XML-Encryption and End-to-End Security

Mike Wray

mike_wray@hp.com

Internet Security and Solutions Division, Hewlett-Packard

E-speak security

•Authorization: SPKI certificates

–attribute and name certificates

–principals are public keys or key hashes

•Message security: SLS

–Session Layer Security protocol

SLS – Session Layer Security protocol

•provides end-to-end security

•transport independent

•supports secure relays

•allows address rewriting

•algorithms:

–elliptic curve DH

–Blowfish, 3DES, RC4, …

–HMAC-SHA1

SLS session

•Handshake sets up:

–session id (SPI)

–shared secret

–ciphersuite

–encryption and MAC keys for each direction

•Handshake may also include requirements (attributes) to be proved by each party

–proof is a set of certificates

–handshake fails if not proved

SLS Handshake with a relay

[graphic]

Requirements on XML-Encryption

•support encryption info identified by SPI

–keys vary for encryption, MAC and direction

–SPI and sequence number included

•support MAC

•support literal RSA keys directly, no name

•support key hashes

•key naming to support parameters

Comments on XML-Encryption

•document integrity

–prevent substitution of encrypted items

–prevent tampering with encryption info

•encrypted item integrity

–prevent tampering with ciphertext

–suggest encryption should use MAC by default

•encrypted XML potentially vulnerable to low-entropy attacks?

–support randomized encryption modes
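The requirement slide (per-direction encryption and MAC keys, SPI and sequence number included) and the integrity comments above can be illustrated with a MAC that covers the SPI, the sequence number and the ciphertext. This is an added example, not code from E-speak or SLS: the key-derivation labels, field sizes, record layout and the strictly increasing sequence check are assumptions, and the ciphertext is treated as opaque constructed bytes.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct(">IQ")  # SPI (32-bit) + sequence number (64-bit); sizes are assumptions
TAG_LEN = hashlib.sha1().digest_size  # HMAC-SHA1, the MAC listed on the SLS slide

def derive_keys(shared_secret: bytes, spi: int) -> dict:
    """Hypothetical KDF: one key per (direction, purpose), so no key is reused."""
    keys = {}
    for direction in ("i2r", "r2i"):  # initiator->responder, responder->initiator
        for purpose in ("enc", "mac"):
            label = f"{direction}/{purpose}/{spi}".encode()
            keys[direction, purpose] = hmac.new(shared_secret, label, hashlib.sha1).digest()
    return keys

def seal(mac_key: bytes, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Attach a MAC computed over SPI, sequence number and ciphertext."""
    header = HDR.pack(spi, seq)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha1).digest()
    return header + ciphertext + tag

class Receiver:
    def __init__(self, mac_key: bytes, spi: int):
        self.mac_key, self.spi, self.last_seq = mac_key, spi, -1

    def open(self, record: bytes) -> bytes:
        """Return the ciphertext only if MAC, SPI and sequence number all check out."""
        if len(record) < HDR.size + TAG_LEN:
            raise ValueError("record too short")
        signed, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = hmac.new(self.mac_key, signed, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):  # verify before trusting any field
            raise ValueError("MAC check failed")
        spi, seq = HDR.unpack(signed[:HDR.size])
        if spi != self.spi:
            raise ValueError("record belongs to another session")
        if seq <= self.last_seq:  # assumption: sequence numbers strictly increase
            raise ValueError("replayed or reordered record")
        self.last_seq = seq
        return signed[HDR.size:]

if __name__ == "__main__":
    keys = derive_keys(b"constructed shared secret", spi=0x1001)
    rx = Receiver(keys["i2r", "mac"], spi=0x1001)
    rec = seal(keys["i2r", "mac"], 0x1001, 0, b"opaque ciphertext (constructed)")
    print(rx.open(rec))
```

Because the MAC is checked before the header is parsed, the receiver never acts on an unauthenticated SPI or sequence number.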

Comments on XML-Encryption (2)

•should require AES be supported

•sender or recipient name may be an exposure

–support literal keys (and hashes)

–application-defined ids

•ensure no reliance on unauthenticated data

•consistency with XML-Signature KeyInfo