Introducing the XML Encryption Structure

Part of the document Pro PHP XML and Web Services, part 6 (docx), pages 24 to 27

Depending upon the algorithm used and any optional information provided to the recipient to aid in key retrieval and additional decryption information, the structure can become a bit complex. This chapter will be using the Triple DES algorithm for encryption, and the structure explained in the following sections will provide enough information to support the use of this algorithm.

Note Using different encryption algorithms may require the use of elements and attributes not covered in this chapter. The goal of this chapter is to provide enough information and examples so that you can understand at least the basic concepts of XML encryption and can begin implementing it using PHP and Triple DES encryption after reading the material. This topic is quite lengthy, and complete coverage is beyond the scope of this book. You can find additional information regarding algorithms, structure, and processing in the specifications identified at the beginning of this chapter.

EncryptedData Element

The EncryptedData element is the root of the XML encryption structure. It is the container for the structure and holds information regarding the encryption used, key retrieval, and the encrypted data. This element replaces the data being encrypted within an XML document or becomes the root of an XML document if the data being encrypted is an entire XML document or is not an XML document and does not reside within a document.

The element lives within the http://www.w3.org/2001/04/xmlenc# namespace, as do most of its children. The possible children of this element are a CipherData element, which is required, and EncryptionMethod, KeyInfo, and EncryptionProperties elements, which are all optional. Four optional attributes exist. Other than the Id attribute, the attributes help the recipient restore the encrypted data to its original form during decryption:

• The Id attribute specifies an ID for the element.

• The Type attribute identifies the type of data prior to encryption. For example, the value http://www.w3.org/2001/04/xmlenc#Element specifies that the original data is XML containing either an empty-element tag or a single element and its contents. The value http://www.w3.org/2001/04/xmlenc#Content indicates that the original data is XML containing the contents of an element, which could consist of mixed content. You can use other values to help in restoring the data to its original state during decryption.

• The MimeType attribute can describe the media type of the data that has been encrypted.

• The optional Encoding attribute can indicate the encoding of the original data.

Based on this, an element that has been encrypted would be replaced with the following EncryptedData element:

<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#"
    Type="http://www.w3.org/2001/04/xmlenc#Element">
    <!-- Contents of EncryptedData element -->
</EncryptedData>

EncryptionMethod Element

The EncryptionMethod element is an optional element. It describes the algorithm that was used to encrypt the data. Without this element, the recipient must already know the algorithm used in order to decrypt the data. The child elements of EncryptionMethod depend upon the type of algorithm used, which is specified by the value of the Algorithm attribute. In this case, the algorithm is Triple DES:

<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>

No child elements are required for this algorithm. For additional information about possible child elements when using other algorithms, refer to the specifications for this element at http://www.w3.org/TR/xmlenc-core/#sec-EncryptionMethod.

KeyInfo Element

The KeyInfo element provides information about obtaining the key needed to decrypt the data. It is not required, but when not provided, the recipient must already know the correct key to use in order to decrypt the data. This element is from the XML-Signature Syntax and Processing specification and is used according to that specification. Please refer to the section “Introducing XML Signatures” or the specification for more information.

Tip Remember that this element lives in the http://www.w3.org/2000/09/xmldsig# namespace and, when used within XML encryption, must be namespaced properly.

The examples of XML encryption within this chapter do not offer any hints about the key used. The key for the examples is just the string "secret", and the only additional key information that will be provided is the name of the key, which will be mcryptiv, and the value used for the initialization vector for the mcrypt functions. This value is generated when the IV is created during encryption and is then sent within the KeyValue element so that the data can be properly decrypted:

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
    <KeyName>mcryptiv</KeyName>
    <KeyValue><!-- Value generated while encrypting --></KeyValue>
</KeyInfo>

CipherData Element

The CipherData element is a required element that provides the encrypted data through inclusion or by providing a reference to the location of it. It is a container for either a CipherValue element or a CipherReference element. Only one of these elements can be present as the content for this element.

CipherValue Element

The CipherValue element includes encrypted data within the XML encryption structure. The content of this element is the Base64-encoded value of the encrypted data:

<CipherValue>NMIYVAUsrK/P4+W1N2P811DL2Hpkg9SeCplIp9kxJpGfhXYFM2n29A==</CipherValue>

CipherReference Element

The CipherReference element works in a similar manner to Reference elements used in XML signatures. It can contain Transforms elements, which are not covered in detail in this chapter, but must have a URI attribute used to locate the encrypted data. After processing the URI, which includes processing any Transforms that may be used, the resulting data must contain the encrypted value. This means that if the data were Base64 encoded, like it is when using a CipherValue element, it must be decoded prior to finishing processing:

<CipherReference URI="http://www.example.com/remotedata.enc" />

This example would use the data located at http://www.example.com/remotedata.enc.
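To tie the sections above together, here is an added example (not code from the book, and written in Python rather than the book's PHP) that parses an EncryptedData element built exactly as described: it enforces the required CipherData, the one-of rule for CipherValue and CipherReference, the xmldsig namespace on KeyInfo, and the 8-byte block and IV sizes that Triple DES CBC implies. The sample document is constructed for this example; the KeyValue IV bytes are made up, and a CipherReference URI is returned but deliberately never fetched.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
TRIPLEDES_CBC = XENC + "tripledes-cbc"

# Constructed sample of the structure described above: 3DES-CBC, key name
# "mcryptiv", IV carried in KeyValue (the IV bytes here are made up).
SAMPLE = f"""<EncryptedData xmlns="{XENC}" Type="{XENC}Element">
  <EncryptionMethod Algorithm="{TRIPLEDES_CBC}"/>
  <KeyInfo xmlns="{DSIG}">
    <KeyName>mcryptiv</KeyName>
    <KeyValue>AAECAwQFBgc=</KeyValue>
  </KeyInfo>
  <CipherData>
    <CipherValue>NMIYVAUsrK/P4+W1N2P811DL2Hpkg9SeCplIp9kxJpGfhXYFM2n29A==</CipherValue>
  </CipherData>
</EncryptedData>"""


def parse_encrypted_data(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XENC}}}EncryptedData":
        raise ValueError("root must be EncryptedData in the xmlenc namespace")
    info = {"type": root.get("Type"), "mime_type": root.get("MimeType"), "encoding": root.get("Encoding")}
    # EncryptionMethod is optional; without it the recipient must already know the algorithm.
    method = root.find(f"{{{XENC}}}EncryptionMethod")
    info["algorithm"] = method.get("Algorithm") if method is not None else None
    # KeyInfo and its children live in the xmldsig namespace, not xmlenc.
    key_info = root.find(f"{{{DSIG}}}KeyInfo")
    info["key_name"] = key_info.findtext(f"{{{DSIG}}}KeyName") if key_info is not None else None
    key_value = key_info.findtext(f"{{{DSIG}}}KeyValue") if key_info is not None else None
    info["iv"] = base64.b64decode(key_value) if key_value else None
    # CipherData is required and must hold exactly one of CipherValue / CipherReference.
    cipher_data = root.find(f"{{{XENC}}}CipherData")
    if cipher_data is None:
        raise ValueError("CipherData is required")
    value = cipher_data.find(f"{{{XENC}}}CipherValue")
    ref = cipher_data.find(f"{{{XENC}}}CipherReference")
    if (value is None) == (ref is None):
        raise ValueError("CipherData needs exactly one of CipherValue or CipherReference")
    # A CipherReference is returned as a URI, never fetched here; the caller decides whether dereferencing it is acceptable.
    info["cipher_reference"] = ref.get("URI") if ref is not None else None
    info["ciphertext"] = base64.b64decode(value.text.strip()) if value is not None else None
    # Sanity checks for 3DES-CBC: 8-byte IV and ciphertext a whole number of 8-byte blocks.
    if info["algorithm"] == TRIPLEDES_CBC and info["ciphertext"] is not None:
        if (info["iv"] is not None and len(info["iv"]) != 8) or len(info["ciphertext"]) % 8:
            raise ValueError("3DES-CBC needs an 8-byte IV and ciphertext in 8-byte blocks")
    return info
```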
