- This version:
- http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core1-interop/
- Latest published version:
- http://www.w3.org/TR/xmlenc-core1-interop/
- Latest editor's draft:
- http://www.w3.org/2008/xmlsec/Drafts/xmlenc-core1-interop/
- Editors:
- Pratik Datta
- Frederick Hirsch

Copyright ©
2012
W3C^{®}
(MIT,
ERCIM,
Keio), All Rights Reserved.
W3C liability,
trademark and
document use rules apply.

This document is the interop report for new features introduced in XML Encryption 1.1. It does not replicate interop testing performed for features retained from XML Encryption 1.0.

*This section describes the status of this document at the time of its publication. Other
documents may supersede this document. A list of current W3C publications and the latest revision
of this technical report can be found in the W3C technical reports
index at http://www.w3.org/TR/.*

This document was published by the XML Security Working Group as an Editor's Draft. If you wish to make comments regarding this document, please send them to public-xmlsec@w3.org (subscribe, archives). All feedback is welcome.

Publication as an Editor's Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document summarizes interop tests and the test results for new features introduced in XML Encryption 1.1 [XMLENC-CORE1]. Changes to XML Encryption introduced in XML Encryption 1.1 are summarized in a detailed change explanation document [XMLENC-CORE1-CHGS].

Items that were *required* or *optional* features of XML Encryption 1.0
were tested as part of XML Encryption 1.0 interop and are not included in XML
Encryption 1.1 testing, even if the status was changed from *optional*
to *required* (or vice versa).

Tests that are marked 'Y' are completed, 'U' means 'untested' and should not be taken to make a statement about the implementation (as testing may simply not have been performed for interop due to timing or other reasons).

- Add ConcatKDF algorithm (
*required*algorithm) - Add PBKDF2 algorithm (
*optional*algorithm) - Add XML
`DerivedKey`

element

Key Derivation Method | IBM | Microsoft |
---|---|---|

ConcatKDF | Y | Y |

PBKDF2 | Y | Y |

In these tests the content is encrypted with a symmetric key that is derived from another symmetric key. The key to be derived from is specified in the "Symmetric key" column below.

# | Encryption Parameters | CipherText | Remarks | |||
---|---|---|---|---|---|---|

Plaintext | Symmetric Key | Content encryption algorithm |
Key Derivation algorithm |
|||

DRV.1 | KDF-test-data.txt | 0001020304050607 1011121314151617 2021222324252627 3031323334353637 |
aes256-cbc | ConcatKDF SHA256 |
cipherText | The symmetric key and plaintext are specified as hex strings. |

DRV.2 | KDF-test-data.txt | PASSWORD | aes256-cbc | PBKDF2 hmac-sha256, iteration=1024, salt=specified |
cipherText | The symmetric key is the string "PASSWORD" converted into bytes. |

DRV.3 | clearText | secret.concat.kdf | aes256-cbc | ConcatKDF SHA256 |
cipherText | The symmetric key and plaintext are specified as binary files. |

DRV.4 | clearText | PASSWORD | aes256-cbc | PBKDF2 hmac-sha256, iteration=4096, salt=specified |
cipherText | The symmetric key is the string "PASSWORD" converted into bytes. |

Note
- `ReferenceList`

, `DerivedKeyName`

and `MasterKeyName`

schema items were not used in
these tests. Use of `DerivedKey`

with
`RetrievalMethod`

was also not tested.

- Add
*required*Elliptic Curve Diffie-Hellman (Ephemeral-Static mode) - Add
*optional*Diffie-Hellman Key Agreement (Ephemeral-Static mode) with explicit Key Derivation Functions

Key Agreement Algorithm | Microsoft | Oracle |
---|---|---|

Elliptic Curve Diffie-Hellman (Ephemeral-Static mode) | Y | Y |

Diffie-Hellman Key Agreement (Ephemeral-Static mode) | Y | Y |

In these tests the

- At first the content is encrypted by a random symmetric key .

The`KeyInfo`

of the content's`EncryptedData`

has`EncryptedKey`

. - Then this symmetric key is wrapped by a second symmetric key that is derived from the key agreement.

The`KeyInfo`

of first symmetric key's`EncryptedKey`

has`AgreementMethod`

. - Key agreement is based on one sender's ephemeral key and receiver's static key.

