ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzamy_5.4.0.1/50/webserv/wsseccfxmlenc.htm

189 lines
9.2 KiB
HTML
Raw Permalink Normal View History

2024-04-02 14:02:31 +00:00
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>XML encryption</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h5><a name="wsseccfxmlenc"></a>XML encryption</h5>
<p>XML Encryption is a specification that was developed by the World Wide Web Consortium (W3C) in 2002 that contains the following information:</p>
<ul>
<li>The steps to encrypt data.</li>
<li>The steps to decrypt encrypted data.</li>
<li>The XML syntax to represent encrypted data and the information used to decrypt the data.</li>
<li>A list of encryption algorithms, such as triple DES, AES, and RSA.</li>
</ul>
<p>You can apply XML encryption to an XML element, XML element content, and arbitrary data, including an XML document. For example, suppose that you need to encrypt the &lt;CreditCard&gt; element shown in Example 1.</p>
<p><strong>Example 1: Sample XML document</strong></p>
<pre>&lt;PaymentInfo xmlns='http://example.org/paymentv2'&gt;
&lt;Name&gt;John Smith&lt;/Name&gt;
&lt;CreditCard Limit='5,000' Currency='USD'&gt;
&lt;Number&gt;4019 2445 0277 5567&lt;/Number&gt;
&lt;Issuer&gt;Example Bank&lt;/Issuer&gt;
&lt;Expiration&gt;04/02&lt;/Expiration&gt;
&lt;/CreditCard&gt;
&lt;/PaymentInfo&gt;</pre>
<p>Example 2 shows the XML document after encryption. The EncryptedData element represents the encrypted CreditCard element. The EncryptionMethod element describes the applied encryption algorithm, which is triple DES in this example. The KeyInfo element contains the information to retrieve a decryption key, which is a KeyName element in this example. The CipherValue element contains the ciphertext obtained
by serializing and encrypting the CreditCard element.</p>
<p><strong>Example 2: XML document encrypted with a common secret key</strong></p>
<pre>&lt;PaymentInfo xmlns='http://example.org/paymentv2'&gt;
&lt;Name&gt;John Smith&lt;/Name&gt;
&lt;EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
xmlns='http://www.w3.org/2001/04/xmlenc#'&gt;
&lt;EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/&gt;
&lt;KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'&gt;
&lt;KeyName&gt;John Smith&lt;/KeyName&gt;
&lt;/KeyInfo&gt;
&lt;CipherData&gt;
&lt;CipherValue&gt;ydUNqHkMrD...&lt;/CipherValue&gt;
&lt;/CipherData&gt;
&lt;/EncryptedData&gt;
&lt;/PaymentInfo&gt;</pre>
<p>In example 2, it is assumed that both the sender and recipient have a common secret key. If the recipient has a public and private key pair, which is a most likely the case, the CreditCard element can be encrypted as shown in example 3. The EncryptedData element is the same as the EncryptedData element found in example 2. However, the KeyInfo element contains an EncryptedKey element, which represents the encrypted secret key, instead of the KeyName element found in example 2.</p>
<p><strong>Example 3: XML document encrypted with the public key of the recipient</strong></p>
<pre>&lt;PaymentInfo xmlns='http://example.org/paymentv2'&gt;
&lt;Name&gt;John Smith&lt;/Name&gt;
&lt;EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element'
xmlns='http://www.w3.org/2001/04/xmlenc#'&gt;
&lt;EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/&gt;
&lt;KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'&gt;
&lt;EncryptedKey xmlns='http://www.w3.org/2001/04/xmlenc#'&gt;
&lt;EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5'/&gt;
&lt;KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'&gt;
&lt;KeyName&gt;Sally Doe&lt;/KeyName&gt;
&lt;/KeyInfo&gt;
&lt;CipherData&gt;
&lt;CipherValue&gt;yMTEyOTA1M...&lt;/CipherValue&gt;
&lt;/CipherData&gt;
&lt;/EncryptedKey&gt;
&lt;/KeyInfo&gt;
&lt;CipherData&gt;
&lt;CipherValue&gt;ydUNqHkMrD...&lt;/CipherValue&gt;
&lt;/CipherData&gt;
&lt;/EncryptedData&gt;
&lt;/PaymentInfo&gt;</pre>
<p><strong>XML Encryption in WSS-Core</strong></p>
<p>WSS-Core is a specification under development by OASIS. The specification describes enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. The message confidentiality is realized by encryption based on XML Encryption.</p>
