XML Encryption Draft Requirements

Draft 2000-January-23

This version:
http://www.w3.org/Encryption/2001/01/23-xml-encryption-req.html
Latest version:
...
Previous version:
...
Editor(s):
Joseph Reagle <reagle@w3.org>
...

Copyright  2001 The Internet Society & W3C (MIT, INRIA, Keio), All Rights Reserved. W3C liability, trademark, document use and software licensing rules apply.

Status of this Document

This is draft intended to capture and focus discussion prior to the 01 March 2001 face-to-face meething. This document has no standing whatsoever.

This document does not represent consensus. Instead, it is the author's attempt to show requirements and alternatives within the scope already out-line in the ongoing discussions. Furthermore, it may include things that are not well stated, as well as provocative or contrary positions (or alternative wordings) in order to elicit review and discussion. It's roughly based on the authors understanding of {prop1}, {prop2}, {prop3}, {C2000}, {WS},  and other discussion and proposals, though my characterizations may be in error. Positions which are potentially in conflict are specified as a list of lettered points. For example:

  1. Extensibility
    1. Position
    2. Alternative/Contrary Position

Some alternatives are stricken to represent that a newer proposal was considered or consensus seems counter to that proposal, but I'm not yet confident enough (or things can be learned) by not yet deleting it from the document.

Citation of a source (e.g., {source}) in no way indicates that is the originator or sole supporter of that requirement. Instead, it helps track at least one source/motivation of the requirement.

Please send comments to the editor <reagle@w3.org> and cc: the list  xml-encryption@w3.org (archives) Publication of this document does not imply endorsement by the W3C membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time.


 

Abstract

This document lists the design principles, scope, and requirements for the XML Encryption. It includes requirements as they relate to the encryption syntax, data model, format, cryptographic processing, and external requirements and coordination.

Table of Contents

  1. Introduction
  2. Design Principles and Scope
  3. Requirements
    1. Encryption Data Model and Syntax
    2. Objects
    3. Processing
    4. Algorithms and Structures
    5. Security
    6. Misc.
    7. Coordination
    8. Intellectual Property
  4. References

1. Introduction

The XML 1.0 Recommendation [XML] describes the syntax of a class of data objects called XML documents. There is interest in a specification of XML syntax and processing for encrypting digital content, including portions of  XML documents and protocol messages. This documents provides requirements for such an activity -- as well as provocation and alternative requirements.

2. Design Principles and Scope

This section describes requirements over intended result, how these motivations are realized are addressed in subsequent sections.

  1. The XML Encryption specification will describe how to use XML to represent a digitally encrypted Web resource (including XML itself). {prop1,prop2}
    1. The specification must provide for the encryption a part or totality of an XML document
      1. Granularity of encryption includes any Information Set Item. {List: Reagle}[No one strongly advocated this position]
      2. Granularity is limited to the node-set specified by a user specified XPath expression {List: Huck}(There opposing requirements that XPath not be required for XML Encryption.)
      3. Granularity of encryption also includes attribute values. {prop1, WS}[Workshop participants were split on this issue]
      4. Granularity of encryption is limited to an element (including start/end tags) or element content (between the start/end tags). {prop2, WS}Otherwise, sensitive attribute values are secured by:
        1. transforming the original document into a element based vesion. {List: Hallam-Baker} (However, requiring applications to do this in a "non-standard" way is costly, {List: Simon} and can make the data useless to intermediate processors which is counter to othe purpose of partial encryption. {List: Reagle}
        2. ...?
    2. The specification must enable the encrypted data to reside in an external object: the encryption information is detached from the thing encrypted. {prop2}
    3. The specification must provide for recursive encryption (capable of encrypting XML with portions already encrypted). {prop1,prop2}
    4. The specification must provide for the separation of encryption information from encrypted data, and support reference mechanisms for addressing encryption information from encrypted data sections. {HP: R3.7}

  2. The specification should strive to limit optionality and maximize extensibility such that all of the specification can be quickly implemented
  3. The specification must addresses security concerns arising from the design and its implementation.
  4. The mechanisms of encryption must be simple: describe how to encrypt/decrypt digital content, XML documents, and portions thereof. {Reagle}
    1. Only enough information necessary for decryption need be provided. {Reagle}
    2. The specification will not address the confidence or trust applications place in the provision of a key
    3. The specification will not address authentication. {List: Reagle, WS}
    4. The specification will not address authorization and access control. {List: Reagle, Simon, Kudoh, WS}
  5. If the working group addresses an Information Set representation or canonicalization, it must use pre-existing data models (e.g., Information Set) and canonicalization methods (e.g., Canonical XML) unless it can explicitly justify the need for a new one. {Reagle}
  6. The specification will define a minimal set of algorithms and key structures necessary for interoperability purposes. {Reagle}
  7. Whenever possible, any resource or algorithm is a first class object, and identified by a URI. {prop1,prop2}

