Changes to XML Encryption Syntax and Processing for XML Encryption 1.1

Frederick Hirsch
Magnus Nyström
Date: 2012/09/10 21:37:48

Status of this Document

This document summarizes the changes that the XML Security Working Group has made to the XML Encryption Syntax and Processing Specification for XML Encryption 1.1.

Discussion of Changes

General Changes

Updated to use ReSpec.js

Updated formatting of examples.

Updated grammar replacing 'which' with 'that' as appropriate.

Corrected spelling as needed.

Cover page

Updated to Version 1.1, updated date and version links. Updated editor information to add Magnus Nyström and Kelvin Yiu as editors.

Status of this document

Updated to reflect status of 1.1 version.

Added information on patent advisory group and additional patent disclosures.

Table of Contents

Added subsections to section 3.5 for key derivation.

Added subsections to section 5 for the individual algorithms.

Split Section 10, References, into Normative and Informative reference subsections.

Added new security consideration sections for (a) Chosen-Ciphertext Attacks (both attacks against encrypted data and encrypted key), (b) use of error messages, (c) Timing attacks and (d) CBC Block Encryption Vulnerability.

Section 1.4 Acknowledgements

Updated Acknowledgements.

2.1 Encryption Granularity

Added warning about examples regarding possible plaintext attacks.

2.1.4 Encrypting Arbitrary Data and XML Documents

Removed MimeType from EXI example, updated text before example with explanation.

2.2.1 EncryptedData with Symmetric Key (KeyName)

Fixed example, removing extra closing slash, per LC-2420.

3. Encryption Syntax

Removed (optional) URL from the DOCTYPEs.

3.1 The EncryptedType Element

Fixed typo, "descendants"

Added sentence at end of section regarding optional use of MimeType with EXI.

Modified text to clarify the Encoding attribute.

3.3.1 The CipherReference Element

Clarified that the syntax of URI and Transforms is defined in XML Signature.

3.3 The CipherData Element

Clarified that the base64 encoded text is contained as element content when CipherValue element is used.

3.4 The EncryptedData Element

Added element content to the possibilities, which also include replacement or a new document root.

3.5.1 The EncryptedKey Element

Change "is to" to "MUST" for "The value of the key MUST be the same in all EncryptedKey elements identified with the same CarriedKeyName label within a single XML document."

Fixed typos, "inherited", "unambiguous"

3.5.2 The DerivedKey element

Added new subsection describing this new ds:KeyInfo child.

Added the following:

3.5.3 The ds:RetrievalMethod element

Added DerivedKey to description of use of RetrievalMethod.

Removed fixed attribute in schema attribute definition.

Removed schema definition.

Section 3.6 The ReferenceList element

Added DerivedKey to section text.

Section 3.7 The EncryptionProperties element

Added section for EncryptionProperties Element identifier.

4. Processing Rules

Refactored 4.1-4.4 to clarify which parts of the processing model are normative and which are not; added the Type parameter for EXI; added processing rules for EXI.

Clarified text noting that encryption can often cause the document with encrypted parts to become invalid with respect to its schema.

Section 4.5 XML Encryption

To avoid possible confusion with encryption transforms, changed "transforms on octets" to "operations on octets" in first paragraph.

Changed "MANDATORY to" to "be required by" for discussion of what other specifications might require.

Section 4.5.4 Text Wrapping

Fixed typo, removed " fed is".

5.1 Algorithm Identifiers and Implementation Requirements

Changed RSA v1.5 from Required to Optional and added warning note.

Added AES-128-GCM as REQUIRED, added warning about use of CBC block encryption algorithms and reference to paper on attack.

Added AES-192-GCM as OPTIONAL.


Changed SHA-256 to REQUIRED

Added SHA-384 as OPTIONAL

Added Canonical XML 1.1 (omit comments) as OPTIONAL

Added Canonical XML 1.1 with comments as OPTIONAL

Removed Message Authentication (not normative)

Added key derivation algorithms, ConcatKDF as REQUIRED, PBKDF2 as OPTIONAL.

Added Key Agreements: Diffie-Hellman Key Agreement (Ephemeral-Static mode) with Legacy Key Derivation Function and with explicit Key Derivation Functions as OPTIONAL, and Elliptic Curve Diffie-Hellman (Ephemeral-Static mode) as REQUIRED.

Fixed typo, "refer"

5.2.4 AES-GCM

Added AES-GCM algorithms. Clarified the description of the algorithm as equivalent to encryption followed by signing.

5.4 Key Derivation

New section added defining two key derivation algorithms, ConcatKDF and PBKDF2.

5.4.2 PBKDF2

Removed default from PRFAlgorithmIdentifierType. Added recommendation to use HMAC-SHA256 with PBKDF2 instead of HMAC-SHA1.

Added type='anyURI' to Algorithm attribute for AlgorithmIdentifierType.

Added type="anyType" Algorithm attribute for Parameters element in the AlgorithmIdentifier type, making default clear.

Added clarifying note that the PartyUInfo component shall include a nonce when ConcatKDF is used in conjunction with a static-static Diffie-Hellman key agreement scheme.

5.5.1 RSA Version 1.5

Updated RFC 2437 to RFC 3447. Adjusted section reference appropriately.

Added CipherValue to CipherData example.

Revised normative language requiring support of 192-bit TRIPLEDES keys to use MUST.

Clarified note related to base64 algorithm uses.

For Key Transport, added optional RSA-OAEP algorithm that allows defined MGF; retained existing mandatory RSA-OAEP algorithm, adding notation that this is for fixed MGF1 with SHA1.

5.5.2 RSA-OAEP

Updated RFC 2437 to RFC 3447. Adjusted section references appropriately.

Updated example to have no spaces in OAEPparams element content.

Revised to enable RSA-OAEP with arbitrary mask generation function (e.g. SHA2 based) by defining additional RSA-OAEP URI and significantly revising text. Added definition of new xenc11:MGF element.

Added URI definitions for mask generation function with various SHA algorithms.

Revised text to clarify that implementations must support all mandatory key lengths, enabling longer key length usage.

Removed replication of partial schema example, referring instead to section 3.2 (EncryptionMethod Element) with the full definition, to avoid potential confusion.

5.6 Key Agreement

Added paragraph on declaration of Key derivation algorithms using xenc11:KeyDerivationMethod using the xenc:AgreementMethodType.

Updated example to include KeyDerivationMethod.

5.6.2 Diffie-Hellman Key Agreement

Moved identifier from this section to new section on legacy KDF, section

Modified discussion to include use of KDF to produce secret key using explicit or legacy KDFs.

Clarified implementation requirements.

Diffie-Hellman Key Agreement with explicit Key Derivation Functions

New section describing explicit key derivation functions.

Diffie-Hellman Key Agreement with Legacy Key Derivation Function

New section containing identifier and original material for KDF described in previous version of XML Encryption. Clarified implementation requirement.

5.6.3 Elliptic Curve Diffie-Hellman (ECDH) Key Values

New section defining ECDH key value URI and use.

5.6.4 Elliptic Curve Diffie-Hellman (ECDH) Key Agreement (Ephemeral-Static Mode)

New section defining ECDH-ES key agreement algorithm URI and use.

5.7 Symmetric Key Wrap

Revised introduction paragraph and description for clarity.

Removed Section 5.6.1 - Checksums - as it was not required after making the change to 5.6.2 and 5.6.3 (see below).

Removed detailed, step-by-step description of Triple-DES key wrap from (what used to be) 5.6.2, replaced with reference to IETF RFC 3217.

Removed detailed, step-by-step description of AES key wrap from (what used to be) 5.6.3, replaced with reference to RFC 3397.

Section 5.7.3: Changed reference from DRAFT-HOUSLEY-KW-PAD to AES-WRAP-PAD to match changed tag associated with RFC publication.

5.8 Message Digest

Added text to explain reason for discouraging use of SHA-1.

5.8.1 SHA1

Removed REQUIRED for SHA1.

5.8.2 SHA256


5.8.3 SHA384

Added new section for SHA384.

Message Authentication (section 5.8 in previous version of XML Encryption)

Section deleted as per resolution on WG call 20090602.

5.9.1 Inclusive Canonicalization

Added XML Canonicalization 1.1 (both omitting and with comments)

6 Security Considerations

Renumbered sections, added new sections for (a) Chosen-Ciphertext Attacks (both attacks against encrypted data and encrypted key), (b) use of error messages, (c) Timing attacks and (d) CBC Block Encryption Vulnerability.

6.1 Chosen-Ciphertext Attacks

New section on Chosen Ciphertext Attacks, including attacks against encrypted data and encrypted key.

6.1.1 Attacks against the encrypted data (<EncryptedData> part)

New section on CBC-based chosen ciphertext attack.

6.1.2 Attacks against the encrypted key (Bleichenbacher's Million question attack on PKCS#1.5)

New section on applying Bleichenbacher's attack to recover the symmetric secret key that is encrypted in the <EncryptedKey> element.

6.2 Relationship to XML Digital Signatures

Fixed typo, space between [Davis] reference and period.

6.4 Nonce and IV (Initialization Value or Vector)

Fixed typos, "initialization", "resistance"

Added warning related to CBC chosen ciphertext attacks and note on GCM IV initialization.

6.7 Error Messages

New security consideration for implementations to limit information included in error responses for security algorithms.

6.8 Timing Attacks

New security consideration warning implementers to consider timing attacks.

6.9 CBC Block Encryption Vulnerability

New security consideration warning implementers regarding CBC Block Encryption vulnerability.
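The CBC Block Encryption vulnerability in 6.9 and the chosen-ciphertext attack on encrypted data in 6.1.1 both rest on the same property: CBC gives the decryptor no way to detect a modified ciphertext, which is why 5.2.4 describes AES-GCM as equivalent to encryption followed by signing. The Go program below is an added illustration, not code from the specification or from the Working Group. It uses only the Go standard library; the key, IV, nonce and sample message are constructed values. It encrypts one message under AES-128-CBC and AES-128-GCM, flips a single bit in each ciphertext, and shows that CBC decryption returns altered plaintext with no error while GCM refuses to release anything.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed demonstration values; real deployments need random keys and a fresh IV/nonce per message (section 6.4).
var (
	demoKey   = []byte("0123456789abcdef") // AES-128 key, 16 bytes
	demoIV    = []byte("fedcba9876543210") // CBC IV, 16 bytes
	demoNonce = []byte("0123456789ab")     // GCM nonce, 12 bytes
)

func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad fails only when the padding bytes themselves are malformed; it says
// nothing about whether the rest of the plaintext is what the sender wrote.
func pkcs7Unpad(data []byte) ([]byte, error) {
	n := len(data)
	if n == 0 {
		return nil, errors.New("empty input")
	}
	p := int(data[n-1])
	if p == 0 || p > aes.BlockSize || p > n || !bytes.Equal(data[n-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("invalid padding")
	}
	return data[:n-p], nil
}

// cbcEncrypt is plain AES-CBC: confidentiality only, no integrity protection.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// cbcDecrypt cannot tell a modified ciphertext from a genuine one unless the change happens to break the padding.
func cbcDecrypt(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return pkcs7Unpad(out)
}

// newGCM returns the AES-GCM AEAD: Seal appends a 16-byte tag, Open verifies it before releasing any plaintext.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CompareTampering encrypts msg under both modes, flips one bit of each ciphertext and decrypts.
// It reports whether CBC accepted the altered message, whether the CBC plaintext still
// matched the original, and whether GCM accepted the altered message.
func CompareTampering(msg []byte) (cbcAccepted, cbcIntact, gcmAccepted bool, err error) {
	cbcCT, err := cbcEncrypt(demoKey, demoIV, msg)
	if err != nil {
		return
	}
	cbcCT[0] ^= 0x01 // one flipped bit in the first ciphertext block
	pt, cbcErr := cbcDecrypt(demoKey, demoIV, cbcCT)
	cbcAccepted = cbcErr == nil
	cbcIntact = cbcAccepted && bytes.Equal(pt, msg)
	aead, err := newGCM(demoKey)
	if err != nil {
		return
	}
	gcmCT := aead.Seal(nil, demoNonce, msg, nil)
	gcmCT[0] ^= 0x01 // the same single-bit change
	_, gcmErr := aead.Open(nil, demoNonce, gcmCT, nil)
	gcmAccepted = gcmErr == nil // false: "cipher: message authentication failed"
	return
}

func main() {
	fmt.Println(CompareTampering([]byte("<Name>Alice</Name><Role>user</Role>")))
}
```

Run as written, the CBC path reports accepted but not intact, and the GCM path reports not accepted. A decryptor that acts on CBC output before an independent integrity check is therefore processing data anyone on the path could have altered; the GCM tag failure is exactly the signal CBC lacks, and, as 6.7 recommends, that failure should be reported uniformly rather than distinguishing a padding error from any other decryption error.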

8.2 application/xenc+xml Registration

Changed "MIME media type name" to "Type name" and "MIME subtype name" to "Subtype name"

Added reference to XML Encryption 1.1 as well as XML Encryption 1.0

Changed contact information from Joseph Reagle to "World Wide Web Consortium <web-human at>"

Changed to avoid normative self reference, by changing reference to XML Encryption 1.1 in text from "[XMLENC-CORE1]" to "(XMLENC-CORE1, this document)".

9. Schema and Valid Examples

Fixed typo, "exercises"

Added XML Encryption 1.1 XSD Schema instance

Removed "Examples" from section title.

Noted that example is not normative.

A. Reserved Algorithm Identifiers

Added a new informative Appendix A for "Reserved Algorithm Identifiers" with algorithm identifiers and description for AES-128/192/256-pad symmetric key wrap.

Added AES-128|192|256-pad key wrap mechanisms as OPTIONAL.

B. References

Split references section into normative and informative sections.

Added links for references

Updated all references, including updates noted specifically here.

Updated SHA reference to FIPS-186-3

Updated XML Signature reference to XML Signature 1.1

Updated Glossary RFC 2828 to RFC 4949

Added Media Types RFC 3023 update to MIME-REG RFC 2048 reference

Updated UTF-8 RFC 2279 to RFC 3629

Updated URI RFC 3406 to RFC 3986

Updated X509v3 from ISO/IEC 9594-8:1997 to 9594-8:2001, added link

Updated RFC 1750 to RFC 4086

Updated RFC 2396 to RFC 3986

Updated RFC 2437 to RFC 3447

Updated Reference for FIPS-186-3 to reflect final publication.

Added reference to recent work on SHA-1 analysis (to be changed once paper appears on

Updated the following references to reflect final publication: AES-WRAP, SHA, XML-DSIG, XMLDSIG11, Glossary, MIME-REG, XML 1.0 and UTF-8.

Replaced reference DRAFT-HOUSLEY-KW-PAD with AES-WRAP-PAD now that the reference has been published as RFC 5649.

Added web link for ANSI X9.52.

Removed the old XML Signature reference, retaining only reference for Signature 1.1, naming it XML-DSIG.

Added informative reference to ANSI X9.44-2007.

Added reference ECC-ALGS for D. McGrew, K. Igoe, M. Salter, Fundamental Elliptic Curve Cryptography Algorithms.

Reformatted and sorted by using ReSpec.js bibliography tool (updated common bibliography)

Updated reference, in particular link, for RIPEMD-160.

RFC 2633 obsoleted by RFC 3851 (S/MIME v3 to v3.1), reference updated.

RFC 2048 obsoleted by RFC 4289 (MIME Part 4 registration procedures), reference updated.

Updated XML Security RELAX-NG reference to refer to April 2011 publication.

Update RELAXNG-SCHEMA reference.

Added RFC 4055 reference.

Added reference to "How to Break XML Encryption" paper.

Added reference to RFC 3218, "Preventing the Million Message Attack on Cryptographic Message Syntax".

Added reference to Manger, "A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0".

Added reference to paper by Juraj Somorovsky, Jörg Schwenk. "Technical Analysis of Countermeasures against Attack on XML Encryption - or - Just Another Motivation for Authenticated Encryption". 2011.

Added SP800-67 reference, updated to 2012 version.