W3C

XML Encryption Syntax and Processing

X.X The XMLNonce PI

Under some circumstances it is desirable to add entropy to plain text. For example, suppose a message digest of that plain text is exposed through a DigestMethod and DigestValue in a CipherData or ds:Reference element and only a "small" number of different plain texts are possible. This opens the possibility of discovery of that plain text via a "dictionary attack", i.e., the trying of every possible plain text value to determine which have the exposed message digest.

Where possible, the application should be so designed that the plain text includes sufficient entropy through identifying strings, serial numbers, date and time values, a nonce, etc. (A nonce is a quantity used only once.) Where this has not been done but the application will tolerate the insertion of a processing instruction (PI) in the encrypted or signed XML, the XMLNonce PI can be used to render dictionary attacks impractical. This PI is defined to have no effect and its instruction (the characters after whitespace after the XMLNonce target) should be a sufficiently large random nonce so as to provide the needed entropy.

An example of an XMLNonce PI is as follows:

  <?XMLNonce av98jofpOS=;q@aOMo-p8hef?>

Note: Other possible syntaxes were considered. The problem with an xenc:Nonce attribute is that foreign namespace attributes are forbidden by default in Schema. Use of a new element would be even more problematic. And the problem with recommending use of an XML comment is that many security applications will, for good reason, use canonicalizations that remove comments.
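
The exposure described above, and the effect of the PI on it, can be checked with a short script. This is an added example, not part of the specification text; it assumes SHA-256 as the digest, a constructed two-value <Vote> plain text, a 16-byte nonce, and it hashes the serialized string rather than a canonicalized octet stream.

```python
import base64
import hashlib
import secrets
import xml.etree.ElementTree as ET

# Constructed sample: only two plain texts are possible.
CANDIDATES = ["<Vote>yes</Vote>", "<Vote>no</Vote>"]


def digest(plain_text: str) -> str:
    """Base64 SHA-256 of the plain text, as a DigestValue would expose it."""
    raw = hashlib.sha256(plain_text.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def add_nonce(plain_text: str, nbytes: int = 16) -> str:
    """Insert an XMLNonce PI as the first child of the root element.

    The nonce comes from the OS CSPRNG. URL-safe base64 uses only
    A-Z a-z 0-9 - _ so the PI data can never contain the "?>" terminator.
    nbytes=16 (128 bits) is an assumption, not a value from the text.
    """
    root = ET.fromstring(plain_text)
    pi = ET.ProcessingInstruction("XMLNonce", secrets.token_urlsafe(nbytes))
    root.insert(0, pi)
    return ET.tostring(root, encoding="unicode")


def guess_plain_text(exposed_digest: str, candidates: list) -> "str | None":
    """Return the candidate whose digest equals the exposed one, else None."""
    for candidate in candidates:
        if digest(candidate) == exposed_digest:
            return candidate
    return None


if __name__ == "__main__":
    secret = CANDIDATES[0]

    # Without a nonce the exposed digest identifies the plain text.
    print("no nonce  :", guess_plain_text(digest(secret), CANDIDATES))

    # With the PI, enumerating the two plain texts no longer matches;
    # a guesser would also have to enumerate the 128-bit nonce.
    protected = add_nonce(secret)
    print("protected :", protected)
    print("with nonce:", guess_plain_text(digest(protected), CANDIDATES))
```

A fresh nonce must be generated for every plain text; reusing one nonce across messages lets equal plain texts produce equal digests again.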