3. Requirements

1. Encryption Data Model and Syntax

  1. The XML data model used by XML Encryption in identifying or representing data that has been processed will be predicated on:
    1. a simple enumerated subset of InfoSet items and properties {e.g., element, character, attribute, attribute normalized-value, etc.)  {WS}
    2. XPath {List: Huck}
    3. the RDFS schema within the Information Set specification [Infoset] {Reagle}
    4. [XSet] {Reagle}
    5. DOM node lists {prop3}
  2. XML Encryption can be applied to any Web resource -- including non-XML content. {prop1,prop2} Also, see Requirements: Objects.
    1. XML Encryption should be able to work with streaming media. {List: Simon}(Does this necessitate detached encryption? -JR)
    2. A non-XML object when encrypted is encoded in an instance of XML; when decrypted it must revert to its original media type. {TimBL}
  3. Encrypted objects are first class objects themselves and consequently can be referenced, encrypted, and signed. {Reagle}

2. Objects

  1. The specification may provide for encrypted representations of non XML data (e.g., MIME-objects).
    1. The specification must define an analog of xmldsig:Object that provides an encoding and type description for the encoded object. {Reagle:xmldsig}
    2. The specification must not define any representation formats. {HP: R2.2, List: Huck}
  2. Binary data may be represented as
    1. Base64 encoding only. {Reagle:xmldsig}
    2. XML Schema 'base64' and 'hex' only.  {HP: R3.5.2, List: Huck}
  3. Should we provide a packaging format to describe that multiple encrypted objects are related (e.g., different encodings of the same document? {prop3: open issue 2}

3. Processing

  1. Implementation/Design Philosophy
    1. Parser  {WS}
      1. XML Encryption applications must be XML-namespaces [XML-namespaces] aware.
      2. XML Encryption applications must be XML Schema [XML-schema] aware in that they create XMl encryption instances conforming to the schema definition. {Reagle}
      3. Implementation of the specification should have a minimal affect upon XML parser and schema implementations. While {WS:Simon} demonstrated that XML-encryption functionality did not necessarily require any changes to particular DOM and XML parser implementations, it may be necessary for implementors to tweak their parsers as needed.
    2. XML Instance Validity {WS}
      1. Encrypted instances must be well-formed but need not be valid (i.e. applications that encrypt the element structure are purposefully hiding that structure.)
      2. Instance authors that want to validate encrypted instances must do one of the follow:
        1. Write the original schema so as to validate resulting instances given the change in its structure and inclusion of element types from the XML Encryption namespace.
        2. Provide a post-encryption schema for validating encrypted instances.
        3. Only encrypt PCDATA text of element content and place DecryptionInfo and KeyInfo in an external document. (This requires granular detached/external encryption.)
  2. The processing model should be based on:
    1. Application specific logic {List: Ferguson}
    2. XSLT  {List: Ferguson}
    3. XPath {MyProof}
    4. XLink {List: Maruyama}
  3. The referencing model (how to identify the things being encrypted) will be based on:
    1. URIs or ID fragments
    2. URI+IDs (These then have to be expressed as an  XPointer unless there are transforms.)
    3. XPath expressions (These then have to be expressed as an XPointer unless there are transforms.)
    4. XLink (provides bi-directional) {WS: not desired in poll}
  4. The encryption and XML processing should be
    1. Fast {List: Ferguson}
    2. Memory efficient {List: Ferguson}
    3. Work with tree and event based parsers {List: Ferguson}
  5. Transforms  {WS}
    1. Encryption Transforms
      1. The specification must enable the specification of additional transforms as part of encryption processing using a method similar to that of XML Signature (However in encryption they are applied in reverse order {List: Huck}). This would enable user specified transforms such as compression, canonicalization, advanced padding and signature processing. {HP: R3.4.1, List: Huck}
        1. A compression transform should be defined or referenced.
        2. Canonicalization? (Canonical XML is XML, but can be verbose.)
        3. If we decide against attribute encryption, then one could use an XSLT transform to convert from the original document into one an instance where everything is captured as a element+content. {Reagle, List: Hallam-Baker}
      2. The specification must not enable the specification of additional transforms; transforms must be done by the application and represented in their own syntax (e.g., compression is done by compressing content and rapping that data in an XML compression syntax.)
  6. Encryption and Signatures
    1. The specification must address how to use XML Signature with XML Encryption such that multiple parties may selectively encrypt and sign portions of documents that might already be signed and encrypted.
      1. The order of encryption and decryption is an application issue and out of scope. {List: Ashwood, Hirsch}
      2. When data is encrypted, so is its Signature; consequently those Signature you can see can be validated. (However, this doesn't work with some cases of detached Signatures.){List: Finney}
      3. Capture the order of processing:
        1. When data is encrypted, the ID value that used to correspond to the content and was referred to by a Signature, is now given to the ID of the Encryption content. Processors first try to signature validate the encrypted element, if that fails they then try to decrypt it. {List: Hirsch} (This only works when the signature/encryption is of the same granularity, what happens if you want to encrypt children of the element signed? {List: Reagle})
        2. A separate XML structure contains a stack of processing (signing/encrypting) steps; you can't insert this as attributes directly.into the XML as it would then break signatures. {List: Hallam-Baker/Reagle}
        3. For attached signatures, create nesting elements such as <exposedSignature>, <hiddenSignature>, <signThenEncrypt>, <encryptThenSign> {List: Ashwood}
      4. During signature validation, only decrypt those portions specified by a decyrption signature transform. (However, this makes subsequent encryption difficult; plus leaving the signature in the clear if the signed data is encrypted allows plaintext guessing attacks.) {List: Reagle}
      5. During signature validation, decrypt all portions except those with a <xenc:NoDecrypt> element within <dsig:SignatureProperty>. (This is an odd change to Signature Transform semantics; plus leaving the signature in the clear if the signed data is encrypted allows plaintext guessing attacks.)  {List: Maruyama}
      6. During signature transform processing, if you encounter a decrypt transform, decrypt all encrypted content in the document except for those excepted by its EncryptedReference child element. {List: Maruyama} (Solves earlier encryption, detached and semantic concerns, but leaves digest values in the clear (these two should be encrypted. Also, problem of "3.b Problem of "Alice Encrypts element A and the Signature over the parent of A. Bob Encrypts element B (sibling of A) but *not* the Signature since he doesn't know about it. Alice then decrypts A and it's Signature, providing information to a subsequent plain text attack." {List: Reagle})
    2. Signature order (which is more secure?)
      1. sign before you encrypt and encrypt signature.{List: Finney} (This can be problematic as, "the only way to achieve secure channels is to encrypt first, then MAC. Though signature is different from MAC, but we should keep in mind that digital signature is an extension of MAC."  {List: Wang})
      2. encrypt before you sign. {List: Wang} (This can be problematic as, "it was shown that by choosing your RSA key pair, and keeping the factors of N, you could create many different statements easily, with very real possibilities for fraud. {List: Ashwood}).

