Added Key Derivation

Added support for derived keys, in particular:

• Added definitions of Key Derivation algorithms
  • Added ConcatKDF algorithm.
  • Added PBKDF2 algorithm.
• Added XML DerivedKey element
• Updated RetrievalMethod description to include DerivedKey.
• Updated ReferenceList description to include DerivedKey.

Added Elliptic Curve Diffie-Hellman Key Agreement

• Added Elliptic Curve Diffie-Hellman Key Agreement

Added Algorithms

• Added AES-192-GCM Block Encryption as OPTIONAL.
• Added SHA-384 Message Digest as OPTIONAL
• Added Canonical XML 1.1 (omit comments) as OPTIONAL
• Added Canonical XML 1.1 with comments as OPTIONAL
• Added key derivation algorithms, ConcatKDF as REQUIRED, PBKDF2 as OPTIONAL.
• Added Key Agreements, Diffie-Hellman Key Agreement (Ephemeral-Static mode) with Legacy Key Derivation Function and explicit Key Derivation Functions as Optional, and Elliptic Curve Diffie-Hellman (Ephemeral-Static mode) as REQUIRED

For all algorithms added, algorithm identifiers and information were added to the specification.

Changed Algorithms

• Changed SHA-1 Message Digest to REQUIRED, but DISCOURAGED.
• Changed SHA-256 Message Digest to REQUIRED
• Changed AES-128-GCM Block Encryption as REQUIRED, added warning about use of CBC block encryption algorithms and reference to paper on attack.
• Changed RSA-v1.5 Key Transport to OPTIONAL and added note that "Implementation of RSA v1.5 is NOT RECOMMENDED due to security risks associated with the algorithm".
• Enabled RSA-OAEP Key Transport to be used with arbitrary mask generation functions (e.g. SHA2 based) by defining an additional RSA-OAEP URI and significantly revising specification text. Added definition of new xenc11:MGF element.
• Removed Message Authentication section (not normative)

Clarifications

• Clarified AES-GCM Block Encryption description of the algorithm as equivalent to encryption followed by signing.
• Revised processing rules section for clarity on aspects of processing model that are normative and those that are not.
• Clarified the Encoding attribute in the EncryptedType element.
• Clarified that the syntax of URI and Transforms in the CipherReference element is defined in XML Signature.
• Clarified that base64 encoded text is contained as element content when CipherValue element is used.

Security Considerations Changes

• Added security consideration information on Chosen Ciphertext Attacks, including attacks against encrypted data and encrypted key. Provide specific notes on CBC Block Encryption vulnerability, and the Bleichenbacher attack.
• Added new security consideration for implementations to limit information included in error responses for security algorithms.
• Added new security consideration warning implementers to consider timing attacks.

Other Changes

• Provided new 1.1 namespace for new 1.1 schema items
• Replaced normative SP800-56A reference (NIST Special Publication 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised). March 2007) for ECDH in Section 5.6.4 (Elliptic Curve Diffie-Hellman (ECDH) Key Agreement) with [[ECC-ALGS]] reference.
• Added informative appendix reserving identifiers for, and describing AES-128-pad, AES-192-pad, and AES-256-pad Symmetric Key Wrap algorithms.