<p>The WSS-Core specification allows encryption of any combination of body blocks, header blocks, their sub-structures, and attachments of a SOAP message. The specification also requires that when you encrypt parts of a SOAP message, you must prepend a reference from the security header block to the encrypted parts of the message. The reference can be a clue for a recipient to identify which encrypted parts of the message to decrypt.</p>
<p>The XML syntax of the reference varies according to what information is encrypted and how it is encrypted. For example, suppose that the CreditCard element in example 4 is encrypted with either a common secret key or the public key of the recipient.</p>
<p><strong>Example 4: Sample SOAP message</strong></p>
<pre>&lt;SOAP-ENV:Envelope
SOAP-ENV:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'
xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/'&gt;
&lt;SOAP-ENV:Body&gt;
&lt;PaymentInfo xmlns='http://example.org/paymentv2'&gt;
&lt;Name&gt;John Smith&lt;/Name&gt;
&lt;CreditCard Limit='5,000' Currency='USD'&gt;
&lt;Number&gt;4019 2445 0277 5567&lt;/Number&gt;
&lt;Issuer&gt;Example Bank&lt;/Issuer&gt;
&lt;Expiration&gt;04/02&lt;/Expiration&gt;
&lt;/CreditCard&gt;
&lt;/PaymentInfo&gt;
&lt;/SOAP-ENV:Body&gt;
&lt;/SOAP-ENV:Envelope&gt;</pre>
<p>The resulting SOAP messages are shown in examples 5 and 6. In these example, the ReferenceList and EncryptedKey elements are used as references, respectively.</p>
<p><strong>Example 5: SOAP message encrypted with a common secret key</strong></p>
<pre>&lt;SOAP-ENV:Envelope
SOAP-ENV:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'
xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/'&gt;
&lt;SOAP-ENV:Header&gt;
&lt;Security SOAP-ENV:mustUnderstand='1'
xmlns='http://schemas.xmlsoap.org/ws/2003/06/secext'&gt;
&lt;ReferenceList xmlns='http://www.w3.org/2001/04/xmlenc#'&gt;
&lt;DataReference URI='#ed1'/&gt;
&lt;/ReferenceList&gt;
&lt;/Security&gt;
&lt;/SOAP-ENV:Header&gt;
&lt;SOAP-ENV:Body&gt;
&lt;PaymentInfo xmlns='http://example.org/paymentv2'&gt;
&lt;Name&gt;John Smith&lt;/Name&gt;
&lt;EncryptedData Id='ed1'
Type='http://www.w3.org/2001/04/xmlenc#Element'
xmlns='http://www.w3.org/2001/04/xmlenc#'&gt;
&lt;EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/&gt;
&lt;KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'&gt;
&lt;KeyName&gt;John Smith&lt;/KeyName&gt;
&lt;/KeyInfo&gt;
&lt;CipherData&gt;
&lt;CipherValue&gt;ydUNqHkMrD...&lt;/CipherValue&gt;
&lt;/CipherData&gt;
&lt;/EncryptedData&gt;
&lt;/PaymentInfo&gt;
&lt;/SOAP-ENV:Body&gt;
&lt;/SOAP-ENV:Envelope&gt;</pre>
<p><strong>Example 6: SOAP message encrypted with public key of the recipient</strong></p>
<pre>&lt;SOAP-ENV:Envelope
SOAP-ENV:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'
xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/'&gt;
&lt;SOAP-ENV:Header&gt;
&lt;Security SOAP-ENV:mustUnderstand='1'
xmlns='http://schemas.xmlsoap.org/ws/2003/06/secext'&gt;
&lt;EncryptedKey xmlns='http://www.w3.org/2001/04/xmlenc#'&gt;
&lt;EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#rsa-1_5'/&gt;
&lt;KeyInfo xmlns='http://www.w3.org/2000/09/xmldsig#'&gt;
&lt;KeyName&gt;Sally Doe&lt;/KeyName&gt;
&lt;/KeyInfo&gt;
&lt;CipherData&gt;
&lt;CipherValue&gt;yMTEyOTA1M...&lt;/CipherValue&gt;
&lt;/CipherData&gt;
&lt;ReferenceList&gt;
&lt;DataReference URI='#ed1'/&gt;
&lt;/ReferenceList&gt;
&lt;/EncryptedKey&gt;
&lt;/Security&gt;
&lt;/SOAP-ENV:Header&gt;
&lt;SOAP-ENV:Body&gt;
&lt;PaymentInfo xmlns='http://example.org/paymentv2'&gt;
&lt;Name&gt;John Smith&lt;/Name&gt;
&lt;EncryptedData Id='ed1'
Type='http://www.w3.org/2001/04/xmlenc#Element'
xmlns='http://www.w3.org/2001/04/xmlenc#'&gt;
&lt;EncryptionMethod
Algorithm='http://www.w3.org/2001/04/xmlenc#tripledes-cbc'/&gt;
&lt;CipherData&gt;
&lt;CipherValue&gt;ydUNqHkMrD...&lt;/CipherValue&gt;
&lt;/CipherData&gt;
&lt;/EncryptedData&gt;
&lt;/PaymentInfo&gt;
&lt;/SOAP-ENV:Body&gt;
&lt;/SOAP-ENV:Envelope&gt;</pre>
<p><strong>Relationship to Digital Signature</strong></p>
<p>The WSS-Core specification also provides message integrity, which is realized by digital signature based on XML-Signature.</p>
<p><strong>Note:</strong> A combination of encryption and digital signature over common data introduces cryptographic vulnerabilities. See Section 6.1 of the XML Encryption specification for the details.</p>
</body>
</html>