4. Algorithms and Structures

  1. The solution must work with arbitrary encryption algorithms, including symmetric and asymmetric keys schemes as well as dynamic negotiation of keying material. {prop1,prop2}
  2. The specification must specify or reference one mandatory to implement algorithm for only the most common application scenarios. (All options result from Schaad's Algorithm Selections recommendations unless noted.)
    1. Stream Encryption Algorithms
      1. none
      2. RC4 is optional.
    2. Block Encryption Algorithms
      1. AES with CMS keylength is required to implement
      2. AES at other keylengths is optional to implement.
      3. TripleDES is optional to implement.
      4. IDEA as optional to implement {List: Priewe}
    3. Chaining Modes
      1. CBC (Cipher Block Chaining) with PKCS#5 padding is optional to implement.
      2. CTS (Cipher Text Stealing).
    4. Key Transport
      1. RSA-OEAP used with AES is required to implement.
      2. RSA-v1.5 used with TripleDES is optional to implement.
      3. ECIES {List: Blake-Wilson}
    5. Key Agreement
      1. none
      2. Diffie-Hellman is optional to implement
      3. ECDH {List: Blake-Wilson}
    6. Symmetric Key Wrap
      1. CMS-KeyWrap is required for wrapping Triple-DES and RC2 keys
      2. AES KeyWrap from the NSA is mandatory -- when its completely specified.
    7. Message Authentication
      1. XML Signature is optional to implement
    8. Canonicalization
      1. none
      2. Canonical XML is required to implement.
    9. Compression
      1. none
      2. A method for XML redunancy removal should be optional (and should be free of encumbering IP claims) {List: Huck}
    10. Password Derivation Algorith
      1. none
  3. Key Structures
    1. Scope
      1. The only defined key structures will be those required by the mandatory algorithms. {Reagle}
    2. Should we support encryption of keying material to multiple recipients within a single EncryptedKey element? {prop3: open issue 1}
    3. Semantics {prop3: open issue 4}
      1. EncryptedData may contain EncryptedKey and/or KeyInfo child elements.  The EncryptedKey element may also contain a KeyInfo child element. (This might be considered complex). {prop3}
      2. EnryptedKey element is a child of a KeyInfo element, which might also include KeyInfo. (This allows unbounded nesting.)  {prop3}
    4. Definition
      1. Can dsig:KeyInfo be incoporparated directly into the encryption instance? (Which element is  root, do we use schema class extention or open content models?) {List: Reagle}

