Signature/Encryption Interdependency
- Problem Statement (David Solo)
- Which <EncryptedData> needs to be decrypted before
signature verification?
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
:
<ds:Reference URI="#order" />
</ds:Signature>
:
<Order Id="order">
:
<xenc:EncryptedData> ... </xenc:EncryptedData> (encrypted BEFORE signing)
<xenc:EncryptedData> ... </xenc:EncryptedData> (encrypted AFTER signing)
<xenc:EncryptedData> ... </xenc:EncryptedData>
:
</Order>
Proposed Solutions - 1
- Application always knows the order
- Works for closed systems only
- Try every combination of decryption until some veryfication
succeeds or all verifications fail
- Too expensive computationally
Proposed Solutions - 2
- Decrypt Transform (Ed Simon)
-
- The signer must know which part(s) will be encrypted BEFORE
signing
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
:
<ds:Transform Algorithm="http://www.w3.org/2000/10/xmlenc#decrypt"> <xenc:Reference URI="#encData2"/>
<xenc:Reference URI="#encData3"/>
</ds:Transform>
</ds:Signature>
:
<Order Id="order">
:
<xenc:EncryptedData id="encData1"> ... </xenc:EncryptedData>
<xenc:EncryptedData id="encData2"> ... </xenc:EncryptedData>
<xenc:EncryptedData id="encData3"> ... </xenc:EncryptedData>
:
</Order>
Proposed Solutions - 3
- NoDecrypt Transform (Jim Schaad)
- The signature verifier must be encryption-aware ("default
decrypt")
- Unclear when to decrypt in the transform sequence
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
:
<ds:Transform Algorithm="http://www.w3.org/2000/10/xmlenc#noDecrypt"> <xenc:EncryptedReference URI="#encData1"/>
</ds:Transform>
</ds:Signature>
:
<Order Id="order">
:
<xenc:EncryptedData id="encData1"> ... </xenc:EncryptedData>
<xenc:EncryptedData id="encData2"> ... </xenc:EncryptedData>
<xenc:EncryptedData id="encData3"> ... </xenc:EncryptedData>
:
</Order>
Our Proposal
- Decrypt-But Transform
-
- The verifier semantics stays unchanged
- Explicitly specify decrypt in the transform sequence (e.g.,
before XPath)
- Closed application does not need to use this
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
:
<ds:Transform Algorithm="http://www.w3.org/2000/10/xmlenc#decrypt"> <xenc:EncryptedReference URI="#encData1"/>
</ds:Transform>
</ds:Signature>
:
<Order Id="order">
:
<xenc:EncryptedData id="encData1"> ... </xenc:EncryptedData>
<xenc:EncryptedData id="encData2"> ... </xenc:EncryptedData>
<xenc:EncryptedData id="encData3"> ... </xenc:EncryptedData>
:
</Order>
Discussions
- Node-set as both input and output
-
- Serialized into an octet stream in order to apply XML
Encryption ... This needs to be InfoSet-preserving!
- If the octet stream is not well-formed (e.g., list of
elements), wrap it with <Dummy>...</Dummy>
-
- XML Community needs a clear concept of "Parsing a Node-Set
in a Context"
- One decryption at a time
-
- NonDecrypt URIs are evaluated each time decryption is done,
because decryption result may contain nested EncryptedData
- Applications should be aware that plaintext guessing attacks
may be possible if
-
- Digest value is not protected properly, AND
- Entropy of digested data is small
Parse a Node-Set In Context
- Parse as if it is an external entity
- e.g., wrap it with <Dummy> ... </Dummy>
- "Context" includes
- Namespace delcarations in ancestor
- Character encoding
- DTD information
-
- External entity
- Default attributes
- ID attributes
- Attribute types (e.g., NMTOKEN is normalized)
- Data types and constraints if schema is in use