Web Services Contraptions - Why XML Encryption is bad

Thursday, November 17, 2005

Now, here is an interesting talking point: XML Encryption (XMLEnc) is bad.

"Why?", you might ask. Well, in their lack of infinite wisdom, the XML encryption community left out a very important concept: Authenticated Encryption, i.e. combining signatures and encryption to produce ciphertext that maintains confidentiality and can be associated with a key (i.e. a subject/identity/principal/whatever). Section 6.1 in XMLEnc-Core reads:

"The application of both encryption and digital signatures over portions of an XML document can make subsequent decryption and signature verification difficult."

and

"[...] the interaction of encryption and signing is an application issue and out of scope of the specification."

So, essentially, AE is left as an exercise to the reader. This is not good, particular since AE is not too complex, and - in fact - quite well understood. See RFC 3961 (Kerberos) or "Authenticated Encryption ..." by M. Bellare et al.

Without AE, XML encryption is not complete and - for many real security applications - useless.

General | Security

Thursday, November 17, 2005 10:54:46 AM (Eastern Standard Time, UTC-05:00)

Comments [1] |

Thursday, November 17, 2005 4:43:26 PM (Eastern Standard Time, UTC-05:00)

CMS also (RFC3852) gets it right, so what's XMLenc's excuse?

Nico

Comments are closed.

Messages

Calendar

September 2008

Sun

Mon

Tue

Wed

Thu

Fri

Sat

Email Subscription

Blogroll

Constantin Gonzalez' Weblog

Adventures of an Eternal Optimist

Anyway

Conor's Web Log of Esoterica

del.icio.us/beuchelt

Don Box's Spoutlet

Enterprise Architecture: Thought Leadership

Harold Carr's Blog

Identity for All - On bits and bytes

James Gosling: on the Java Road

Jamie Lewis - CEO and Research Chair

Johannes Ernst's Blog

Kim Cameron's Identity Weblog

Kirill's notes

Links

Marc Hadley's Blog

meta-douglasp

Mike Jones: self-issued

Nicholas Allen's Indigo Blog

ongoing

Phil Windley's Technometria

Pushing String

Robin Wilton's esoterica

TechEd Iron Architect Contest

The Aquarium

Web Services Contraptions

xmldap

Links

Technorati Profile

On this page

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

In addition, my opinions can change. This weblog provides a momentary snapshot of such opinions. Existing posts that were written in the past do not necessarily reflect my current thoughts and opinions.

For the purposes of attribution, the author is "Gerald Beuchelt" and attribution shall provide a (clickable, where possible) URL to this site.

E-mail