Introduction
There are three ways to encrypt XML:
1. Symmetric encryption only
This method uses a single key: the XML is encrypted and decrypted with the same key. Because the key is not stored in the encrypted XML, it has to be loaded separately for both encryption and decryption and protected from theft.
2. Symmetric encryption combined with asymmetric encryption
This method uses a symmetric key to encrypt the data and an asymmetric key pair to protect the symmetric key. The encrypted symmetric key is stored alongside the encrypted data in the XML document. The symmetric key is encrypted with the public asymmetric key and decrypted with the matching private key.
This is the method used in this article. See MSDN for more information.
(Translator's note: an asymmetric encryption algorithm uses two keys, a public key (PublicKey) and a private key (PrivateKey), which form a pair. Data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key. Because encryption and decryption use two different keys, the algorithm is called asymmetric.)
3. Encryption with X.509 certificates, where the asymmetric key comes from an X.509 certificate issued by a third party such as VeriSign.
Storage methods
However the XML encryption is done, the encrypted data is always stored in one of two ways:
1. The encrypted element is replaced as a whole by an <EncryptedData> element.
2. Only the element's content is replaced; the element name itself remains readable and unchanged.
This subtle difference matters. For example:
Suppose your XML document has a root element <employee> with a child element <WrittenWarning> that holds a detailed message. If you send this XML and want the <WrittenWarning> element protected, then with the first method <WrittenWarning> is replaced by <EncryptedData>, and no readable information can be obtained from the encrypted document.
With the second method the <WrittenWarning> element is preserved and only its data is encrypted. Anyone who obtains the document cannot read the details, but still learns that something is happening to the employee. In addition, none of the attributes of the <WrittenWarning> element are encrypted.
Therefore, unless there is a special need, the first method is generally used. In .NET 2.0 you choose between the two with a single Boolean value (the last argument of EncryptedXml.ReplaceElement).
Example of XML encryption
The following example uses the asymmetric method to encrypt the contents of the XML document under the author element and replace the author element with <EncryptedData>.
XML document:
    <?xml version="1.0" standalone="no"?>
    <article>
      <articleinfo>
        <title>XPath Queries on XmlDocument Objects in .NET 1.1</title>
        <abstract>
          <para>This article covers the basics.</para>
        </abstract>
        <author>
          <firstname>George</firstname>
          <surname>James</surname>
          <email>gjames@doman.com</email>
        </author>
      </articleinfo>
    </article>
The XPath expression is /article/articleinfo/author.
Encrypted XML document:
    <?xml version="1.0" standalone="no"?>
    <article>
      <articleinfo>
        <title>XPath Queries on XmlDocument Objects in .NET 1.1</title>
        <abstract>
          <para>This article covers the basics.</para>
          <para>This article does not cover.</para>
        </abstract>
        <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
          <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
              <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
              <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <KeyName>session</KeyName>
              </KeyInfo>
              <CipherData>
                <CipherValue>r4f7SI1aZKSvibb...</CipherValue>
              </CipherData>
            </EncryptedKey>
          </KeyInfo>
          <CipherData>
            <CipherValue>sGNhKqcSovipJdOFCFKYEEMRFd...</CipherValue>
          </CipherData>
        </EncryptedData>
      </articleinfo>
    </article>
The author element and its children have been replaced by <EncryptedData>, which also carries other elements describing the encryption algorithms, the key, and so on.
The <EncryptedData> element
Looking closely at the tree structure of the <EncryptedData> element, you will find a number of child elements beneath it. The <KeyInfo> element is the same one used in XML digital signatures.
The EncryptedData element belongs to the "http://www.w3.org/2001/04/xmlenc#" namespace. It is the root element of the encrypted data.
The EncryptionMethod element specifies the symmetric algorithm used to encrypt the data. Its Algorithm attribute holds a W3C URL; "http://www.w3.org/2001/04/xmlenc#aes256-cbc" indicates that the data is encrypted with AES (Rijndael) using a 256-bit key.
The KeyInfo element comes from the XML digital signature standard. It holds information about the symmetric key and can also carry additional information.
The EncryptedKey element and its children under KeyInfo contain information about the stored (encrypted) key.
The EncryptionMethod element inside EncryptedKey (under KeyInfo) names the asymmetric algorithm used to encrypt the symmetric key. Its Algorithm attribute is again a W3C URL; for example, "http://www.w3.org/2001/04/xmlenc#rsa-1_5" means the symmetric key was encrypted with the RSA asymmetric algorithm.
The KeyName element is an identifier used to locate the key. Its importance will become clear later in the code.
The CipherData and CipherValue elements appear under both the EncryptedKey element and the EncryptedData element and hold the cipher data; the actual bytes are stored in CipherValue. The CipherValue under EncryptedKey holds the encrypted key, and the CipherValue under EncryptedData holds the encrypted data.
Asymmetric XML encryption steps
The process of XML encryption can be summed up in five steps:
1. Select an element in the XML document (select the root element to encrypt the entire document).
2. Encrypt the element with a symmetric key.
3. Encrypt the symmetric key with asymmetric encryption (using the public key).
4. Create an EncryptedData element that contains the encrypted data and the encrypted key.
5. Replace the original element with the encrypted element.
Most of these steps are done automatically by the classes in .NET 2.0.
Asymmetric XML decryption steps
The process of XML decryption can be summed up in four steps:
1. Select an EncryptedData element in the XML document.
2. Decrypt the symmetric key with the asymmetric key (using the private key).
3. Decrypt the data with the recovered symmetric key.
4. Replace the EncryptedData element with the decrypted element.
Most of these steps are done automatically by the classes in .NET 2.0.
Namespaces
To encrypt XML we need three namespaces:
System.Xml: classes for manipulating XML
System.Security.Cryptography: classes for generating encryption keys
System.Security.Cryptography.Xml: classes that perform the encryption itself
Encrypting XML with .NET
This article provides a simple application that encrypts and decrypts XML; let's look at the relevant code. The example has only a few basic features; you can add others, such as selecting nodes.
First, load the asymmetric public key that will encrypt the symmetric key:
    // Create the asymmetric key object that will encrypt the symmetric key
    RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
    // Load the public key from its XML file
    XmlDocument pubKeys = new XmlDocument();
    pubKeys.Load(Application.StartupPath + "\\xml.dev.keys.public");
    // Import the public key so that rsa can encrypt keys with it
    rsa.FromXmlString(pubKeys.OuterXml);
Next, load the XML document and select the node to be encrypted. The following code uses an XPath expression to select a node; if no node is selected, the entire XML document is encrypted.
    // The XML document to encrypt
    this.xmlEncDoc = new XmlDocument();
    // Load nodes and data into the XML document (omitted)

    XmlElement encElement;
    // If no XPath was given, encrypt the whole document
    if (xPath == string.Empty)
    {
        encElement = this.xmlEncDoc.DocumentElement;
    }
    else
    {
        XmlNamespaceManager xmlns = this.xmlCntrlr.xmlnsManager;
        // Select the element to be encrypted through the XPath expression
        encElement = this.xmlEncDoc.SelectSingleNode(xPath, xmlns) as XmlElement;
    }
Use the EncryptedXml class to encrypt the data and the key:
    // The class that performs the XML encryption
    EncryptedXml xmlEnc = new EncryptedXml(this.xmlEncDoc);
    // Register a key named "session" that is protected with the RSA public key
    xmlEnc.AddKeyNameMapping("session", rsa);
    // Encrypt the element with the "session" key; the key name is stored under KeyInfo
    EncryptedData encData = xmlEnc.Encrypt(encElement, "session");
Replace the original element with the encrypted element:
    // Replace the original element with the encrypted element (false = replace the whole element)
    EncryptedXml.ReplaceElement(encElement, encData, false);
Decrypting XML with .NET
First, load the asymmetric private key that will decrypt the symmetric key:
    // Create the asymmetric key object that will decrypt the symmetric key
    RSACryptoServiceProvider rsa = new RSACryptoServiceProvider();
    // Load the private key from its XML file
    XmlDocument privKeys = new XmlDocument();
    privKeys.Load(Application.StartupPath + "\\xml.dev.keys.private");
    // Import the private key so that rsa can decrypt keys with it
    rsa.FromXmlString(privKeys.OuterXml);
    // Map the key name used in the encrypted document to the private key
    EncryptedXml encXml = new EncryptedXml(xmlEncDoc);
    encXml.AddKeyNameMapping("session", rsa);
    // Decrypt every <EncryptedData> element in the document with the mapped key
    encXml.DecryptDocument();
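The following is an added example, not the article's own code, that runs the encryption and decryption steps above end to end and also shows both storage methods from the Storage methods section. It assumes .NET with the System.Security.Cryptography.Xml namespace available, generates the RSA pair in memory instead of loading the xml.dev.keys.* files, and works on a constructed copy of the sample document.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;
// Added example, not the article's code: encrypt a constructed <author> element whole (method 1)
// or content-only (method 2) under a named, RSA-wrapped session key, then decrypt it again.
static class XmlEncDemo
{
    const string SampleXml = "<article><articleinfo><title>XPath Queries</title>" +   // constructed sample
        "<author dept=\"editorial\"><firstname>George</firstname><surname>James</surname></author></articleinfo></article>";
    // 'content' is the Boolean the article mentions: false replaces <author> itself with <EncryptedData>,
    // true keeps <author> and its attributes readable and encrypts only its children. Type must agree with it.
    static void Encrypt(XmlDocument doc, XmlElement target, RSA pub, bool content)
    {
        using (Aes aes = Aes.Create())                              // 256-bit key by default: aes256-cbc
        {
            EncryptedData encData = new EncryptedData();
            encData.Type = content ? EncryptedXml.XmlEncElementContentUrl : EncryptedXml.XmlEncElementUrl;
            encData.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url);
            EncryptedKey encKey = new EncryptedKey();               // session key wrapped with RSA-OAEP
            encKey.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl);
            encKey.KeyInfo.AddClause(new KeyInfoName("session"));   // <KeyName> looked up at decryption
            encKey.CipherData = new CipherData(EncryptedXml.EncryptKey(aes.Key, pub, true));
            encData.KeyInfo.AddClause(new KeyInfoEncryptedKey(encKey));
            encData.CipherData.CipherValue = new EncryptedXml(doc).EncryptData(target, aes, content);
            EncryptedXml.ReplaceElement(target, encData, content);
        }
    }
    // Decryption is the same for both forms: map "session" to the private key and let
    // DecryptDocument find every <EncryptedData> and restore the plaintext in place.
    static void Decrypt(XmlDocument doc, RSA priv)
    {
        EncryptedXml encXml = new EncryptedXml(doc);
        encXml.AddKeyNameMapping("session", priv);
        encXml.DecryptDocument();
    }
    static void Main()
    {
        using (RSA rsa = new RSACryptoServiceProvider(2048))        // in-memory pair instead of key files
        foreach (bool content in new[] { false, true })
        {
            XmlDocument doc = new XmlDocument(); doc.LoadXml(SampleXml);
            Encrypt(doc, (XmlElement)doc.SelectSingleNode("/article/articleinfo/author"), rsa, content);
            bool authorVisible = doc.SelectSingleNode("//author") != null;   // method 1: false, method 2: true
            Decrypt(doc, rsa);
            Console.WriteLine("content={0}: <author> visible while encrypted={1}, restored surname={2}",
                content, authorVisible, doc.SelectSingleNode("//author/surname").InnerText);
        }
    }
}
```

The article's one-call overload Encrypt(XmlElement, string) always serializes the whole element and wraps the key with rsa-1_5, so pair it only with content = false; building EncryptedData by hand as above is what lets you choose the #Content type and RSA-OAEP. XML Encryption on its own gives confidentiality only (AES-CBC ciphertext and the wrapped key are malleable), so sign the document as well where tampering matters.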
Summary
XML Encryption is the W3C standard for encrypting XML. The encrypted document is still in XML format. We use asymmetric and symmetric algorithms together to encrypt XML: the symmetric algorithm encrypts the data, the asymmetric algorithm encrypts the symmetric key, and the encrypted data is stored under an EncryptedData element. The EncryptedData element contains child elements that describe the algorithms used and also carries the key information.