W3C

XML Encryption Syntax and Processing

W3C Working Draft xx Foo 2001

This version:
http://www.w3.org/Encryption/2001/Drafts/xmlenc-core/
$Revision: 1.90 $ on $Date: 2001/12/13 21:50:15 $ GMT by $Author: reagle $
Latest version:
http://www.w3.org/TR/xmlenc-core/
Previous version:
http://www.w3.org/TR/2001/WD-xmlenc-core-20011018/
Editors
Donald Eastlake <dee3@torque.pothole.com>
Joseph Reagle <reagle@w3.org>
Authors
Takeshi Imamura <IMAMU@jp.ibm.com>
Blair Dillaway <blaird@microsoft.com>
Jim Schaad <jimsch5@home.com>
Ed Simon <edsimon@xmlsec.com>
Contributors
See participants.

Copyright ©2001 W3C® (MIT, INRIA, Keio), All Rights Reserved. W3C liability, trademark, document use and software licensing rules apply.

Abstract

This document specifies a process for encrypting data and representing the result in XML. The data may be arbitrary data (including an XML document), an XML element, or XML element content. The result of encrypting data is an XML Encryption element which contains or references the cipher data.

Status of this document

This is an Editors' draft with no official standing.

This is Last Call for the "XML Encryption Syntax and Processing" specification from the XML Encryption Working Group (Activity). This version specifies the Working Group's approach to satisfying the requirements stemming from the March 2001 face-to-face meeting and subsequent discussion on the xml-encryption@w3.org mailing list. The Last Call period is 3 weeks, ending on 9 November 2001.

The Working Group will try to use a new namespace when changes in its syntax or processing are substantive. However, this namespace might be reused (prior to reaching Candidate Recommendation) by subsequent drafts in such a way as to cause instances using the namespace to become invalid or to change in meaning or affect the operation of existing software. Requests for a more stringent level of namespace stability should be made to the Working Group.

Publication of this document does not imply endorsement by the W3C membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite a W3C Working Draft as anything other than a "work in progress." A list of current W3C working drafts can be found at http://www.w3.org/TR/.

Please send comments to the editors (<reagle@w3.org>, <dee3@torque.pothole.com>) and cc: the list xml-encryption@w3.org (archives)

Patent disclosures relevant to this specification may be found on the Working Group's patent disclosure page in conformance with W3C policy.

Table of Contents

  1. Introduction
    1. Editorial and Conformance Conventions
    2. Design Philosophy
    3. Versions, Namespaces and Identifiers
    4. Acknowledgements
  2. Encryption Overview and Examples
    1. Encryption Granularity
      1. Encrypting an XML Element
      2. Encrypting XML Element Content (Elements)
      3. Encrypting XML Element Content (Character Data)
      4. Encrypting Arbitrary Data and XML Documents
      5. Super-Encryption: Encrypting EncryptedData
    2. EncryptedData and EncryptedKey Usage
      1. EncryptedData with Symmetric Key  (KeyName)
      2. EncryptedKey (ReferenceList, ds:RetrievalMethod,CarriedKeyName)
  3. Encryption Syntax
    1. The EncryptedType
    2. The CipherData Element
      1. The CipherReference Element
    3. The EncryptedData Element
    4. Extensions to ds:KeyInfo Element
      1. The EncryptedKey Element
      2. The ds:RetrievalMethod Element
    5. The ReferenceList Element
    6. The EncryptionProperties Element
  4. Processing Rules
    1. Encryption
    2. Decryption
    3. Encrypting XML
  5. Algorithms
    1. Algorithm Identifiers and Implementation Requirements
    2. Block Encryption Algorithms
    3. Stream Encryption Algorithms
    4. Key Transport
    5. Key Agreement
    6. Symmetric Key Wrap
    7. Message Digest
    8. Message Authentication
    9. Canonicalization
  6. Security Considerations
  7. Schema and Valid Examples
  8. References

5.6.3 AES KeyWrap

Identifiers and Requirements:
http://www.w3.org/2001/04/xmlenc#kw-aes128 (REQUIRED)
http://www.w3.org/2001/04/xmlenc#kw-aes192 (OPTIONAL)
http://www.w3.org/2001/04/xmlenc#kw-aes256 (REQUIRED)

Implementation of AES key wrap is described below, as suggested by NIST. It provides for confidentiality and integrity. This algorithm is defined only for inputs which are a multiple of 64 bits. The information wrapped need not actually be a key. The algorithm is the same whatever the size of the AES key used in wrapping, called the key encrypting key or KEK. The implementation requirements are indicated below.

KEK sizeWrapped key sizeRequirement
128128REQUIRED
128OtherOPTIONAL
192AnyOPTIONAL
256128RECOMENDED
256256REQUIRED
256OtherOptional

Assume tha the data to be wrapped consists of N 64-bit data blocks denoted P(1), P(2), P(3) ... P(N). The result of wrapping will be N+1 64-bit blocks denoted C(0), C(1), C(2), ... C(N). They key encrypting key is represented by K. Assume integers i, j, and t and intermediate 64-bit register A, 128-bit register B, and array of 64-bit quantities R(1) through R(N). "|" represents concatentation so x|y, where x and y and 64-bit quantities, is the 128-bit quantity with x in the most significant bits and y in the least significant bits. AES(K)enc(x) is the operation of AES encrypting the 128-bit quantity x under the key K. AES(K)dec(x) is the corresponding decryption opteration. XOR(x,y) is the bitwise exclusive or of x and y. MSB(x) and LSB(y) are the most significant 64 bits and least significant 64 bits of x and y respectively.

If N is 1, a single AES operation is performed for wrap or unwrap. If N>1, then 6*N AES operations are performed for warp or unwrap.

The key wrap algorithm is as follows:

  1. If N is 1: If N>1, perform the following steps:
  2. Initialize variables:
  3. Calculate intermediate values:
  4. Output the results:

The key unwrap algorithm is as follows:

  1. If N is 1: If N>1, perform the following steps:
  2. Initialize the variables:
  3. Calculate intermediate values:
  4. Output the results:

For example, wrapping the data 0x00112233445566778899AABBCCDDEEFF with the KEK 0x000102030405060708090A0B0C0D0E0F produces the ciphertext of 0x1FA68B0A8112B447, 0xAEF34BD8FB5A7B82, 0x9D3E862371D2CFE5.