W3C home > Mailing lists > Public > public-xmlsec@w3.org > February 2010

RE: ACTION 515: Propose schema addition for ISSUE-186

From: Magnus Nystrom <mnystrom@microsoft.com>
Date: Thu, 25 Feb 2010 16:35:01 +0000
To: "aldrin.dsouza@rsa.com" <aldrin.dsouza@rsa.com>, "public-xmlsec@w3.org" <public-xmlsec@w3.org>
Message-ID: <D744D68428430B4F9C81DE8A4D595068070B50EE@TK5EX14MBXW602.wingroup.windeploy.ntdev.microsoft.com>
I think there should at least be an informal reference to the PKCS #5 v2.0 Amd.1 document since it does give the reader more background on the constructs and is the source of the XML schema herein.

-- Magnus


> -----Original Message-----
> From: public-xmlsec-request@w3.org [mailto:public-xmlsec-request@w3.org]
> On Behalf Of aldrin.dsouza@rsa.com
> Sent: Wednesday, February 24, 2010 10:31 PM
> To: public-xmlsec@w3.org
> Subject: ACTION 515: Propose schema addition for ISSUE-186
> 
> Here's the proposed text for section 5.4.2 of XML Encryption 1.1. As
> discussed, I've removed the reference to the PKCS#5 schema amendment
> document
> and copied the schema definitions (as defined there) inline. Please review.
> 
> --------------------------------------------------------------------------------
> 5.4.2 PBKDF2
> 
>   Identifier:
> 	http://www.w3.org/2010/xmlenc11#pbkdf2 (OPTIONAL)
> 
>   The PBKDF2 key derivation algorithm and the ASN.1 type definitions for
>   its parameters are defined in PKCS #5v2.0 [PKCS5]. The algorithm parameters
>   can be specified by enclosing them within an xmlenc11:PBKDF2-params child
>   element of the xmlenc11:KeyDerivationMethod element.
> 
> Schema Definition:
> 
>   <element name="PBKDF2-params" type="xmlenc11:PBKDF2ParameterType"/>
> 
>   <complexType name="AlgorithmIdentifierType">
>     <sequence>
>       <element name="Parameters" minOccurs="0"/>
>     </sequence>
>     <attribute name="Algorithm"/>
>   </complexType>
> 
>   <complexType name="PRFAlgorithmIdentifierType">
>     <complexContent>
>       <restriction base="AlgorithmIdentifierType">
>         <attribute name="Algorithm" type="anyURI"
> default="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>       </restriction>
>     </complexContent>
>   </complexType>
> 
>   <complexType name="PBKDF2ParameterType">
>     <sequence>
>       <element name="Salt">
>         <complexType>
>           <choice>
>             <element name="Specified" type="base64Binary"/>
>             <element name="OtherSource"
> type="xmlenc11:AlgorithmIdentifierType"/>
>           </choice>
>         </complexType>
>       </element>
>       <element name="IterationCount" type="positiveInteger"/>
>       <element name="KeyLength" type="positiveInteger"/>
>       <element name="PRF" type="xmlenc11:PRFAlgorithmIdentifierType"/>
>     </sequence>
>   </complexType>
> 
>   The PBKDF2-params element and its child elements have the same names and
>   meaning as the corresponding components of the PBKDF2-params ASN.1 type
>   in [PKCS5].
> 
>   The AlgorithmIdentifierType corresponds to the AlgorithmIdentifier type
>   of [PKCS5] and carries the algorithm identifier in the Algorithm
>   attribute. Algorithm specific parameters, where applicable, can be
>   specified using the Parameters element.
> 
>   The PRFAlgorithmIdentifierType is derived from the
>   AlgorithmIdentifierType and constrains the choice of algorithms to those
>   contained in the PBKDF2-PRFs set defined in [PKCS5]. This type is used to
>   specify a pseudorandom function for PBKDF2 and the default PRF algorithm
>   (HMAC-SHA1) is the same as in [PKCS5]. It is RECOMMENDED to use
>   HMAC-SHA256 as the PRF algorithm (see [XML-DSIG], [HMAC]).
> 
>   An example of an xmlenc11:DerivedKey element with this key derivation
>   algorithm is:
> 
>   <xenc11:DerivedKey
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>     xmlns:xenc11="http://www.w3.org/2009/xmlenc11#">
>     <xenc11:KeyDerivationMethod
> Algorithm="http://www.w3.org/2010/xmlenc11#pbkdf2">
>       <xenc11:PBKDF2-params>
>         <xenc11:Salt>
>           <xenc11:Specified>Df3dRAhjGh8=</xenc11:Specified>
>         </xenc11:Salt>
>         <xenc11:IterationCount>2000</xenc11:IterationCount>
>         <xenc11:KeyLength>16</xenc11:KeyLength>
>         <xenc11:PRF
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"/>
>       </xenc11:PBKDF2-params>
>     </xenc11:KeyDerivationMethod>
>     <xenc:ReferenceList>
>       <xenc:DataReference URI="#ED"/>
>     </xenc:ReferenceList>
>     <xenc11:MasterKeyName>Our shared secret</xenc11:MasterKeyName>
>   </xenc11:DerivedKey>
> 
> References:
> 
>   [PKCS5]: http://www.w3.org/TR/xmlenc-core1/#ref-PKCS5
>   [XML-DSIG]: http://www.w3.org/TR/xmlenc-core1/#ref-XML-DSIG
>   [HMAC]: http://www.w3.org/TR/xmlenc-core1/#ref-HMAC
> --------------------------------------------------------------------------------
> 
> thanks,
> --
> ajd.
> 
Received on Thursday, 25 February 2010 16:35:50 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 25 February 2010 16:35:51 GMT