5. Algorithms

This section discusses algorithms used with the XML encryption specification. Entries contain the identifier to be used as the value of the Algorithm attribute of the EncryptionMethod element or other elements representing the role of the algorithm, a reference to the formal specification, and definitions, where applicable, for the representation of keys and the results of cryptographic operations.

5.1 Algorithm Identifiers and Implementation Requirements

All algorithms listed below have implicit parameters depending on their role. For example, the data to be encrypted or decrypted, keying material, and direction of operation (encrypting or decrypting) for encryption algorithms. Any explicit additional parameters to an algorithm appear as content elements within the role element. Such parameter elements have a descriptive element name, which is frequently algorithm specific, and MUST be in the same namespace as the role element or in an algorithm specific namespace. An example of such an explicit parameter could be an encryption initialization vector (IV) although for all encryption algorithms specified herein, the IV appears as part of the "cipher text" block.

This specification defines a set of algorithms, their URIs, and requirements for implementation. Requirements are specified over implementation, not over requirements for encryption use. Furthermore, the mechanism is extensible, alternative algorithms may be used by signature applications.

No stream encryption algorithms are sepcified.

5.2 Block Encryption Algorithms With & Without Integrity

Block encryption algorithms take, as implicit arguments, the data to encrypted or decrypted the keying material and their direction of operation. Any initialization vector required is included in the cipher text. They are designed for encrypting and decrypting data. Their identifiers appear as the value of the Algorithm attributes of EncryptionMethod elements that are children of EncryptedData.

Optionally, a message digest of the IV and plain text can be included at the end of and as part of the cipher text on encryption and checked on decryption as indicated by a different algorithm idenitifer. Such an integrity check may not be needed if integrity is assured by a digital signature.

5.2.1 Triple DES

Identifiers:

http://www.w3.org/2001/04/xmlenc#3des
http://www.w3.org/2001/04/xmlenc#3des-sha1

Without Integrity:
The triple DES algorithm is described in ANSI X9.52 [3DES]. It is composed of three sequential DES [DES] operations. The XML Encryption 3DES encryption consists of a DES encrypt, a DES decrypt, and a DES encrypt used in the Cipher Block Chaining (CBC) mode with 168 bits of key and a 64 bit Initialization Vector (IV). Of the key bits, the first 56 are used in the first DES operation, the second 56 bits in the middle DES operation, and the third 56 bits in the last DES operation. The resulting cipher text is prefixed by the IV before being encoded in base64 for inclusion in XML output. Implementation of 3DES without integrity for data encryption is mandatory. An example 3DES EncryptionMethod is as follows:

   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#3des"/>

With Integrity:
Triple DES with integrity is as above except that a SHA1 message digest is appended to the end of and encoded with the cipher text. This message digest is over the plain text prefixed by the IV. This message digest MUST be verfied on decryption and a failure reported if the verification fails. Implementation of 3DES with SHA1 is optional.

5.2.2 AES

Identifiers:

http://www.w3.org/2001/04/xmlenc#aes
http://www.w3.org/2001/04/xmlenc#aes-sha256

Without Integrity:
The AES algorithm is described in [AES]. XML Encryption implementations MUST support AES with 128 bit keys. (and may optionally support 196 and 256 bit keys?). AES is used in the Cipher Block Chaining (CBC) mode with a 128 bit Initialization Vector (IV). The resulting cipher text is prefixed by the IV before being encoded in base64 for inclusion in XML output. Implementation of AES without integrity for data encryption is mandatory. An example AES EncryptionMethod is as follows:

   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes"/>

With Integrity:
AES with integrity is as above except that a SHA256 message digest is appended to the end of and encoded with the cipher text as specified above. This message digest is over the plain text prefixed by the IV. This message digest MUST be verfied on decryption and a failure reported if the verification fails. Implementation of AES with SHA256 is optional.

5.3 Key Transport

Key Transport algorithms are public key encryption algorithms especially specified for encrypting and decrypting keys. Their identifiers appear as Algorithm attributes to EncryptionMethod elements that are children of EncryptedKey.

5.3.1 RSA Version 1.5 with Triple DES

Identifier:

http://www.w3.org/2001/04/xmlenc#rsa-1_5-3des

This is the RSAES-PKCS1-v1_5 algorithm described in RFC 2437 [PKCS1]. The RSA algorithm takes no explicit parameters. An example of an RSA Version 1.5 with Triple DES EncryptionMethod element is:

   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5-3des"/>

   CRYPT ( PAD ( KEY ))

   02 | PS* | 00 | key

   <CipherData> IWijxQjUrcXBYoCei4QxjWo9Kg8D3p9tlWoT4
   t0/gyTE96639In0FZFY2/rvP+/bMJ01EArmKZsR5VW3rwoPxw=
</CipherData>

5.3.2 RSA-OAEP with AES

Identifier:

http://www.w3.org/2001/04/xmlenc#rsa-oaep-aes

This is the RSAES-OAEP-ENCRYPT algorithm described in RFC 2437 [PKCS1]. The RSA algorithm takes no explicit parameters. An example of an RSA SignatureMethod element is:

   <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-aes"/>

5.4 Key Agreement

5.4.1 Diffie-Hellman

Identifiers:

http://www.w3.org/2001/04/xmlenc#dh

(To Be Described)

Diffie-Hellman key agreement is optional to implement.

5.5 Symmetric Key Wrap

Symmetric Key Wrap algorithms are secret key encryption algorithms especially specified for encrypting and decrypting keys. Their identifiers appear as Algorithm attributes to EncryptionMethod elements that are children of EncryptedKey.

5.5.1 CMS Key Checksum

Some specific key wrap algorithms given below make use of the Key Checksum defined in CMS [RFC 2630bis]. This is used to provide an integrity check value for the key being wrapped. The algorithm is

1. Compute the 20 octet SHA-1 hash on the key being wrapped.
2. Use the first 8 octets of this hash as the checksum value.

5.5.2 CMS Triple DES Key Wrap

Identifiers:

http://www.w3.org/2001/04/xmlenc#kw-3des

The following algorithm wraps (encryptes) a 3DES key (the wrapped key, WK) under a 3DES key-encryption-key (KEK). The sequence of steps is as follows:

1. Represent the 168 bits of the key being wrapped as 24 octets (192 bits) by inserting an odd parity bit as the bottom bit of each octet.
2. Compute the key checksum defined in 5.5.1 above, call this CKS.
3. Let WKCKS = WK || CKS where || is concatenation.
4. Generate 8 random octets and call this IV.
5. Encrypt WKCKS in CBC mode using KEK as the key and IV as the initialization vector. Call the results TEMP1.
6. Left TEMP2 = IV || TEMP1.
7. Reverse the order of the octets in TEMP2 and call the result TEMP3.
8. Encrypt TEMP3 in CBC mode using the KEK and an initialization vector of 0x4adda22c79e82105. The resulting ciphertext is the desired result. It is 40 octets long.

The following algorithm unwraps (decyrptes) a 3DEC key... (to be completed)

5.5.3 CMS RC2 Key Wrap

Identifiers:

http://www.w3.org/2001/04/xmlenc#kw-rc2

(To be completed.)

5.5.4 AES KeyWrap

Identifiers:

http://www.w3.org/2001/04/xmlenc#kw-aes

5.6 Message Authentication

5.7 Canonicalization

If XML is to be encrypted and later decrypted into a different environment and it is desired to preserve such aspects of its original environment as namespace prefix bindings, the value of attributes in the "xml" namespace, etc., then it is RECOMMENDED that the Canonical XML version of the XML be what is encrypted.