W3C-XML-ENCRYPTION
W3C XML Encryption XML-Enc XML encryption.
Definition
XML-Enc structure: <EncryptedData> root element XML namespace 'http://www.w3.org/2001/04/xmlenc#'. Children: <EncryptionMethod> (algorithm URI), <KeyInfo> (X509Certificate, EncryptedKey reference), <CipherData> (CipherValue ciphertext base64 or CipherReference). Standard algorithms: Block Encryption (AES-128-CBC, AES-256-CBC, Triple DES, AES-GCM 1.1+), Key Transport (RSA-OAEP, RSA-v1.5), Key Agreement (DH ECDH-ES), Symmetric Key Wrap (AES-KW, Triple DES-KW). XML Encryption can encrypt: (1) Whole XML Document, (2) Entire XML Element, (3) XML Element Content only (keep tags clear), (4) Arbitrary binary data. Combination usage patterns: (a) Use XML-Enc encrypt sensitive payload + XML-DSig sign whole document = encrypted + signed Web Service messages WS-Security ; (b) SAML encrypted assertions Identity Federation. Historic vulnerabilities: padding oracle attacks XML-Enc 1.0 (CBC mode), Backwards compatibility attack via Decryption Transform fixed XML-Enc 1.1 + W3C errata.
Origin
W3C XML Encryption Working Group 2001 ; XML Encryption 1.0 W3C Recommendation 10 December 2002 ; XML Encryption 1.1 W3C Recommendation 11 April 2013 (post padding oracle vulnerabilities discoverable fix).
Example in context
ADP Payroll SOAP Web Service uses WS-Security with XML-Enc + XML-DSig to transmit employee salary data B2B clients: SSN + salary amount encrypted via XML-Enc AES-256-GCM, message signed XML-DSig, TLS transmission, end-to-end encryption.
Related terms
- W3C XML Signature — signature complement.