5. Security

  1. The specification must address security issues arising where the following occur: (does this necessitate padding? {prop3: issue 5}
    1. An attacker may know the original structure of the plain-text via its schema. {List: Wiley}
    2. An attacker may know the length and redundancy of the plain-text data. {List: Finney}
    3. An attacker may have access to an oracle which encrypts attacker chosen plain-text repeatedly. {Reagle}
  2. The specification should support the use of hardware implementation of the encryption processing (which is specified as part of the algorithm identifier). {List: Lambert}
  3. Integrity of Encrypted Data
    1. "The specification must provide mechanisms to check the integrity of decrypted data. Mandatory to implement algorithms should include integrity check mechanisms." {List: Lambert}
    2. "Given the history I think that authentication and encryption in one operation needs to be considered as a separate algorithm rather than supporting mix 'n match schemes. Most authentication with encryption schemes will fail with RC4 and similarly constructed ciphers." {List: Hallam-Baker}

6. Misc

  1. Should we define a structure that sits outside an EncryptedData by which you assert "this key was used to encrypt the following Referents. {prop3: open issue 3}
  2. @@Where did we stand on the issue of email headers encryptor/recipient?

7. Coordination

The XML Encryption specification should meet the requirements of (so as to support) or work with the following applications:

To ensure the above requirements are adequately addressed, the XML Encryption specification must be reviewed by a designated member of the following communities:

8 Intellectual Property

  1. The specification should be free of encumbering technologies: requiring no licensing fees for implementation and use. {List: Ferguson}

    "Members of the XML Encryption Working Group and any other Working Group constituted within the XML Encryption Activity are expected to disclose any intellectual property they have in this area. Any intellectual property essential to implement specifications produced by this Activity must be at least available for licensing on a royalty-free basis. At the suggestion of the Working Group, and at the discretion of the Director of W3C, technologies may be accepted if they are licensed on reasonable, non-discriminatory terms." XML Encryption Charter.

4. References

C2000
Crypto 2000 XML Encryption BoF [minutes]. Santa Barbara. August 24 .
DOM
Document Object Model Core, Level 3. Arnaud Le Hors. W3C Working Draft.
http://www.w3.org/TR/DOM-Level-3-Core/core.html
HP
Requirements and Goals for the Design of an 'XML Encryption Standard'. Gerald Huck and Arne Priewe. November 2000.
InfoSet
XML Information Set, W3C Working Draft. John Cowan.
http://www.w3.org/TR/xml-infoset.
List
XML Encryption List (an unmoderated and unchartered public list).
MyProof
MyProof Position Paper On XML Encryption
prop1
XML Encryption strawman proposal. Ed Simon and Brian LaMacchia. Aug 09 2000.
prop2
Another proposal of XML Encryption. Takeshi Imamura. Aug 14 2000.
prop3
XML Encryption Syntax and Processing. Dillaway, Fox, Imamura, LaMacchia, Maruyama, Schaad, Simon. December 2000.
WS
W3C XML Encryption Workshop [minutes]. SanFrancisco. November 2, 2000.
XML
Extensible Markup Language (XML) 1.0 Recommendation. T. Bray, J. Paoli, C. M. Sperberg-McQueen. February 1998.
http://www.w3.org/TR/1998/REC-xml-19980210
XML-C14N
Canonical XML. Working Draft. J. Boyer. January 2001.
http://www.w3.org/TR/2001/PR-xml-c14n-20010119
XML-ns
Namespaces in XML Recommendation. T. Bray, D. Hollander, A. Layman. January 1999.
http://www.w3.org/TR/1999/REC-xml-names-19990114
XML-schema
XML Schema Part 1: Structures Working Draft. D. Beech, M. Maloney, N. Mendelshohn. October 2000.
http://www.w3.org/TR/2000/CR-xmlschema-1-20001024/
XML Schema Part 2: Datatypes Working Draft. P. Biron, A. Malhotra. October 2000.
http://www.w3.org/TR/2000/CR-xmlschema-2-20001024/
XMLDSIG
XML-Signature Syntax and Processing. Working Draft. D. Eastlake, J. Reagle, and D. Solo.
http://www.w3.org/TR/2000/CR-xmldsig-core-20001031/
XSet
Full Fidelity Information Set Representation. Jonathan Borden. XML-Dev
http://lists.xml.org/archives/xml-dev/200008/msg00239.html
URI
RFC2396. Uniform Resource Identifiers (URI): Generic Syntax. T. Berners-Lee, R. Fielding, L. Masinter. August 1998
http://www.ietf.org/rfc/rfc2396.txt