you would encrypt a specific element or the content of a specific element rather than encrypting the entire document. You can also transmit data between more than two parties and ensure end-to-end security rather than party-to-party security. This provides opportunities for more advanced e-commerce applications.

Digital signatures provide authentication when using web services. They enable users to receive data that is signed by the sender and to verify the identity of the sender and the integrity of the document – that is to verify that the data has not been altered since it was sent.

Encryption and authentication can be used together to provide powerful security solutions. The W3C has published recommendations for both encryption and digital signatures using XML. However, these are only specifications. They do not provide implementation details. To implement XML Encryption or XML Signatures, you’ll need to create programs that use these standards.

Encrypting data using XML

The W3C’s XML Encryption standard provides a way to encrypt any data. That data can be an entire document, a specific element, or the content of an element. Also, it doesn’t necessarily have to be XML. The standard then specifies a way to create an XML document to store the encrypted data.

Data is encrypted using the following elements – EncryptedData, CipherData, CipherValue, CipherReference, and EncryptionMethod.

Encrypted data generally takes the following format, where ? indicates zero or one occurrence and * indicates zero or more occurrences of an element or attribute:

<EncryptedData Id? Type? MimeType? Encoding?>
<EncryptionMethod/>?
<ds:KeyInfo>
<EncryptedKey>?
<AgreementMethod>?
<ds:KeyName>?
<ds:RetrievalMethod>?
<ds:*>?
</ds:KeyInfo>?
<CipherData>
<CipherValue>?
<CipherReference URI?>?
</CipherData>
<EncryptionProperties>?
</EncryptedData>

The EncryptedData element identifies the section of an XML document that holds encrypted information. If an entire document is encrypted, this element will serve as the root element for the encrypted document. The EncryptedData element can have the following child elements – EncryptionMethod, ds:KeyInfo, CipherData, and EncryptionProperties. The EncryptionMethod element specifies the encryption algorithm used. The ds:KeyInfo element contains information on the key used to encrypt and decrypt the data. For example, it can provide the public key that was used for encryption.

The CipherData element can contain a CipherValue or a CipherReference element. The CipherValue element contains the encrypted data, whereas the CipherReference element provides a URI describing the location of the encrypted data. Finally, the EncryptedData element can contain an optional EncryptionProperties element, which describes the properties of the encrypted data, such as when it was generated.

For example, say you want to encrypt the following document:

<?xml version=”1.0″ ?>
<booking
xmlns=”http://www.easynomadtravel.com/securebookings”>
<vacation>
<destination>Acapulco</destination>
<startDate>2004-05-14</startDate>
<endDate>2004-05-28</endDate>
</vacation>
<customer>
<name>Jonathan Gold</name>
<creditCard>
<cardNumber>1234898888999968</cardNumber>
<cardType>VISA</cardType>
<validTo>2005-01-31</validTo>
<creditCard>
</customer>
</booking>

Encrypting the entire file would result in the following code:

<?xml version=”1.0″ ?>
<EncryptedData xmlns=”http://www.w3.org/2001/04/xmlenc#”
MimeType=”text/xml”>
<CipherData>
<CipherValue>A23B45C56</CipherValue>
</CipherData>
</EncryptedData>

All of the encrypted data is contained within the EncryptedData element. This element is in the XML Encryption namespace, whose URI is http://www.w3.org/2001/04/xmlenc#, and whose recommended namespace prefix is xenc. The MimeType attribute specifies the format of the original data. Note that the CipherValue in this example is a sample. A real CipherValue would probably be considerably longer.

Encrypting the creditCard element only would result in a document such as:

<?xml version=”1.0″ ?>
<booking
xmlns=”http://www.easynomadtravel.com/securebookings”>
<vacation>
<destination>Acapulco</destination>
<startDate>2004-05-14</startDate>
<endDate>2004-05-28</endDate>
</vacation>
<customer>
<name>Jonathan Gold</name>
<EncryptedData Type=
“http://www.w3.org/2001/04/xmlenc#Element”
xmlns=”http://www.w3.org/2001/04/xmlenc#”>
<CipherData>
<CipherValue>A23B45C564587</CipherValue>
</CipherData>
</EncryptedData>
</customer>
</booking>

Only the encrypted creditCard element is contained in the EncryptedData element. All other elements in the document are visible. Once again, the EncryptedData element uses the http://www.w3.org/2001/04/xmlenc# namespace. However, this time it also uses the Type attribute with the value http://www.w3.org/2001/04/xmlenc#Element. Note the word Element at the end of the URI. This indicates that an element is encrypted.

