| This section lists all of the algorithmic elements/roles in the XML Security specifications in alphabetic order. Table 17-1 summarizes the roles. Next, for each role, a subsection briefly describes that role and provides an enumeration of its implicit parameters. The subsections also include a table of algorithms that can be used in that role.  | In this chapter, you will notice a difference between XMLDSIG and XML Encryption in the style of URIs for algorithms that can be considered composed of other algorithms. The XMLDSIG Working Group chose to create single URIs that incorporate all algorithmic elements such as a public key signature algorithm, padding method, and message digest algorithm. Thus we have one URI for RSA-SHA1, another URI for RSA-SHA256, and so on. This format could have been expressed as a single RSA algorithm with an explicit parameter that could be SHA1, SHA256, or other message digest algorithm. Using a single URI is less verbose and encourages the use of compatible "cipher suites." The XML Encryption Working Group chose to move more toward the orthogonal specification of algorithm components that make up an encryption method. For example, AgreementMethod algorithms and OAEP encryption algorithms take an explicit DigestMethod as a parameter rather than encoding this parameter into the AgreementMethod or OAEP-based EncryptionMethod URI. This method is more verbose but more flexible and avoids a combinatorial explosion in the number of URIs if many different combinations might be used. Table 17-1. Algorithm Role Elements | Role Element/Role Section | Function Section(s) | Possible Parent Elements of the Role Element | Security Service in Which Role Is Used | | AgreementMethod Section 17.2.1 | Key Agreement 18.2 | KeyInfo | XMLDSIG XMLENC | | CanonicalizationMethod Section 17.2.2 | Canonicalization 19.1 | SignedInfo | XMLDSIG | | DigestMethod Section 17.2.3 | Message Digests 18.1 | AgreementMethod EncryptionMethod[1] Reference | XMLDSIG XMLENC | | EncryptionMethod Section 17.2.4 | Block Encryption 18.5 Stream Encryption 18.6 Key Transport 18.7 Symmetric Key Wrap 18.8 | EncryptedData EncryptedKey | XMLENC | | Retrieval Method Chapter 14 | None[2] | KeyInfo | XMLDSIG XMLENC | | SignatureMethod Section 17.2.5 | Message Authentication 18.3 Signature 18.4 | SignedInfo | XMLDSIG | | Transform Section 17.2.6 | Canonicalization 19.1 Transform 19.2 | Transforms | XMLDSIG XMLENC | [1] For algorithms specified in this book, DigestMethod appears as a child of Encryption Method only for the RSA- OAEP algorithm, where it is an explicit parameter.
[2] RetrievalMethod is not an algorithmic role, even though its name makes it look like it should be one.
Both philosophies are commonly seen and seem to work. This difference probably reflects the different balance of opinions among the members of the two working groups. |
17.2.1 AgreementMethod An AgreementMethod algorithm element appears as the child of KeyInfo. It takes as implicit input the type of key to be agreed upon, as described in Section 18.2. As explicit input, it takes a DigestMethod, an optional Nonce, and possibly other explicit inputs. As optional explicit input, it takes compatible sender and recipient keying information. From these inputs, it calculates a shared secret key. Table 17-2 lists AgreementMethod algorithms. Table 17-2. Key Agreement Algorithms | Implementation | Name | URI | | XMLDSIG:Optional XMLENC:Optional | Dif .e-Hellman | http://www.w3.org/2001/04/xmlenc#dh | 17.2.2 CanonicalizationMethod The CanonicalizationMethod role performs the canonicalizing of the SignedInfo element in a Signature element. It takes the SignedInfo element as an implicit input. You can also use the canonicalization algorithms with the Transform role element (see Section 17.2.6). Because you can use Transform in both signatures and encryption, implementation requirements for both are listed here. Table 17-3 lists canonicalization algorithms. 17.2.3 DigestMethod The DigestMethod appears as the child of a Reference. As an implicit input, it takes the data referred to by the Reference URI attribute, after processing by any Transform elements specified. Table 17-3. Canonicalization Algorithms | Implementation | Name/ | | URI | | XMLDSIG: Required XMLENC: Recommended | Canonical XML | | http://www.w3.org/TR/2001/REC-xml-c14n-20010315 | | XMLDSIG: Recommended XMLENC: Required | Canonical XML with Comments | | http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments | | XMLDSIG: Required[1] XMLENC: Optional | Exclusive XML Canonicalization | | http://www.w3.org/TR/xml-exc-c14n# | | XMLDSIG: Recommended[1] XMLENC: Optional | Exclusive XML Canonicalization with Comments | | http://www.w3.org/TR/xml-exc-c14n#WithComments | | XMLDSIG: Not Recommended[2] XMLENC: Not Recommended | Minimal Canonicalization | | http://www.w3.org/2000/09/xmldsig#minimal | [1] Exclusive XML Canonicalization does not actually appear in the XMLDSIG Recommendation. As explained in Chapter 9, it is the most appropriate canonicalization for signatures where the context of the signed XML may change. Its listing here as "Required"should therefore be considered editorial.
