XML Encryption facilitates the secure transmission of XML documents
between two application endpoints. Whereas traditional transport-level
encryption schemes, such as SSL and TLS, can only offer point-to-point
security, XML Encryption guarantees complete end-to-end security.
Encryption takes place at the application-layer and so the encrypted
data can be encapsulated in the message itself. The encrypted data can
therefore remain encrypted as it travels along its path to the target
Web Service. Furthermore, the data is encrypted such that only
its intended recipients can decrypt it.
To understand how the Enterprise Gateway decrypts XML encrypted messages, you
should first examine the format of an XML Encryption block. The following
example shows a SOAP message containing information about Oracle:
```xml
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <getCompanyInfo xmlns="www.oracle.com">
      <name>Company</name>
      <description>XML Security Company</description>
    </getCompanyInfo>
  </s:Body>
</s:Envelope>
```
After encrypting the SOAP Body, the message is as follows:
```xml
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Header>
    <Security xmlns="http://schemas.xmlsoap.org/ws/2003/06/secext" s:actor="Enc">
      <!-- Encapsulates the recipient's key details -->
      <enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
                        Id="00004190E5D1-7529AA14" MimeType="text/xml">
        <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5">
          <enc:KeySize>256</enc:KeySize>
        </enc:EncryptionMethod>
        <enc:CipherData>
          <!-- The session key encrypted with the recipient's public key -->
          <enc:CipherValue>
            AAAAAJ/lK ... mrTF8Egg==
          </enc:CipherValue>
        </enc:CipherData>
        <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
          <dsig:KeyName>sample</dsig:KeyName>
          <dsig:X509Data>
            <!-- The recipient's X.509 certificate -->
            <dsig:X509Certificate>
              MIIEZzCCA0 ... fzmc/YR5gA
            </dsig:X509Certificate>
          </dsig:X509Data>
        </dsig:KeyInfo>
        <enc:CarriedKeyName>Session key</enc:CarriedKeyName>
        <enc:ReferenceList>
          <enc:DataReference URI="#00004190E5D1-5F889C11"/>
        </enc:ReferenceList>
      </enc:EncryptedKey>
    </Security>
  </s:Header>
  <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
                     Id="00004190E5D1-5F889C11" MimeType="text/xml"
                     Type="http://www.w3.org/2001/04/xmlenc#Element">
    <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc">
      <enc:KeySize>256</enc:KeySize>
    </enc:EncryptionMethod>
    <enc:CipherData>
      <!-- The SOAP Body encrypted with the session key -->
      <enc:CipherValue>
        E2ioF8ib2r ... KJAnrX0GQV
      </enc:CipherValue>
    </enc:CipherData>
    <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
      <dsig:KeyName>Session key</dsig:KeyName>
    </dsig:KeyInfo>
  </enc:EncryptedData>
</s:Envelope>
```
The most important elements are as follows:
- EncryptedKey: The EncryptedKey element encapsulates all information relevant to the encryption key.
- EncryptionMethod: The Algorithm attribute specifies the algorithm that is used to encrypt the data. The message data (EncryptedData) is encrypted using the Advanced Encryption Standard (AES) symmetric cipher, but the session key (EncryptedKey) is encrypted with the RSA asymmetric algorithm.
- CipherValue: The value of the encrypted data. The contents of the CipherValue element are always Base64 encoded.
- KeyInfo: Contains information about the recipient and his encryption key, such as the key name, X.509 certificate, and Common Name.
- ReferenceList: This element contains a list of references to encrypted elements in the message. The ReferenceList contains a DataReference element for each encrypted element, where the value of its URI attribute points to the Id of the encrypted element. In the previous example, you can see that the DataReference URI attribute contains the value #00004190E5D1-5F889C11, which corresponds with the Id of the EncryptedData element.
- EncryptedData: The XML element(s) or content that has been encrypted. In this case, the SOAP Body element has been encrypted, and so the EncryptedData block has replaced the SOAP Body element.
Now that you have seen how encrypted data can be encapsulated in an XML
message, it is important to discuss how this data gets encrypted in the
first place. When you understand how data is encrypted, the fields that
must be configured to decrypt this data become easier to understand.
When a message is encrypted, only the intended recipient(s) of the message
can decrypt it. By encrypting the message with the recipient's public key,
the sender can be guaranteed that only the intended recipient can decrypt
the message using his private key, to which he has sole access. This is
the basic principle behind asymmetric cryptography.
In practice, however, encrypting and decrypting data with a public-private
key pair is notoriously CPU-intensive and time consuming. Because of this,
asymmetric cryptography is seldom used to encrypt large amounts of data.
The following steps exemplify a more typical encryption process:
1. The sender generates a one-time symmetric (or session) key which is used to encrypt the data. Symmetric key encryption is much faster than asymmetric encryption and is far more efficient with large amounts of data.
2. The sender encrypts the data with the symmetric key. This same key can then be used to decrypt the data. It is therefore crucial that only the intended recipient can access the symmetric key and consequently decrypt the data.
3. To ensure that nobody else can decrypt the data, the symmetric key is encrypted with the recipient's public key.
4. The data (encrypted with the symmetric key) and the session key (encrypted with the recipient's public key) are then sent together to the intended recipient.
5. When the recipient receives the message, he decrypts the encrypted session key using his private key. Because the recipient is the only one with access to the private key, he is the only one who can decrypt the encrypted session key.
6. Armed with the decrypted session key, the recipient can decrypt the encrypted data into its original plaintext form.
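The steps above as a runnable round trip in Go, added here as an example (it is not Enterprise Gateway code). It uses the algorithms from the sample message, rsa-1_5 for the key transport and aes256-cbc with a 256-bit session key for the body, and follows the XML Encryption rule that the IV is prefixed to the CBC ciphertext; the function names, the freshly generated RSA key pair standing in for the recipient's certificate, and the sample body string are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// Encrypt does the sender's steps (1-4): a one-time AES-256 session key encrypts the body with
// aes256-cbc (PKCS#7 padded, IV prefixed as xmlenc requires) and the recipient's RSA public key wraps that key (rsa-1_5).
func Encrypt(recipient *rsa.PublicKey, body []byte) (wrappedKey, cipherValue []byte, err error) {
	kiv := make([]byte, 32+aes.BlockSize) // 256-bit session key followed by a fresh IV
	if _, err = rand.Read(kiv); err != nil {
		return nil, nil, err
	}
	block, _ := aes.NewCipher(kiv[:32]) // 32-byte key, so NewCipher cannot fail
	pad := aes.BlockSize - len(body)%aes.BlockSize
	buf := append(append(append([]byte{}, kiv[32:]...), body...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, kiv[32:]).CryptBlocks(buf[aes.BlockSize:], buf[aes.BlockSize:]) // in place
	wrappedKey, err = rsa.EncryptPKCS1v15(rand.Reader, recipient, kiv[:32])
	return wrappedKey, buf, err
}

// Decrypt does the recipient's steps (5-6): unwrap the session key with the private key, split off
// the IV, run AES-CBC and strip the padding. Every failure yields the same error so nothing is leaked.
func Decrypt(priv *rsa.PrivateKey, wrappedKey, cipherValue []byte) ([]byte, error) {
	key, err := rsa.DecryptPKCS1v15(rand.Reader, priv, wrappedKey)
	if err != nil || len(key) != 32 || len(cipherValue) < 2*aes.BlockSize || len(cipherValue)%aes.BlockSize != 0 {
		return nil, errors.New("decryption failed")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(cipherValue)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, cipherValue[:aes.BlockSize]).CryptBlocks(pt, cipherValue[aes.BlockSize:])
	pad := int(pt[len(pt)-1]) // length-only PKCS#7 check; pt holds at least one block here
	if pad == 0 || pad > aes.BlockSize {
		return nil, errors.New("decryption failed")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key pair behind the recipient's X509Certificate
	wrapped, cv, _ := Encrypt(&priv.PublicKey, []byte("<s:Body>...</s:Body>")) // constructed sample body
	pt, err := Decrypt(priv, wrapped, cv)
	fmt.Printf("wrapped key %d bytes, CipherValue %d bytes, body %q, err %v\n", len(wrapped), len(cv), pt, err)
}
```

The two byte slices Encrypt returns are what a sender would Base64 encode into the EncryptedKey and EncryptedData CipherValue elements respectively.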
Now that you understand how XML Encryption works, it is time to learn how to configure the Enterprise Gateway to decrypt XML-encrypted messages. The following sections describe how to configure the XML Decryption Settings filter to decrypt encrypted XML data.