5. Algorithms

This section discusses algorithms used with the XML Encryption specification. Entries contain the identifier to be used as the value of the Algorithm attribute of the EncryptionMethod element or other element representing the role of the algorithm, a reference to the formal specification, definitions for the representation of keys and the results of cryptographic operations where applicable, and general applicability comments.

5.1 Algorithm Identifiers and Implementation Requirements

All algorithms listed below have implicit parameters depending on their role. For example, encryption algorithms implicitly take the data to be encrypted or decrypted, keying material, and direction of operation (encrypting or decrypting). Any explicit additional parameters to an algorithm appear as content elements within the element. Such parameter child elements have descriptive element names, which are frequently algorithm specific, and SHOULD be in the same namespace as this XML Encryption specification, the XML Signature specification, or in an algorithm specific namespace. An example of such an explicit parameter could be a nonce (unique quantity) provided to a key agreement algorithm.

This specification defines a set of algorithms, their URIs, and requirements for implementation. Levels of requirement specified, such as "REQUIRED" or "OPTIONAL", refer to implementation, not use. Furthermore, the mechanism is extensible, and alternative algorithms may be used.

Table of Algorithms

The table below lists the categories of algorithms. Within each category, a brief name, the level of implementation requirement, and an identifying URI are given for each algorithm.

Block Encryption
  1. REQUIRED TRIPLEDES
    http://www.w3.org/2001/04/xmlenc#tripledes-cbc
  2. REQUIRED AES-128
    http://www.w3.org/2001/04/xmlenc#aes128-cbc
  3. REQUIRED AES-256
    http://www.w3.org/2001/04/xmlenc#aes256-cbc
  4. OPTIONAL AES-192
    http://www.w3.org/2001/04/xmlenc#aes192-cbc
Stream Encryption
  1. none
    Syntax and recommendations are given below to support user specified algorithms.
Key Transport
  1. REQUIRED RSA-v1.5
    http://www.w3.org/2001/04/xmlenc#rsa-1_5
  2. REQUIRED RSA-OAEP
    http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1sha1p
Key Agreement
  1. OPTIONAL Diffie-Hellman
    http://www.w3.org/2001/04/xmlenc#dh
Symmetric Key Wrap
  1. REQUIRED TRIPLEDES KeyWrap
    http://www.w3.org/2001/04/xmlenc#kw-tripledes
  2. REQUIRED AES-128 KeyWrap
    http://www.w3.org/2001/04/xmlenc#kw-aes128
  3. REQUIRED AES-256 KeyWrap
    http://www.w3.org/2001/04/xmlenc#kw-aes256
  4. OPTIONAL AES-192 KeyWrap
    http://www.w3.org/2001/04/xmlenc#kw-aes192
Message Digest
  1. REQUIRED SHA1
    http://www.w3.org/2000/09/xmldsig#sha1
  2. RECOMMENDED SHA256
    http://www.w3.org/2001/04/xmlenc#sha256
  3. OPTIONAL SHA512
    http://www.w3.org/2001/04/xmlenc#sha512
  4. OPTIONAL RIPEMD-160
    http://www.w3.org/2001/04/xmlenc#ripemd160
Message Authentication
  1. RECOMMENDED XML Digital Signature
    http://www.w3.org/TR/2001/CR-xmldsig-core-20010419/
Canonicalization
  1. OPTIONAL Canonical XML (omits comments)
    http://www.w3.org/TR/2001/REC-xml-c14n-20010315
  2. OPTIONAL Canonical XML with Comments
    http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments
  3. OPTIONAL Exclusive XML Canonicalization (omits comments)
    http://www.w3.org/2001/10/xml-exc-c14n#
  4. OPTIONAL Exclusive XML Canonicalization with Comments
    http://www.w3.org/2001/10/xml-exc-c14n#WithComments
Encoding
  1. REQUIRED base64
    http://www.w3.org/2000/09/xmldsig#base64

5.4.2 RSA-OAEP

Identifier:
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1-sha1-p (REQUIRED)

The RSAES-OAEP-ENCRYPT algorithm, as specified in RFC 2437 [PKCS1], takes two optional parameters: a message digest function and an octet string OAEPparams. The message digest function is indicated by the Algorithm attribute of a child ds:DigestMethod element and is used in the EME-OAEP-ENCODE operation performed as part of RSAES-OAEP-ENCRYPT. If not provided, it defaults to SHA1. The octet string is the base64 decoding of the content of an optional OAEPparams child element and is used, along with SHA1, in the mask generation function performed as part of EME-OAEP-ENCODE. If no OAEPparams child is provided, a null string is used.

Schema Definition:

<element ref='ds:DigestMethod' minOccurs='0'/> 
<element name='OAEPparams' minOccurs='0'
         type='base64Binary'/>

An example of an RSA-OAEP element is:

  <EncryptionMethod
     Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1-sha1-p">
     <ds:DigestMethod
        Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
     <OAEPparams> 9lWu3Q== </OAEPparams>
  </EncryptionMethod>

The CipherValue for an RSA-OAEP encrypted key is the base64 [MIME] encoding of the octet string computed as per RFC 2437 [PKCS1, section 7.1.1: Encryption operation]. As described in the EME-OAEP-ENCODE function RFC 2437 [PKCS1, section 9.1.1.1], the value input to the key transport function is calculated using the message digest function and string specified in the DigestMethod and OAEPparams elements and using the mask generator function MGF1 (with SHA1) specified in RFC 2437. The desired output length for EME-OAEP-ENCODE is one byte shorter than the RSA modulus.

The transported key size is 192 bits for TRIPLEDES and 128, 192, or 256 bits for AES. Implementations MUST implement RSA-OAEP for the transport of 128 and 256 bit keys. They MAY implement RSA-OAEP for the transport of other keys.
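The parameter handling and encoding step described above can be traced in code. The following is an added example, not part of the specification: it reads DigestMethod and OAEPparams from an EncryptionMethod element with the stated defaults, then performs EME-OAEP-ENCODE as in RFC 2437 section 9.1.1.1 with MGF1 fixed to SHA1 and an output one byte shorter than the modulus. The function names, the constructed sample element and the fixed seed argument are assumptions for illustration; the RSA operation itself is omitted.

```python
import base64, hashlib, os
import xml.etree.ElementTree as ET

XENC, DS = "http://www.w3.org/2001/04/xmlenc#", "http://www.w3.org/2000/09/xmldsig#"
# Digest URIs as listed in the page's algorithm table.
DIGESTS = {DS + "sha1": hashlib.sha1, XENC + "sha256": hashlib.sha256,
           XENC + "sha512": hashlib.sha512}
# Constructed sample element (namespace declarations added so it parses stand-alone).
SAMPLE = f"""<EncryptionMethod xmlns="{XENC}" xmlns:ds="{DS}"
    Algorithm="{XENC}rsa-oaep-mgf1-sha1-p">
  <ds:DigestMethod Algorithm="{XENC}sha256"/>
  <OAEPparams> 9lWu3Q== </OAEPparams>
</EncryptionMethod>"""

def oaep_parameters(xml_text):
    """Return (hash constructor, OAEPparams octets), applying the defaults."""
    em = ET.fromstring(xml_text)
    dm, p = em.find(f"{{{DS}}}DigestMethod"), em.find(f"{{{XENC}}}OAEPparams")
    uri = DS + "sha1" if dm is None else dm.get("Algorithm")
    if uri not in DIGESTS:
        raise ValueError(f"unsupported DigestMethod: {uri}")  # fail closed
    params = b"" if p is None else base64.b64decode((p.text or "").strip(), validate=True)
    return DIGESTS[uri], params

def mgf1_sha1(seed, length):
    """MGF1 from RFC 2437, always instantiated with SHA1 for this identifier."""
    blocks = (hashlib.sha1(seed + i.to_bytes(4, "big")).digest() for i in range(-(-length // 20)))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def eme_oaep_encode(key, hash_fn, params, modulus_len, seed=None):
    h_len, em_len = hash_fn().digest_size, modulus_len - 1  # one byte shorter than modulus
    if len(key) > em_len - 2 * h_len - 1:
        raise ValueError("message too long")
    seed = seed or os.urandom(h_len)
    db = hash_fn(params).digest() + bytes(em_len - len(key) - 2 * h_len - 1) + b"\x01" + key
    masked_db = xor(db, mgf1_sha1(seed, em_len - h_len))
    return xor(seed, mgf1_sha1(masked_db, h_len)) + masked_db

def eme_oaep_decode(em, hash_fn, params):
    h_len = hash_fn().digest_size
    masked_seed, masked_db = em[:h_len], em[h_len:]
    seed = xor(masked_seed, mgf1_sha1(masked_db, h_len))
    db = xor(masked_db, mgf1_sha1(seed, len(masked_db)))
    rest = db[h_len:].lstrip(b"\x00")
    # One error for every failure: a decoder must not reveal which check failed.
    if db[:h_len] != hash_fn(params).digest() or rest[:1] != b"\x01":
        raise ValueError("decoding error")
    return rest[1:]
```

Because the digest length appears twice in the encoded block, the DigestMethod choice bounds the key that fits: with SHA512 and a 1024-bit modulus even an empty key is rejected as too long.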