Introduction
There are three common ways to encrypt XML.
1. Symmetric encryption only
This method uses a single key: XML encryption and decryption use the same key. Because the key is not stored in the encrypted XML, both sides must load it for encryption and decryption and protect it from theft.
2. Symmetric encryption of the data plus asymmetric encryption of the key
This method needs a symmetric key to encrypt the data and an asymmetric key pair to protect that symmetric key. The encrypted symmetric key and the encrypted data are both stored in the XML document. The public key encrypts the symmetric key; the corresponding private key decrypts it.
This is the method used in this article. For more information, see MSDN.
(Note: an asymmetric algorithm uses two keys, a public key and a private key, which form a pair. Data encrypted with the public key can be decrypted only with the matching private key, and data encrypted with the private key only with the matching public key. Because encryption and decryption use different keys, the algorithm is called asymmetric.)
3. X.509 certificate
This method uses the public key carried in an X.509 certificate as the asymmetric key; the certificate is issued by a third party (a certificate authority such as VeriSign). In .NET 2.0, EncryptedXml.Encrypt(XmlElement, X509Certificate2) takes this route.
Method
However the encryption is done, the encrypted data is stored in one of two ways.
1. The encrypted element is replaced entirely by an element named <EncryptedData>.
2. Only the element's content is replaced; the element name stays readable and unchanged.
This subtle difference matters. For example:
Suppose the root element <employee> has a child element <WrittenWarning> that holds the details of a warning, and you want <WrittenWarning> protected before the document is sent. With the first method, <WrittenWarning> is replaced by <EncryptedData>, so a reader of the encrypted document learns nothing from it.
With the second method, the <WrittenWarning> element is kept and only its content is encrypted. Anyone who obtains the document cannot read the details, but can still see that something happened to this employee. Note also that the attributes of <WrittenWarning> are not encrypted in this mode.
Therefore, unless there is a specific requirement, the first method is the usual choice. In .NET 2.0 the choice is a single Boolean: the content parameter of EncryptedXml.ReplaceElement (and of EncryptedXml.EncryptData). false replaces the whole element, true replaces only its content.
Example of xml Encryption
The following example uses the second method from the introduction (a symmetric key for the data, RSA for the symmetric key) to encrypt the content of the author element and replace the author element itself with <EncryptedData>.
XML document:
<?xml version="1.0" standalone="no"?>
<article>
  <articleinfo>
    <title>XPath Queries on XmlDocument objects in .NET 1.1</title>
    <abstract>
      <para>This article covers the basics.</para>
    </abstract>
    <author>
      <honorific>Mr.</honorific>
      <firstname>George</firstname>
      <surname>James</surname>
      <email>gjames@doman.com</email>
    </author>
  </articleinfo>
</article>
The XPath expression that selects the element to encrypt is /article/articleinfo/author.
Encrypted XML document:
<?xml version="1.0" standalone="no"?>
<article>
  <articleinfo>
    <title>XPath Queries on XmlDocument objects in .NET 1.1</title>
    <abstract>
      <para>This article covers the basics.</para>
    </abstract>
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <KeyName>session</KeyName>
          </KeyInfo>
          <CipherData>
            <CipherValue>r4f7SI1aZKSvibb...</CipherValue>
          </CipherData>
        </EncryptedKey>
      </KeyInfo>
      <CipherData>
        <CipherValue>sGNhKqcSovipJdOFCFKYEEMRFd...</CipherValue>
      </CipherData>
    </EncryptedData>
  </articleinfo>
</article>
The author element and its children are replaced by <EncryptedData>, which also carries the algorithm identifiers and the encrypted key.
<EncryptedData> element
Look more closely at the tree under <EncryptedData> and you will see that it is made up of several child elements. Its <KeyInfo> element is the same <KeyInfo> defined by XML Signature.
The EncryptedData element belongs to the http://www.w3.org/2001/04/xmlenc# namespace and is the root of the encrypted data.
The EncryptionMethod element names the symmetric algorithm used to encrypt the data. Its Algorithm attribute holds a W3C URI; here http://www.w3.org/2001/04/xmlenc#aes256-cbc, meaning the data is encrypted with AES (Rijndael) in CBC mode with a 256-bit key. CBC provides confidentiality only: an attacker who can modify the ciphertext and observe how the receiver handles the resulting malformed plaintext can attack it, so a document whose integrity matters should also carry an XML signature.
The KeyInfo element is borrowed from XML Signature and holds information about the key needed to decrypt the data, here the symmetric key itself in encrypted form. It can carry other key information as well.
The EncryptedKey element under KeyInfo, together with its children, holds the encrypted symmetric key and describes how it was encrypted.
The EncryptionMethod element inside EncryptedKey names the asymmetric algorithm used to encrypt the symmetric key, again through its Algorithm attribute: here http://www.w3.org/2001/04/xmlenc#rsa-1_5, RSA with PKCS#1 v1.5 padding. Where both sides support it, RSA-OAEP (http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) is the better choice, since v1.5 key transport is open to padding-oracle attacks if the decrypting side leaks whether unpadding succeeded; in .NET the useOAEP flag of EncryptedXml.EncryptKey and DecryptKey selects it.
The KeyName element is an identifier that lets the decrypting side find the right key. Its role becomes clear in the code below, where AddKeyNameMapping ties the name "session" to an RSA key.
The CipherData and CipherValue elements appear under both EncryptedKey and EncryptedData and hold the ciphertext, stored base64-encoded in CipherValue. The CipherValue under EncryptedKey holds the encrypted symmetric key; the CipherValue under EncryptedData holds the encrypted data.
Asymmetric xml encryption steps
The XML encryption process can be summarized in five steps:
1. Select an element in the XML document (selecting the root element encrypts the entire document).
2. Encrypt the element with a symmetric key.
3. Encrypt that symmetric key with an asymmetric algorithm (using the public key).
4. Create an EncryptedData element that contains the encrypted data and the EncryptedKey.
5. Replace the original element with the encrypted element.
Most of these steps are done for you by classes in .NET 2.0.
Asymmetric xml decryption steps
The XML decryption process can be summarized in four steps:
1. Select an EncryptedData element in the XML document.
2. Decrypt the symmetric key with the asymmetric algorithm (using the private key).
3. Decrypt the data with the recovered symmetric key.
4. Replace the EncryptedData element with the decrypted element.
Most of these steps are done for you by classes in .NET 2.0.
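The two storage modes from the Method section and the five encryption and four decryption steps above, carried out end to end, as an added example that is not the article's own code. It runs the same document through method 1 (whole element replaced, EncryptedXml.Encrypt does steps 2 to 4 itself) and method 2 (content only, where the EncryptedData has to be assembled by hand because Encrypt(element, keyName) has no content switch), then decrypts both with DecryptDocument. It assumes the System.Security.Cryptography.Xml assembly (built into .NET Framework, a NuGet package on .NET Core and later); the key pair is generated in memory with RSA.Create() instead of being loaded from the article's key files, and the sample document and its id attribute on <author> are constructed for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class XmlEncDemo
{
    // Constructed sample input, shaped like the article's document (id attribute added).
    const string SampleXml =
        "<article><articleinfo><title>XPath Queries</title>" +
        "<author id=\"42\"><honorific>Mr.</honorific><firstname>George</firstname>" +
        "<surname>James</surname><email>gjames@doman.com</email></author>" +
        "</articleinfo></article>";
    const string KeyName = "session";                       // written to <KeyName>
    const string AuthorPath = "/article/articleinfo/author";

    static XmlDocument Load()
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(SampleXml);
        return doc;
    }

    // Method 1 (Type=Element). Encrypt() generates a random AES-256 session key,
    // encrypts the element with it (aes256-cbc), wraps the key with the RSA public
    // key (rsa-1_5) and builds the whole <EncryptedData> tree.
    static XmlDocument EncryptWholeElement(RSA rsa)
    {
        XmlDocument doc = Load();
        var target = (XmlElement)doc.SelectSingleNode(AuthorPath);   // step 1
        var exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(KeyName, rsa);
        EncryptedData ed = exml.Encrypt(target, KeyName);            // steps 2-4
        EncryptedXml.ReplaceElement(target, ed, false);              // step 5, content=false
        return doc;
    }

    // Method 2 (Type=Content): the <author> tag and its attributes stay readable.
    // Steps 2-4 are done by hand, the same way Encrypt() does them internally.
    // Aes.Create() needs .NET 3.5+; on .NET 2.0 use RijndaelManaged.
    static XmlDocument EncryptContentOnly(RSA rsa)
    {
        XmlDocument doc = Load();
        var target = (XmlElement)doc.SelectSingleNode(AuthorPath);   // step 1
        var exml = new EncryptedXml(doc);
        using (Aes aes = Aes.Create())
        {
            aes.KeySize = 256;
            byte[] cipher = exml.EncryptData(target, aes, true);     // step 2, content=true

            var ek = new EncryptedKey();                              // step 3
            ek.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSA15Url);
            ek.KeyInfo.AddClause(new KeyInfoName(KeyName));
            ek.CipherData = new CipherData(EncryptedXml.EncryptKey(aes.Key, rsa, false));

            var ed = new EncryptedData();                             // step 4
            ed.Type = EncryptedXml.XmlEncElementContentUrl;
            ed.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url);
            ed.KeyInfo.AddClause(new KeyInfoEncryptedKey(ek));
            ed.CipherData = new CipherData(cipher);

            EncryptedXml.ReplaceElement(target, ed, true);            // step 5, content=true
        }
        return doc;
    }

    // Decryption steps 1-4: DecryptDocument() finds every <EncryptedData>, unwraps the
    // AES key named "session" with the RSA private key and restores the plaintext in place.
    static void Decrypt(XmlDocument doc, RSA rsa)
    {
        var exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(KeyName, rsa);
        exml.DecryptDocument();
    }

    static void Check(bool condition, string what)
    {
        if (!condition) throw new InvalidOperationException("unexpected: " + what);
    }

    static void Main()
    {
        using (RSA rsa = RSA.Create())   // one in-memory key pair stands in for the key files
        {
            XmlDocument whole = EncryptWholeElement(rsa);
            Check(whole.SelectSingleNode(AuthorPath) == null, "method 1 hides <author> entirely");

            XmlDocument content = EncryptContentOnly(rsa);
            var author = (XmlElement)content.SelectSingleNode(AuthorPath);
            Check(author != null && author.GetAttribute("id") == "42", "method 2 keeps <author> and its attributes");
            Check(author.SelectSingleNode("email") == null, "method 2 still hides the children");

            foreach (XmlDocument doc in new[] { whole, content })
            {
                Decrypt(doc, rsa);
                Check(doc.SelectSingleNode(AuthorPath + "/email").InnerText == "gjames@doman.com", "round trip");
            }
            Console.WriteLine(whole.OuterXml);
        }
    }
}
```

The Check calls make the difference between the two modes concrete: after method 2 the <author id="42"> tag, attribute included, is still visible to anyone holding the document, only its children are gone. The same AddKeyNameMapping and DecryptDocument calls decrypt both variants, because the EncryptedKey with <KeyName>session</KeyName> is what DecryptDocument looks for in either case.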
Namespace
To encrypt XML we need three namespaces.
System.Xml: classes for working with XML documents (XmlDocument, XmlElement, XPath selection)
System.Security.Cryptography: classes for generating and using cryptographic keys (RSACryptoServiceProvider and the symmetric algorithms)
System.Security.Cryptography.Xml: the classes that do the XML encryption work (EncryptedXml, EncryptedData, EncryptedKey)
Use .NET to encrypt XML
This article comes with a simple XML encryption and decryption application. Let's look at the relevant code. The example has only basic functionality; you can add features such as richer node selection.
First, load the RSA public key that will encrypt the session key.

// Create an asymmetric key for encryption.
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();

// Load the public key: the file holds the <RSAKeyValue> XML produced by rsa.ToXmlString(false)
XmlDocument pubKeys = new XmlDocument();
pubKeys.Load(Application.StartupPath + "\\xml.dev.keys.public");

// The public key will be used to encrypt the session key
rsa.FromXmlString(pubKeys.OuterXml);
Next, load the XML document and select the node to encrypt. The following code selects the node with an XPath expression; if no expression is given, the whole document is encrypted.

// The xml document to encrypt
this.xmlEncDoc = new XmlDocument();
// Load nodes and data into the xml document (omitted)

XmlElement encElement;
if (xpath == string.Empty)
{
    // No XPath given: encrypt the whole document (its root element)
    encElement = this.xmlEncDoc.DocumentElement;
}
else
{
    // Namespace manager kept by the application's controller
    XmlNamespaceManager xmlns = this.xmlCntrlr.xmlnsManager;
    // Select the element to encrypt through XPath
    encElement = this.xmlEncDoc.SelectSingleNode(xpath, xmlns) as XmlElement;
}
if (encElement == null)
{
    throw new ArgumentException("XPath did not select an element: " + xpath);
}
Use the EncryptedXml class to encrypt the data and the key.

// The class that does the xml encryption
EncryptedXml xmlEnc = new EncryptedXml(this.xmlEncDoc);
// Register the name "session" for the RSA key; the name is written to <KeyName>
xmlEnc.AddKeyNameMapping("session", rsa);
// Encrypt the element: a random AES-256 key encrypts the data, the RSA public key
// encrypts that AES key, and both end up under the returned <EncryptedData>
EncryptedData encData = xmlEnc.Encrypt(encElement, "session");

Replace the original element with the encrypted element.

// Replace the original element with the encrypted element
// (content=false: the whole element, including its name, is replaced)
EncryptedXml.ReplaceElement(encElement, encData, false);
Use .NET to decrypt XML
First, load the RSA private key that will decrypt the session key.

// Create an asymmetric key for decryption.
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();

// Load the private key: the <RSAKeyValue> XML produced by rsa.ToXmlString(true)
XmlDocument privKeys = new XmlDocument();
privKeys.Load(Application.StartupPath + "\\xml.dev.keys.private");

// The private key will be used to decrypt the session key
rsa.FromXmlString(privKeys.OuterXml);

Next, map the same key name to the private key for the encrypted document.

// Map the key name used at encryption time to the private key
EncryptedXml encXml = new EncryptedXml(xmlEncDoc);
encXml.AddKeyNameMapping("session", rsa);

Finally, decrypt every EncryptedData element in the document with the mapped key.

// Decrypt all <EncryptedData> elements in place
encXml.DecryptDocument();
Summary
XML Encryption is the W3C standard for encrypting XML, and the encrypted document is still XML. This article encrypts XML with a combination of asymmetric and symmetric algorithms: the symmetric algorithm encrypts the data, and the asymmetric algorithm encrypts the symmetric key. The encrypted data is stored in the EncryptedData element, whose child elements describe the algorithms and the key information.