The`OriginatorKeyInfo`

of`AgreementMethod`

has a temporary generated key indicated by`KeyValue`

.

The`RecipientKeyInfo`

of`AgreementMethod`

has`X509Data`

which is the receiver's public key.

# | Encryption Parameters | CipherText | Remarks | |||||
---|---|---|---|---|---|---|---|---|

Plaintext | Asymmetric Key Pvt key file and password |
Content encryption algorithm |
Key Wrapping algorithm |
Key Agreement algorithm |
Key Derivation algorithm |
|||

AGRMNT.1 | plaintext.xml | EC-P256 pvtKey "passwd" |
aes128-gcm | kw-aes128 | ECDH-ES | ConcatKDF SHA256 |
cipherText | In the first three examples the key wrapping algorithm size matches the symmetric algorithm key size. This is not required, the AES key wrapping algorithms can encrypt any data that is a multiple of 64 bits. |

AGRMNT.2 | plaintext.xml | EC-P384 pvtKey "passwd" |
aes192-gcm | kw-aes192 | ECDH-ES | ConcatKDF SHA384 |
cipherText | |

AGRMNT.3 | plaintext.xml | EC-P521 pvtKey "passwd" |
aes256-gcm | kw-aes256 | ECDH-ES | ConcatKDF SHA512 |
cipherText | |

AGRMNT.4 | d9313225f88406e5 a55909c5aff5269a | EC-P256 pvtKey "1234" |
aes128-gcm | kw-aes128 | ECDH-ES | ConcatKDF SHA256 |
cipherText | These three examples are very similar to the previous three, except that they encrypt binary data. The binary data is specified in the left column as a hex string. |

AGRMNT.5 | d9313225f88406e5 a55909c5aff5269a | EC-P384 pvtKey "1234" |
aes192-gcm | kw-aes192 | ECDH-ES | ConcatKDF SHA384 |
cipherText | |

AGRMNT.6 | d9313225f88406e5 a55909c5aff5269a | EC-P521 pvtKey "1234" |
aes256-gcm | kw-aes256 | ECDH-ES | ConcatKDF SHA512 |
cipherText | |

AGRMNT.7 | plaintext.xml | DH-1024 pvtKey "passwd" |
aes128-gcm | kw-aes128 | dh-es | ConcatKDF SHA256 |
cipherText | This example encrypts with a Diffie Hellman key with the new algorithm `#dh-es` in which the
key derivation function is explicitly specified. |

AGRMNT.8 | d9313225f88406e5 a55909c5aff5269a | DH-2048 pvtKey in CNG blob format |
aes256-gcm | kw-aes256 | dh-es | ConcatKDF SHA256 |
cipherText | This example also uses the new algorithm `#dh-es` |

AGRMNT.9 | plaintext.xml | EC-P256 pvtKey "passwd" |
aes128-gcm | kw-aes256 | ECDH-ES | PBKDF2 hmac-sha256, iteration=2000, salt=specified |
cipherText | This example uses EC keys, but not the ConcatKDF key derivation function. Instead it uses the PBKDF2 key derivation. Also notice that the encryption algorithm and key wrapping algorithm have different key lengths - 128 and 256 respectively . The PBKDF2 parameters specifies a key length of 32 to match the wrapping algorithm key length. |

AGRMNT.10 | plaintext.xml | DH-1024 pvtKey "passwd" |
aes128-gcm | kw-aes128 | dh-es | PBKDF2 hmac-sha256, iteration=2000, salt=specified |
cipherText | This example encrypts with a Diffie Hellman key with PBKDF2 key derivation |

- Add AES-128-GCM Block Encryption Algorithm as
*required* - Add AES-256-GCM Block Encryption Algorithm as
*optional*

Block Encryption Algorithm | Apache Santuario (C++) | Oracle | Microsoft |
---|---|---|---|

AES-128-GCM | U | Y | Y |

AES-192-GCM | Y | Y | U |

AES-256-GCM | Y | Y | U |

`<KeyInfo>`

The tests in section 6. RSA-OAEP Key Transport were used to interop test these block encryption algorithms.