[2] As explained in Section 19.1, minimal canonicalization is a text- based canonicalization, not an XML- based algorithm.
The DigestMethod can also appear as the child of EncryptionMethod, if the encryption algorithm specified is RSA-OAEP, or as a child of AgreementMethod. In these cases, its use and implicit inputs are complex, as described in Sections 18.7.2 and 18.2. Table 17-4 lists DigestMethod algorithms. | SHA384 was not popular with XML Security working groups. It does the same work as SHA512, albeit using different constants, and then truncates the output from 512 to 384 bits. For XML applications, where terseness is not a goal, there is little reason not to just use SHA512 instead of SHA384. Some argument focused on the inclusion of RIPEMD-160. The XML Encryption Working Group decided that without it the list would be too "U.S.-centric" and that Europeans were bound to use it anyway, so a standard URI for it might as well be specified. (While RIPEMD-256 produces a 256-bit message digest, it was not included because it has only 160 bits of strength.) |
17.2.4 EncryptionMethod EncryptionMethod appears as a child of either the EncryptedData or EncryptedKey element. In the first case, its role is specified for the encryption and decryption of data. In the second case, its role is normally specified for the encryption and decryption of a key. In both cases, it takes, as implicit inputs, keying information and the plain text to encrypt or cipher text to decrypt. Table 17-5 lists encryption algorithms. | The XML Encryption Working Group's logic in setting the implementation requirements of the various key lengths in AES was as follows: For almost all uses, 128 bits is probably adequate. Paranoid developers will want to use 256 bits. Thus, these two lengths are required. A length of 192 bits is stronger than most anyone needs but not strong enough for the paranoid, so who would want to use it? As a result, it is optional to implement. |
17.2.5 SignatureMethod SignatureMethod appears as the child of a SignedInfo element. This algorithmic role is applied to the result from CanonicalizationMethod and the keying material, which are its implicit inputs, to yield the SignatureValue. Table 17-6 lists authentication algorithms. Table 17-4. Message Digest Algorithms | Implementation | Name | URI | | XMLDSIG: Required XMLENC: Required | SHA1 | http://www.w3.org/2000/09/xmldsig#sha1 | | XMLDSIG: Recommended XMLENC: Recommended | SHA256 | http://www.w3.org/2001/04/xmlenc#sha256 | | XMLDSIG: Optional XMLENC: Optional | SHA384 | http://www.w3.org/2001/04/xmldsig-more#sha384 | | XMLDSIG: Optional XMLENC: Optional | SHA512 | http://www.w3.org/2001/04/xmlenc#sha512 | | XMLDSIG: Optional XMLENC: Optional | RIPEMD160 | http://www.w3.org/2001/04/xmlenc#ripemd160 | | XMLDSIG: Optional XMLENC: Optional | MD5 | http://www.w3.org/2001/04/xmldsig-more#md5 | Table 17-5. Encryption Algorithms | Implementation (XMLENC Only) | Name | URI | | Required | TRIPLEDES | http://www.w3.org/2001/04/xmlenc#tripledes-cbc | | Required | AES- 128 | http://www.w3.org/2001/04/xmlenc#aes128-cbc | | Required | AES- 256 | http://www.w3.org/2001/04/xmlenc#aes256-cbc | | Required | RSA- v1.5 | http://www.w3.org/2001/04/xmlenc#rsa-1_5 | | Required | RSA- OAEP | http://www.w3.org/2001/04/xmlenc#rsa-oaep-mbg1p | | Required | Triple DES Key Wrap | http://www.w3.org/2001/04/xmlenc#kw-tripledes | | Required | AES- 128 Key Wrap | http://www.w3.org/2001/04/xmlenc#kw-aes128 | | Required | AES- 256 Key Wrap | http://www.w3.org/2001/04/xmlenc#kw-aes256 | | Optional | AES- 192 | http://www.w3.org/2001/04/xmlenc#aes192-cbc | | Optional | ARCFOUR | http://www.w3.org/2001/04/xmldsig-more#arcfour | | Optional | AES- 192 Key Wrap | http://www.w3.org/2001/04/xmlenc#kw-aes192 | Table 17-6. Signature Algorithms | Implementation (XMLDSIG Only) | Name | URI | | Required | DSAwithSHA1 | http://www.w3.org/2000/09/xmldsig#dsa-sha1 | | Required | HMAC- SHA1 | http://www.w3.org/2000/09/xmldsig#hmac-sha1 | | Recommended | RSAwithSHA1 | http://www.w3.org/2000/09/xmldsig#rsa-sha1 | | Optional | HMAC- MD5 | http://www.w3.org/2001/04/xmldsig-more#hmac-md5 | | Optional | HMAC- SHA256 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha256 | | Optional | HMAC- SHA384 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha384 | | Optional | HMAC- SHA512 | http://www.w3.org/2001/04/xmldsig-more#hmac-sha512 | | Optional | HMAC- RIPEMD160 | http://www.w3.org/2001/04/xmldsig-more#hmac-ripemd160 | | Optional | RSAwithSHA256 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 | | Optional | RSAwithSHA384 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha384 | | Optional | RSAwithSHA512 | http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 | | Optional | RSAwithRIPEMD160 | http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160 | | Not Recommended | RSAwithMD5 | http://www.w3.org/2001/04/xmldsig-more#rsa-md5 | 17.2.6 Transform Transform algorithms appear in a Transforms element, which in turn is the child of a Reference, RetrievalMethod, or CipherReference element. These algorithms take one implicit input, which can be either an XPath node-set or an octet sequence. This input comes from the previous Transform, if one exists. Otherwise, it consists of the data to which the Reference, RetrievalMethod, or CipherReference ancestor of the Transform refers. See Chapter 10 for more information on the Transforms data pipeline model. Table 17-7 lists Transform algorithms, other than canonicalization algorithms.  | You can also use all CanonicalizationMethod algorithms described in Section 17.2.1 as Transform algorithms. |
Table 17-7. Transform Algorithms | Implementation | Name | URI | | XMLDSIG: Required XMLENC: N/ A | Enveloped Signature | http://www.w3.org/2000/09/xmldsig#enveloped-signature | | XMLDSIG: Required XMLENC: Required | Base64 | http://www.w3.org/2000/09/xmldsig#base64 | | XMLDSIG: Recommended XMLENC: Recommended | XPath | http://www.w3.org/TR/1999/REC-xpath-19991116 | | XMLDSIG: Recommended XMLENC: N/A | Decryption Transform | http://www.w3.org/2001/04/decrypt# | | XMLDSIG: Optional XMLENC: Optional | XSLT | http://www.w3.org/TR/1999/REC-xslt-19991116 | | XMLDSIG: Recommended[1] XMLENC: Optional | XPointer | http://www.w3.org/2001/04/xmldsig-more/xptr | | XMLDSIG: Experimental XMLENC: Experimental | Schema | http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/ | [1] This Recommended status applies only to a very limited number of XPointer facilities. The rest of XPointer is Optional. ( See Chapter 10. )
|
