W3C home > Mailing lists > Public > public-xmlsec@w3.org > May 2009

ACTION-290: Key encapsulation in XML encryption

From: Magnus Nyström <magnus@rsa.com>
Date: Mon, 18 May 2009 23:58:30 +0200 (W. Europe Daylight Time)
To: public-xmlsec@w3.org
Message-ID: <Pine.WNT.4.64.0905182259140.5096@W-JNISBETTEST-1.tablus.com>

This is in response to ACTION-290 that I took during the f2f last week.

When looking at this, the basic requirement would seem to be allowing use 
of key encapsulation when transporting encryption keys. A design goal 
should probably also be to allow re-use of the existing EncryptedKeyType.

One possibility is to define a new URI "KEM-KTS" (Key Encapsulation Method 
- Key Transport Scheme) for use as the "Algorithm" value in 
xenc:EncryptionMethod. Then, using the extensibility of the 
EncryptionMethodType, one could define a KeyEncapsulationMethodType that 
would define the necessary parameters:

- KeyDerivationMethod (re-using what is defined in Derived Key)
- KeyLength (possibly the "KeySize" element of EncryptionMethodType may be
- KeyWrapMethod (the algorithm used to wrap the actual content-encryption
   key using the derived key)
- Other (extensibility point)

KeyInfo would in the case of RSA contain the recipient's public key 
and in the case of ECC, it would contain a value of type AgreementMethod 
that in turn would contain the two ECDH params.

Here's a possible schema:

<element name="KeyEncapsulationMethod" type="kem:KeyEncapsulationMethodType"/>
<complexType name="KeyEncapsulationMethodType">
     <element ref="dkey:KeyDerivationMethod"/>
     <element ref="kem:KeyWrapMethod"/>
     <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
   <attribute name="Algorithm" type="anyURI" use="required"/>

<element name="KeyWrapMethod" type="kem:KeyWrapMethodType"/>
<complexType name="KeyWrapMethodType">
     <any namespace="##other" minOccurs="0" maxOccurs="unbounded"/>
   <attribute name="Algorithm" type="anyURI" use="required"/>


-- Magnus
Received on Monday, 18 May 2009 21:58:55 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:11 UTC