Alternatively, you could encrypt just the credit card number, in which case the resulting document would be as follows:

<?xml version=”1.0″ ?>
<booking xmlns=
“http://www.easynomadtravel.com/securebookings”>
<vacation>
<destination>Acapulco</destination>
<startDate>2004-05-14</startDate>
<endDate>2004-05-28</endDate>
</vacation>
<customer>
<name>Jonathan Gold</name>
<creditCard>
<cardNumber>
<EncryptedData Type=
“http://www.w3.org/2001/04/xmlenc#Content”
xmlns=”http://www.w3.org/2001/04/xmlenc#”>
<CipherData>
<CipherValue>A23B45C564587</CipherValue>
</CipherData>
</EncryptedData>
</cardNumber>
<cardType>VISA</cardType>
<validTo>2005-01-31</validTo>
<creditCard>
</customer>
</booking>

This time all tags remain visible. Only the content of the cardNumber element has been encrypted. Again, the EncryptedData element uses the http://www.w3.org/2001/04/xmlenc# namespace. However, it uses the following value for the Type attribute – http://www.w3.org/2001/04/xmlenc#Content. The word Content at the end of this URI indicates that the content of an element is being encrypted.

XML encryption is key-based. Key-based encryption can be asymmetric or symmetric. Asymmetric encryption uses public and private keys. You use an algorithm to generate both keys. Then you send your public key to anyone who wants to send encrypted data to you. They use the public key to encrypt the data and then send the encrypted data to you. Then you use your private key to decrypt the data. Symmetric encryption uses secret keys. Using symmetric encryption, you exchange a secret key with someone who wants to send encrypted data to you. Then you can both use the secret key to encrypt and decrypt data.

In a document that uses encryption, the ds:KeyInfo element contains information about the key:

<ds:KeyInfo>
<EncryptedKey>?
<AgreementMethod>?
<ds:KeyName>?
<ds:RetrievalMethod>?
<ds:*>?
</ds:KeyInfo>?

Note that these elements use the ds namespace prefix because they occur in the XML Signature namespace rather than in the XML Encryption namespace. For example,

<EncryptedData xmlns=”http://www.w3.org/2001/04/xmlenc#”
Type=”http://www.w3.org/2001/04/xmlenc#Element”/>
<EncryptionMethod Algorithm=
“http://www.w3.org/2001/04/xmlenc#tripledes-cbc”/>
<ds:KeyInfo xmlns:ds=
“http://www.w3.org/2000/09/xmldsig#”>
<ds:KeyName>Jonathan Gold</ds:KeyName>
</ds:KeyInfo>
<CipherData>
<CipherValue>A23B45C564587</CipherValue>
</CipherData>
</EncryptedData>

The KeyInfo and KeyName elements are qualified to indicate they belong to the XML Signature namespace.

The data in this code sample has been encrypted using the Triple DES algorithm. This is specified using the Algorithm attribute in the EncryptionMethod element:

<EncryptionMethod Algorithm=
“http://www.w3.org/2001/04/xmlenc#tripledes-cbc”/>

The KeyInfo element declares the XML Signature namespace:

<ds:KeyInfo xmlns:ds=
“http://www.w3.org/2000/09/xmldsig#”>

Triple DES uses symmetric keys, and the KeyName element is used here to indicate that the key used is Jonathan Gold’s.

<ds:KeyName>Jonathan Gold</ds:KeyName>

Alternatively, you could use the AES algorithm to encrypt the data:

<EncryptedData Id=’ED’
xmlns=’http://www.w3.org/2001/04/xmlenc#’>
<EncryptionMethod Algorithm=
‘http://www.w3.org/2001/04/xmlenc#aes128-cbc’/>
<ds:KeyInfo xmlns:ds=
‘http://www.w3.org/2000/09/xmldsig#’>
<ds:RetrievalMethod URI=’#EK’
Type=”http://www.w3.org/2001/04/xmlenc#EncryptedKey”/>
<ds:KeyName>Antonia Suares</ds:KeyName>
</ds:KeyInfo>
<CipherData>
<CipherValue>A23B45C564587</CipherValue>
</CipherData>
</EncryptedData>

This time the value of the Algorithm attribute in the EncryptionMethod element is http://www.w3.org/2001/04/xmlenc#aes128-cbc, to indicate 128-bit AES. The RetrievalMethod element is used to identify KeyInfo information that is stored remotely.

3 Responses to “Encrypting and authenticating XML data [Part 1]”

  1. The Guru February 9, 2010 at 5:30 pm #

    I was working on the inbound and outbound interface using XML data. Never know there’s such cool encrytion technology for XML. Good share!

  2. simonso February 10, 2010 at 6:18 pm #

    good stuff bro!

  3. Calvyn February 12, 2010 at 4:27 pm #

    welcome… welcome… I hope to bring more related article here, thank for you guys support

Leave a Reply