In addition, the following test was also used. In this test the content is encrypted by the specified symmetric key:

# | Encryption Parameters | CipherText | Remarks | ||
---|---|---|---|---|---|

Plaintext | Symmetric Key | Content encryption algorithm |
|||

SYM.1 | d9313225f88406e5 a55909c5aff5269a |
feffe9928665731c 6d6a8f9467308308 |
aes128-gcm | cipherText | The plain text and the keys are specified as hex strings. |

- Add
`SHA-384`

Message Digest as*optional*

This algorithm was tested as part of XML Signature 1.1 SHA interop testing [XMLDSIG-CORE1-INTEROP].

- Enabled
`RSA-OAEP`

Key Transport to be used with arbitrary mask generation functions (e.g.`SHA2`

based) by defining an additional`RSA-OAEP`

`URI`

and significantly revising specification text. Add definition of new`xenc11:MGF`

element.

RSA-OAEP with specified MGF Function | Apache Santuario (C++) | Oracle |
---|---|---|

RSA-OAEP with SHA-1 | Y | Y |

- At first the content is encrypted by a random symmetric key .

The`KeyInfo`

of the contents's`EncryptedData`

has an`EncryptedKey`

. - Then this symmetric key is wrapped by an public key.

The`KeyInfo`

of this`EncryptedKey`

has`X509Data`

of the public key.

# | Encryption Parameters | CipherText | Remarks | |||
---|---|---|---|---|---|---|

Plaintext | Asymmetric Key Pvt key file and password |
Content encryption algorithm |
Key encryption algorithm |
|||

WRAP.1 | plaintext.xml | RSA-2048 pvtKey "passwd" |
aes128-gcm | rsa-oaep-mgf1p Digest:SHA256, MGF:SHA1 PSource: None |
cipherText | All the examples in this table use the new AES-GCM algorithm. |

WRAP.2 | plaintext.xml | RSA-3072 pvtKey "passwd" |
aes192-gcm | rsa-oaep-mgf1p Digest:SHA256, MGF:SHA1 PSource: None |
cipherText | In this example the OAEP digest method is specified as SHA256. The MFG algorithm is SHA1. |

WRAP.3 | plaintext.xml | RSA-3072 pvtKey "passwd" |
aes256-gcm | rsa-oaep Digest:SHA384, MGF:SHA1 PSource: None |
cipherText | This example uses the new `#rsa-oaep` algorithm that takes in explicit `MGF`
algorithm. The MGF has been specified as SHA1. |

WRAP.4 | plaintext.xml | RSA-4096 pvtKey "passwd" |
aes256-gcm | rsa-oaep Digest:SHA512, MGF:SHA1 PSource: Specified 8 bytes |
cipherText | This also uses `#rsa-oaep` but has a 8 byte PSource explicitly defined . |

The following algorithms were added in XML Encryption 1.1 but were not included in this round of interop testing as they have been previously tested during the development of the corresponding W3C Recommendation:

- Add Canonical XML 1.1 (omit comments) as
*optional*. Tested with development of [XML-C14N11]. - Add Canonical XML 1.1 with comments as
*optional*. Tested with development of [XML-C14N11].

- [XML-C14N11]
- John Boyer, Glenn Marcy. Canonical XML Version 1.1. 2 May 2008. W3C Recommendation. URL: http://www.w3.org/TR/2008/REC-xml-c14n11-20080502/
- [XMLDSIG-CORE1-INTEROP]
- Frederick Hirsch XML Signature 1.1 Interop Test Report. 23 July 2012. W3C Editors Draft. (Work in progress.) URL: http://www.w3.org/2008/xmlsec/Drafts/xmldsig-core1-interop/Overview.src.html
- [XMLENC-CORE1]
- J. Reagle; D. Eastlake; F. Hirsch; T. Roessler. XML Encryption Syntax and Processing Version 1.1. 18 October 2012. W3C Last Call Working Draft. (Work in progress) URL: http://www.w3.org/TR/2012/WD-xmlenc-core1-20121018/
- [XMLENC-CORE1-CHGS]
- Frederick Hirsch. Functional Explanation of in XML Encryption 1.1. 18 October 2012. W3C Working Group Note. URL: http://www.w3.org/TR/2012/NOTE-xmlenc-core1-explain-20121018/