
Re: Draft registration for application/xenc+xml

From: Joseph Reagle <reagle@w3.org>
Date: Fri, 24 May 2002 14:57:35 -0400
To: Aaron Swartz <me@aaronsw.com>
Cc: Mark Baker <distobj@acm.org>, xml-encryption@w3.org
Message-Id: <20020524185736.55C00859F4@aeon.w3.org>
On Friday 24 May 2002 14:36, Aaron Swartz wrote:
> Doesn't this leak the fact that a PNG is encrypted? Is there any way to
> include this metadata inside the encrypted data?

It does. One could go down the alternative path of the EncryptedData being 
rather opaque:
1. The ciphertext when decrypted yields some sort of structure like:
<cleartext xmlns="http://example.org/020524">
  <MimeType>image/png</MimeType>
  <base64enc-Object>cafebabe...</base64enc-Object>
</cleartext>
2. and the application can then base64 decode to get the literal object 
that was encrypted.

However, this complicates the processing a bit, and we've already had to 
confront the issue of an adversary having a sense of the data type and 
structure (particularly when you encrypted an element within an XML 
document, no avoiding it there!) with the realization that you have to 
choose good algorithms and cannot rely on this obscurity for security. 
(However, it's not all that much more complex, and if someone really wanted 
to do something like this, they could support such an extension within the 
current framework using the Type attribute [2]).

[2] http://lists.w3.org/Archives/Public/xml-encryption/2002Feb/0017.html

-- 

Joseph Reagle Jr.                 http://www.w3.org/People/Reagle/
W3C Policy Analyst                mailto:reagle@w3.org
IETF/W3C XML-Signature Co-Chair   http://www.w3.org/Signature/
W3C XML Encryption Chair          http://www.w3.org/Encryption/2001/
Received on Friday, 24 May 2002 14:58:06 GMT
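
The wrapper approach sketched in the message above, as an added example that is not part of the original post or of the XML Encryption specification: the MIME type travels inside the ciphertext and the outer EncryptedData carries only a Type value. The function names, the Type URI and the SHA-256 keystream (a stand-in cipher with no integrity protection, used so the code runs with the standard library alone) are assumptions.

```python
import base64
import hashlib
import os
import xml.etree.ElementTree as ET

NS = "http://example.org/020524"            # wrapper namespace from the message
XENC = "http://www.w3.org/2001/04/xmlenc#"  # XML Encryption namespace
WRAPPED_TYPE = NS + "#cleartext"            # hypothetical Type value (assumption)

def _xor_stream(key, nonce, data):
    # Stand-in cipher (SHA-256 keystream, no integrity) so this runs with the
    # standard library alone; use an authenticated cipher in real code.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(mime_type, obj):  # step 1: type and object go into one structure
    root = ET.Element(f"{{{NS}}}cleartext")
    ET.SubElement(root, f"{{{NS}}}MimeType").text = mime_type
    ET.SubElement(root, f"{{{NS}}}base64enc-Object").text = base64.b64encode(obj).decode()
    return ET.tostring(root)

def unwrap(cleartext):  # step 2: recover the type and the literal object
    root = ET.fromstring(cleartext)
    mime = root.findtext(f"{{{NS}}}MimeType")
    b64 = root.findtext(f"{{{NS}}}base64enc-Object")
    if root.tag != f"{{{NS}}}cleartext" or mime is None or b64 is None:
        raise ValueError("decrypted data is not a cleartext wrapper")
    return mime, base64.b64decode(b64, validate=True)

def encrypt_opaque(key, mime_type, obj):
    nonce = os.urandom(16)
    ct = nonce + _xor_stream(key, nonce, wrap(mime_type, obj))
    # Only Type is exposed; no MimeType attribute appears on EncryptedData.
    ed = ET.Element(f"{{{XENC}}}EncryptedData", {"Type": WRAPPED_TYPE})
    cd = ET.SubElement(ed, f"{{{XENC}}}CipherData")
    ET.SubElement(cd, f"{{{XENC}}}CipherValue").text = base64.b64encode(ct).decode()
    return ET.tostring(ed)

def decrypt_opaque(key, encrypted_data):
    ed = ET.fromstring(encrypted_data)
    ct = base64.b64decode(ed.findtext(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue"))
    return unwrap(_xor_stream(key, ct[:16], ct[16:]))

if __name__ == "__main__":
    doc = encrypt_opaque(b"k" * 32, "image/png", b"\x89PNG\r\n\x1a\nconstructed")  # constructed input
    print(doc.decode(), decrypt_opaque(b"k" * 32, doc), sep="\n")
```

Hiding the type this way does not hide the ciphertext length, which still tracks the size of the encrypted object.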
