W3C home > Mailing lists > Public > public-xmlsec@w3.org > February 2010

ACTION 515: Propose schema addition for ISSUE-186

From: <aldrin.dsouza@rsa.com>
Date: Thu, 25 Feb 2010 01:31:04 -0500
Message-ID: <901E1BC8E8EF9345BB8FB1EE99D0F31605D58F1A@CORPUSMX70B.corp.emc.com>
To: <public-xmlsec@w3.org>
Here's the proposed text for section 5.4.2 of XML Encryption 1.1. As 
discussed, I've removed the reference to the PKCS#5 schema amendment document 
and copied the schema definitions (as defined there) inline. Please review.

--------------------------------------------------------------------------------
5.4.2 PBKDF2

  Identifier:
	http://www.w3.org/2010/xmlenc11#pbkdf2 (OPTIONAL)

  The PBKDF2 key derivation algorithm and the ASN.1 type definitions for
  its parameters are defined in PKCS #5v2.0 [PKCS5]. The algorithm parameters
  can be specified by enclosing them within an xmlenc11:PBKDF2-params child
  element of the xmlenc11:KeyDerivationMethod element.

Schema Definition:

  <element name="PBKDF2-params" type="xmlenc11:PBKDF2ParameterType"/>

  <complexType name="AlgorithmIdentifierType">
    <sequence>
      <element name="Parameters" minOccurs="0"/>
    </sequence>
    <attribute name="Algorithm"/>
  </complexType>

  <complexType name="PRFAlgorithmIdentifierType">
    <complexContent>
      <restriction base="AlgorithmIdentifierType">
        <attribute name="Algorithm" type="anyURI" 
default="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
      </restriction>
    </complexContent>
  </complexType>

  <complexType name="PBKDF2ParameterType">
    <sequence>
      <element name="Salt">
        <complexType>
          <choice>
            <element name="Specified" type="base64Binary"/>
            <element name="OtherSource" 
type="xmlenc11:AlgorithmIdentifierType"/>
          </choice>
        </complexType>
      </element>
      <element name="IterationCount" type="positiveInteger"/>
      <element name="KeyLength" type="positiveInteger"/>
      <element name="PRF" type="xmlenc11:PRFAlgorithmIdentifierType"/>
    </sequence>
  </complexType>

  The PBKDF2-params element and its child elements have the same names and
  meaning as the corresponding components of the PBKDF2-params ASN.1 type
  in [PKCS5].

  The AlgorithmIdentifierType corresponds to the AlgorithmIdentifier type
  of [PKCS5] and carries the algorithm identifier in the Algorithm
  attribute. Algorithm specific parameters, where applicable, can be
  specified using the Parameters element.

  The PRFAlgorithmIdentifierType is derived from the
  AlgorithmIdentifierType and constrains the choice of algorithms to those
  contained in the PBKDF2-PRFs set defined in [PKCS5]. This type is used to
  specify a pseudorandom function for PBKDF2 and the default PRF algorithm
  (HMAC-SHA1) is the same as in [PKCS5]. It is RECOMMENDED to use
  HMAC-SHA256 as the PRF algorithm (see [XML-DSIG], [HMAC]).

  An example of an xmlenc11:DerivedKey element with this key derivation
  algorithm is:

  <xenc11:DerivedKey
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:xenc11="http://www.w3.org/2009/xmlenc11#">
    <xenc11:KeyDerivationMethod 
Algorithm="http://www.w3.org/2010/xmlenc11#pbkdf2">
      <xenc11:PBKDF2-params>
        <xenc11:Salt>
          <xenc11:Specified>Df3dRAhjGh8=</xenc11:Specified>
        </xenc11:Salt>
        <xenc11:IterationCount>2000</xenc11:IterationCount>
        <xenc11:KeyLength>16</xenc11:KeyLength>
        <xenc11:PRF 
Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
      </xenc11:PBKDF2-params>
    </xenc11:KeyDerivationMethod>
    <xenc:ReferenceList>
      <xenc:DataReference URI="#ED"/>
    </xenc:ReferenceList>
    <xenc11:MasterKeyName>Our shared secret</xenc11:MasterKeyName>
  </xenc11:DerivedKey>

References:

  [PKCS5]: http://www.w3.org/TR/xmlenc-core1/#ref-PKCS5
  [XML-DSIG]: http://www.w3.org/TR/xmlenc-core1/#ref-XML-DSIG
  [HMAC]: http://www.w3.org/TR/xmlenc-core1/#ref-HMAC
--------------------------------------------------------------------------------

thanks,
--
ajd.



Received on Thursday, 25 February 2010 06:31:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 25 February 2010 06:31:56 GMT