XML Encryption

The XML Encryption Syntax and Processing Specification

Don Kiely

October 30, 2009


Troubleshooting Tips

LANGUAGES: All .NET Languages

ASP.NET VERSIONS: All

 


As with digital signatures, it has long been possible to encrypt any kind of electronic data, yet the W3C has developed a specification for encrypting XML data. Why? Part of the reason is that the XML Encryption Syntax and Processing Specification defines an XML syntax to contain information about the methods used to encrypt the data so that you can embed it within XML. The other major reason is that it allows you to encrypt only portions of XML data. The result is that within a set of XML data you could have:

  • Encrypted data or, optionally, a link to the location of the data.

  • Unencrypted data that you don't need to waste processing cycles to encrypt.

  • Key information that optionally provides the public key needed in asymmetrical cryptography.

  • Optional recipient information to identify the people to whom the data is directed.

The specification even provides for super-encryption, in which encrypted data is encrypted a second time using different keys.

Say that you are developing an application for a pizza shop, using an XML file called Customers.xml. Here is a typical entry from that data:

 

       Kiely     Don     8 Hazelnut     Fairbanks     OR     99999     [email protected]      ...

This data contains sensitive customer contact information that we don't want our competitors or anyone else to discover. Yet we must transmit the data to the home office in Elk Grove via the Internet. XML Encryption fits the bill. It allows you to encrypt all or any part of XML data, leaving less sensitive information in clear text. In this case, we want to encrypt the address, phone, and e-mail information, but leave the customer name and notes in clear text. Here is how it might look when it is encrypted:

       Kiely     Don
       xmlns="http://www.w3.org/2001/04/xmlenc#">
       "http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       "http://www.w3.org/2001/04/xmlenc#EncryptedKey"/>
       Informant
       DEADBEEF

Notice that all the sensitive information is replaced with the XML tags defined in the XML Encryption standard, including the open and closing tags. So someone who intercepted this data wouldn't even know for sure whether the encrypted data was something useful like a phone number or the customer's preference for greasy meats.

There are a couple of parts of the encrypted XML data to note: The <EncryptionMethod> element identifies the algorithm used to encrypt the data. In this case it is the US National Institute of Standards and Technology's (NIST) AES algorithm. The <CipherData> and <CipherValue> elements contain the actual encrypted data.

Security for XML data is an immature technology. But you can take advantage of existing technologies today and emerging technologies in applications you develop in the future.

Don Kiely is senior technology consultant for Information Insights, a business and technology consultancy in Fairbanks, AK. E-mail him at mailto:[email protected].
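The partial encryption described above, as an added example that is not code from the original article: it uses .NET's System.Security.Cryptography.Xml classes to encrypt one element of a customer record and leave the name and notes in clear text. The element names, the e-mail value and the in-process RSA key pair are assumptions made for illustration; the key name Informant and the AES-128-CBC identifier follow the article's sample.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

class PartialXmlEncryption
{
    const string KeyName = "Informant"; // key name taken from the article's sample

    static void Main()
    {
        // Constructed record: element names are assumptions, values are illustrative.
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml("<Customer><LastName>Kiely</LastName><FirstName>Don</FirstName>" +
                    "<Contact><Address>8 Hazelnut</Address><City>Fairbanks</City>" +
                    "<Email>customer@example.com</Email></Contact>" +
                    "<Notes>...</Notes></Customer>");

        using var rsa = RSA.Create(2048);   // stands in for the home office's key pair
        using var aes = Aes.Create();       // one-time session key for this element
        aes.KeySize = 128;                  // must match the aes128-cbc identifier below

        // Encrypt only <Contact>, tags included (content: false).
        var target = (XmlElement)doc.SelectSingleNode("/Customer/Contact");
        byte[] cipher = new EncryptedXml().EncryptData(target, aes, false);

        // Wrap the AES key under the recipient's RSA public key (OAEP padding).
        var ek = new EncryptedKey
        {
            CipherData = new CipherData(EncryptedXml.EncryptKey(aes.Key, rsa, true)),
            EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl)
        };
        ek.KeyInfo.AddClause(new KeyInfoName(KeyName));

        var ed = new EncryptedData
        {
            Type = EncryptedXml.XmlEncElementUrl,
            EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES128Url)
        };
        ed.KeyInfo.AddClause(new KeyInfoEncryptedKey(ek));
        ed.CipherData.CipherValue = cipher;
        EncryptedXml.ReplaceElement(target, ed, false);
        Console.WriteLine(doc.OuterXml);    // name and notes readable, contact opaque

        // Recipient: map the key name to the private key and decrypt in place.
        var reader = new EncryptedXml(doc);
        reader.AddKeyNameMapping(KeyName, rsa);
        reader.DecryptDocument();
        Console.WriteLine(doc.OuterXml);
    }
}
```

In a real deployment the sender holds only the recipient's public key; on .NET Core and later the classes come from the System.Security.Cryptography.Xml package.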
