Page 1: XML CRYPTOGRAPHY CS 795. NET Sunish Kotla Skotla@cs.odu.edu.

XML CRYPTOGRAPHY CS795.NET

Sunish Kotla

Skotla@cs.odu.edu


OUTLINE

What is XML Encryption?

Approaches to XML Encryption

How Encrypted Data is Stored?

Types of XML Encryption

Benefits of XML Cryptography


XML ENCRYPTION

W3C standard for encrypting XML elements.

Specification that defines how to encrypt data

Provides end-to-end security for applications that require secure exchange of structured data.


APPROACHES TO XML ENCRYPTION

Encrypt the XML using symmetric encryption only

Encrypt the XML using a combination of asymmetric and symmetric encryption

Encrypt the XML using an X.509 certificate


HOW ENCRYPTED DATA IS STORED?

Two approaches:

Whole element is replaced with an element named <EncryptedData>

Only the data in the element is replaced and its name remains readable in the document


XML DOCUMENT


ENCRYPTED CODE


NAMESPACES

System.Xml

System.Security.Cryptography

System.Security.Cryptography.Xml


ASYMMETRIC XML ENCRYPTION PROCESS

Select an element in an XML document (selecting the root will encrypt the whole document).

Encrypt the element using a symmetric encryption key, known as the session key.

Encrypt the session key using asymmetric encryption (the public key is used).

Create an EncryptedData element which will contain the encrypted data and the encrypted session key.

Replace the original element with the EncryptedData element.


ASYMMETRIC XML DECRYPTION PROCESS

Select the EncryptedData element in an XML document

Decrypt the session key using an asymmetric key (the private key is used)

Decrypt the cipher data using the decrypted symmetric session key.

Replace the EncryptedData element with the unencrypted element.
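
The encryption and decryption processes above, written out as an added C# example using the namespaces listed earlier (this is not code from the original slides). The class name XmlEncDemo, the method names Encrypt and Decrypt, and the key name "demoKey" are assumptions chosen for illustration; the sample document is a shortened form of the PaymentInfo example.

```csharp
// Added example. Needs System.Security.Cryptography.Xml (a NuGet package on modern .NET).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;
static class XmlEncDemo   // hypothetical name
{
    // Encryption process: session key, wrapped session key, EncryptedData, replace element.
    static void Encrypt(XmlDocument doc, string elementName, RSA publicKey, string keyName)
    {
        var target = (XmlElement)doc.GetElementsByTagName(elementName)[0];
        using Aes sessionKey = Aes.Create();          // symmetric session key
        sessionKey.KeySize = 256;
        byte[] cipher = new EncryptedXml().EncryptData(target, sessionKey, false);
        var wrapped = new EncryptedKey
        {
            // Session key encrypted with the RSA public key; true selects OAEP padding.
            CipherData = new CipherData(EncryptedXml.EncryptKey(sessionKey.Key, publicKey, true)),
            EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl)
        };
        wrapped.KeyInfo.AddClause(new KeyInfoName(keyName));
        var data = new EncryptedData
        {
            Type = EncryptedXml.XmlEncElementUrl,     // whole element, not just its content
            EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url)
        };
        data.KeyInfo.AddClause(new KeyInfoEncryptedKey(wrapped));
        data.CipherData.CipherValue = cipher;
        EncryptedXml.ReplaceElement(target, data, false);
    }
    // Decryption process: map the key name to the private key, then let EncryptedXml
    // unwrap the session key, decrypt the cipher data and restore the element.
    static void Decrypt(XmlDocument doc, RSA privateKey, string keyName)
    {
        var exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(keyName, privateKey);
        exml.DecryptDocument();
    }
    static void Main()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<PaymentInfo xmlns='http://example.org/paymentv2'><Name>John Smith</Name>" +
            "<CreditCard Limit='5,000' Currency='USD'><Number>4019 2445 0277 5567</Number></CreditCard></PaymentInfo>");
        using RSA rsa = RSA.Create(2048);             // constructed key pair for the demo
        Encrypt(doc, "CreditCard", rsa, "demoKey");
        Console.WriteLine(doc.OuterXml);              // print the encrypted document
        Decrypt(doc, rsa, "demoKey");
        Console.WriteLine(doc.OuterXml);              // print the document after decryption
    }
}
```

The EncryptedData element produced this way gives confidentiality only: the AES-CBC ciphertext carries no integrity protection. A receiver that needs tamper detection should also verify an XML Signature over the document.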


TYPES OF XML ENCRYPTION

Consider the following example:

<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>4019 2445 0277 5567</Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
  </CreditCard>
</PaymentInfo>


ENCRYPTING AN XML ELEMENT

<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <EncryptedData Type='http://www.w3.org/2001/04/xmlenc#Element' xmlns='http://www.w3.org/2001/04/xmlenc#'>
    <CipherData>
      <CipherValue>A23B45C56</CipherValue>
    </CipherData>
  </EncryptedData>
</PaymentInfo>


ENCRYPTING XML ELEMENT CONTENT

<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Content'>
      <CipherData>
        <CipherValue>A23B45C56</CipherValue>
      </CipherData>
    </EncryptedData>
  </CreditCard>
</PaymentInfo>


ENCRYPTING XML ELEMENT CONTENT (CHARACTER DATA)

<?xml version='1.0'?>
<PaymentInfo xmlns='http://example.org/paymentv2'>
  <Name>John Smith</Name>
  <CreditCard Limit='5,000' Currency='USD'>
    <Number>
      <EncryptedData xmlns='http://www.w3.org/2001/04/xmlenc#' Type='http://www.w3.org/2001/04/xmlenc#Content'>
        <CipherData>
          <CipherValue>A23B45C56</CipherValue>
        </CipherData>
      </EncryptedData>
    </Number>
    <Issuer>Example Bank</Issuer>
    <Expiration>04/02</Expiration>
  </CreditCard>
</PaymentInfo>


BENEFITS OF XML CRYPTOGRAPHY

Encrypted data is maintained.

Session can be secured on the document level and shared between multiple parties.

Sensitive data is easily interchanged between applications.


Thank You!!!