XML Encryption

The XML Encryption Syntax and Processing Specification

Troubleshooting Tips

LANGUAGES: All .NET Languages

ASP.NET VERSIONS: All

 

By Don Kiely

 

As with digital signatures, it has long been possible to encrypt any kind of electronic data, yet the W3C has developed a specification for encrypting XML data. Why? Part of the reason is that the XML Encryption Syntax and Processing Specification defines an XML syntax to contain information about the methods used to encrypt the data so that you can embed it within XML. The other major reason is that it allows you to encrypt only portions of XML data. The result is that within a set of XML data you could have:

  • Encrypted data or, optionally, a link to the location of the data.
  • Unencrypted data that you don't need to waste processing cycles to encrypt.
  • Key information that optionally provides the public key needed in asymmetrical cryptography.
  • Optional recipient information to identify the people to whom the data is directed.

 

The specification even provides for super-encryption, in which encrypted data is encrypted a second time using different keys.

 

Say that you are developing an application for a pizza shop, using an XML file called Customers.xml. Here is a typical entry from that data:

 

<?xml version="1.0"?>
<Customers>
  <Customer CustomerID="1">
    <LastName>Kiely</LastName>
    <FirstName>Don</FirstName>
    <Address>8 Hazelnut</Address>
    <City>Fairbanks</City>
    <State>OR</State>
    <ZipCode>99999</ZipCode>
    <Email>[email protected]</Email>
  </Customer>
  ...

 

This data contains sensitive customer contact information that we don't want our competitors or anyone else to discover. Yet we must transmit the data to the home office in Elk Grove via the Internet. XML Encryption fits the bill. It allows you to encrypt all or any part of XML data, leaving less sensitive information in clear text. In this case, we want to encrypt the address, phone, and e-mail information, but leave the customer name and notes in clear text. Here is how it might look when it is encrypted:

 

<?xml version="1.0"?>
<Customers>
  <Customer CustomerID="1">
    <LastName>Kiely</LastName>
    <FirstName>Don</FirstName>
    <EncryptedData Id="Cust1"
      xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm=
        "http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:RetrievalMethod URI="#EK" Type=
        "http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
        <ds:KeyName>Informant</ds:KeyName>
      </ds:KeyInfo>
      <CipherData>
        <CipherValue>DEADBEEF</CipherValue>
      </CipherData>
    </EncryptedData>
  </Customer>
</Customers>

 

Notice that all the sensitive information is replaced with the XML tags defined in the XML Encryption standard, including the opening and closing tags. So someone who intercepted this data wouldn't even know for sure whether the encrypted data was something useful like a phone number or the customer's preference for greasy meats.

 

There are a couple of parts of the encrypted XML data to note:

  • The <EncryptionMethod> element identifies the algorithm used to encrypt the data. In this case it is the US National Institute of Standards and Technology's (NIST) AES algorithm, used with a 128-bit key in CBC mode, as the aes128-cbc URI indicates.
  • The <CipherData> and <CipherValue> elements contain the actual encrypted data.
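
A receiver-side sanity check on the elements just described, added here as an illustration and not part of the original article or of any .NET API. The Python function below (its name and report keys are this example's own) parses the article's sample, reports the algorithm and key references, and flags a same-document key reference that resolves to nothing and a CipherValue that cannot be AES-CBC output. It assumes the XML Encryption convention that, for a block cipher, the decoded CipherValue is the IV followed by whole cipher blocks.

```python
import base64
import xml.etree.ElementTree as ET

ENC = "http://www.w3.org/2001/04/xmlenc#"
NS = {"enc": ENC, "ds": "http://www.w3.org/2000/09/xmldsig#"}
AES_CBC = {ENC + name for name in ("aes128-cbc", "aes192-cbc", "aes256-cbc")}

# The article's encrypted sample, compacted and embedded so the example runs offline.
SAMPLE = """<?xml version="1.0"?>
<Customers><Customer CustomerID="1">
  <LastName>Kiely</LastName><FirstName>Don</FirstName>
  <EncryptedData Id="Cust1" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:RetrievalMethod URI="#EK" Type="http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
      <ds:KeyName>Informant</ds:KeyName>
    </ds:KeyInfo>
    <CipherData><CipherValue>DEADBEEF</CipherValue></CipherData>
  </EncryptedData>
</Customer></Customers>"""

def inspect_encrypted_data(xml_text):
    """Return one report per EncryptedData element, with receiver-side findings."""
    root = ET.fromstring(xml_text)
    ids = {el.get("Id") for el in root.iter() if el.get("Id")}
    reports = []
    for parent in root.iter():
        for ed in parent.findall("enc:EncryptedData", NS):
            alg = next((m.get("Algorithm") for m in ed.findall("enc:EncryptionMethod", NS)), None)
            uri = next((r.get("URI") for r in ed.findall("ds:KeyInfo/ds:RetrievalMethod", NS)), None)
            raw = base64.b64decode(ed.findtext("enc:CipherData/enc:CipherValue", "", NS))
            findings = []
            if uri and uri.startswith("#") and uri[1:] not in ids:
                findings.append("unresolved key reference " + uri)
            # For the AES-CBC URIs the octets are a 16-byte IV plus whole 16-byte blocks.
            if alg in AES_CBC and (len(raw) < 32 or len(raw) % 16):
                findings.append("cipher length %d invalid for AES-CBC" % len(raw))
            reports.append({
                "id": ed.get("Id"), "algorithm": alg, "key_ref": uri,
                "key_name": ed.findtext("ds:KeyInfo/ds:KeyName", None, NS),
                "cipher_bytes": len(raw), "findings": findings,
                "cleartext": [c.tag for c in parent if c is not ed],  # siblings left readable
            })
    return reports

if __name__ == "__main__":
    for report in inspect_encrypted_data(SAMPLE):
        print(report)
```

Both findings are expected for the article's sample, since its DEADBEEF value and #EK reference are placeholders. The aes128-cbc algorithm provides confidentiality only, so a receiver that needs to detect tampering has to get that from a signature over the document.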

 

Security for XML data is an immature technology. But you can take advantage of existing technologies today and emerging technologies in applications you develop in the future.

 

Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK. E-mail him at mailto:[email protected].

 

 

 

 
