W3C

XML Encryption 1.1 Interop Test Report

W3C Editor's Draft 19 October 2012

This version:
http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core1-interop/
Latest published version:
http://www.w3.org/TR/xmlenc-core1-interop/
Latest editor's draft:
http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core1-interop/
Editors:
Pratik Datta
Frederick Hirsch

Abstract

This document is the interop report for new features introduced in XML Encryption 1.1. It does not replicate interop testing performed for features retained from XML Encryption 1.0.

Status of This Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at http://www.w3.org/TR/.

This document was published by the XML Security Working Group as an Editor's Draft. If you wish to make comments regarding this document, please send them to public-xmlsec@w3.org (subscribe, archives). All feedback is welcome.

Publication as an Editor's Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

Table of Contents

1. Introduction

This document summarizes interop tests and the test results for new features introduced in XML Encryption 1.1 [XMLENC-CORE1]. Changes to XML Encryption introduced in XML Encryption 1.1 are summarized in a detailed change explanation document [XMLENC-CORE1-CHGS].

Items that were required or optional features of XML Encryption 1.0 were tested as part of XML Encryption 1.0 interop and are not included in XML Encryption 1.1 testing, even if the status was changed from optional to required (or vice versa).

Tests that are marked 'Y' are completed, 'U' means 'untested' and should not be taken to make a statement about the implementation (as testing may simply not have been performed for interop due to timing or other reasons).

2. Key Derivation

Key Derivation MethodIBMMicrosoft
ConcatKDFYY
PBKDF2YY

In these tests the content is encrypted with a symmetric key that is derived from another symmetric key. The key to be derived from is specified in the "Symmetric key" column below.

# Encryption Parameters CipherText Remarks
Plaintext Symmetric Key Content encryption
algorithm
Key Derivation
algorithm
DRV.1 KDF-test-data.txt 0001020304050607
1011121314151617
2021222324252627
3031323334353637
aes256-cbc ConcatKDF
SHA256
cipherText The symmetric key and plaintext are specified as hex strings.
DRV.2 KDF-test-data.txt PASSWORD aes256-cbc PBKDF2
hmac-sha256, iteration=1024, salt=specified
cipherText The symmetric key is the string "PASSWORD" converted into bytes.
DRV.3 clearText secret.concat.kdf aes256-cbc ConcatKDF
SHA256
cipherText The symmetric key and plaintext are specified as binary files.
DRV.4 clearText PASSWORD aes256-cbc PBKDF2
hmac-sha256, iteration=4096, salt=specified
cipherText The symmetric key is the string "PASSWORD" converted into bytes.

Note - ReferenceList, DerivedKeyName and MasterKeyName schema items were not used in these tests. Use of DerivedKey with RetrievalMethod was also not tested.

3. Key Agreement Algorithms

Key Agreement AlgorithmMicrosoftOracle
Elliptic Curve Diffie-Hellman (Ephemeral-Static mode)YY
Diffie-Hellman Key Agreement (Ephemeral-Static mode)YY

In these tests the

# Encryption Parameters CipherText Remarks
Plaintext Asymmetric Key
Pvt key file and password
Content encryption
algorithm
Key Wrapping
algorithm
Key Agreement
algorithm
Key Derivation
algorithm
AGRMNT.1 plaintext.xml EC-P256
pvtKey "passwd"
aes128-gcm kw-aes128 ECDH-ES ConcatKDF
SHA256
cipherText In the first three examples the key wrapping algorithm size matches the symmetric algorithm key size. This is not required, the AES key wrapping algorithms can encrypt any data that is a multiple of 64 bits.
AGRMNT.2 plaintext.xml EC-P384
pvtKey "passwd"
aes192-gcm kw-aes192 ECDH-ES ConcatKDF
SHA384
cipherText
AGRMNT.3 plaintext.xml EC-P521
pvtKey "passwd"
aes256-gcm kw-aes256 ECDH-ES ConcatKDF
SHA512
cipherText
AGRMNT.4 d9313225f88406e5 a55909c5aff5269a EC-P256
pvtKey "1234"
aes128-gcm kw-aes128 ECDH-ES ConcatKDF
SHA256
cipherText These three examples are very similar to the previous three, except that they encrypt binary data. The binary data is specified in the left column as a hex string.
AGRMNT.5 d9313225f88406e5 a55909c5aff5269a EC-P384
pvtKey "1234"
aes192-gcm kw-aes192 ECDH-ES ConcatKDF
SHA384
cipherText
AGRMNT.6 d9313225f88406e5 a55909c5aff5269a EC-P521
pvtKey "1234"
aes256-gcm kw-aes256 ECDH-ES ConcatKDF
SHA512
cipherText
AGRMNT.7 plaintext.xml DH-1024
pvtKey "passwd"
aes128-gcm kw-aes128 dh-es ConcatKDF
SHA256
cipherText This example encrypts with a Diffie Hellman key with the new algorithm #dh-es in which the key derivation function is explicitly specified.
AGRMNT.8 d9313225f88406e5 a55909c5aff5269a DH-2048
pvtKey in CNG blob format
aes256-gcm kw-aes256 dh-es ConcatKDF
SHA256
cipherText This example also uses the new algorithm #dh-es
AGRMNT.9 plaintext.xml EC-P256
pvtKey "passwd"
aes128-gcm kw-aes256 ECDH-ES PBKDF2
hmac-sha256, iteration=2000, salt=specified
cipherText This example uses EC keys, but not the ConcatKDF key derivation function. Instead it uses the PBKDF2 key derivation. Also notice that the encryption algorithm and key wrapping algorithm have different key lengths - 128 and 256 respectively . The PBKDF2 parameters specifies a key length of 32 to match the wrapping algorithm key length.
AGRMNT.10 plaintext.xml DH-1024
pvtKey "passwd"
aes128-gcm kw-aes128 dh-es PBKDF2
hmac-sha256, iteration=2000, salt=specified
cipherText This example encrypts with a Diffie Hellman key with PBKDF2 key derivation

4. Block Encryption Algorithms: AES-GCM

Block Encryption AlgorithmApache Santuario (C++)OracleMicrosoft
AES-128-GCMUYY
AES-192-GCMYYU
AES-256-GCMYYU
The details about the encryption key are embedded in the <KeyInfo>

The tests in section 6. RSA-OAEP Key Transport were used to interop test these block encryption algorithms.

In addition, the following test was also used. In this test the content is encrypted by the specified symmetric key:

# Encryption Parameters CipherText Remarks
Plaintext Symmetric Key Content encryption
algorithm
SYM.1 d9313225f88406e5
a55909c5aff5269a
feffe9928665731c
6d6a8f9467308308
aes128-gcm cipherText The plain text and the keys are specified as hex strings.

5. SHA Algorithms

This algorithm was tested as part of XML Signature 1.1 SHA interop testing [XMLDSIG-CORE1-INTEROP].

6. RSA-OAEP Key Transport

RSA-OAEP with specified MGF FunctionApache Santuario (C++)Oracle
RSA-OAEP with SHA-1YY
In these tests the
# Encryption Parameters CipherText Remarks
Plaintext Asymmetric Key
Pvt key file and password
Content encryption
algorithm
Key encryption
algorithm
WRAP.1 plaintext.xml RSA-2048
pvtKey "passwd"
aes128-gcm rsa-oaep-mgf1p
Digest:SHA256, MGF:SHA1
PSource: None
cipherText All the examples in this table use the new AES-GCM algorithm.
WRAP.2 plaintext.xml RSA-3072
pvtKey "passwd"
aes192-gcm rsa-oaep-mgf1p
Digest:SHA256, MGF:SHA1
PSource: None
cipherText In this example the OAEP digest method is specified as SHA256. The MFG algorithm is SHA1.
WRAP.3 plaintext.xml RSA-3072
pvtKey "passwd"
aes256-gcm rsa-oaep
Digest:SHA384, MGF:SHA1
PSource: None
cipherText This example uses the new #rsa-oaep algorithm that takes in explicit MGF algorithm. The MGF has been specified as SHA1.
WRAP.4 plaintext.xml RSA-4096
pvtKey "passwd"
aes256-gcm rsa-oaep
Digest:SHA512, MGF:SHA1
PSource: Specified 8 bytes
cipherText This also uses #rsa-oaep but has a 8 byte PSource explicitly defined .

7. Canonicalization Algorithms (previously interop tested)

The following algorithms were added in XML Encryption 1.1 but were not included in this round of interop testing as they have been previously tested during the development of the corresponding W3C Recommendation:

A. References

A.1 Informative references

[XML-C14N11]
John Boyer, Glenn Marcy. Canonical XML Version 1.1. 2 May 2008. W3C Recommendation. URL: http://www.w3.org/TR/2008/REC-xml-c14n11-20080502/
[XMLDSIG-CORE1-INTEROP]
Frederick Hirsch XML Signature 1.1 Interop Test Report. 23 July 2012. W3C Editors Draft. (Work in progress.) URL: http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core1-interop/Overview.src.html
[XMLENC-CORE1]
J. Reagle; D. Eastlake; F. Hirsch; T. Roessler. XML Encryption Syntax and Processing Version 1.1. 18 October 2012. W3C Last Call Working Draft. (Work in progress) URL: http://www.w3.org/TR/2012/WD-xmlenc-core1-20121018/
[XMLENC-CORE1-CHGS]
Frederick Hirsch. Functional Explanation of in XML Encryption 1.1. 18 October 2012. W3C Working Group Note. URL: http://www.w3.org/TR/2012/NOTE-xmlenc-core1-explain-20121018/