"XML Encryption" encompasses the encryption of any kind of data, including the encryption of XML [XMLENC]. What makes it XML Encryption is that an XML element (either an EncryptedData or EncryptedKey element) contains or refers to the cipher text, keying information, and algorithms.

15.1.1 Why Another Encryption Syntax?

As with XMLDSIG, the motivation for a new XML syntax, instead of using existing binary and text syntaxes, was the desire to have encryption information and cipher text as structures that could be created, manipulated, and analyzed with XML tools. You can conveniently encrypt parts of XML documents, thereby smoothly integrating them in XML-based Web services. In addition, you can easily use XML pointers into the structure, make assertions about it, and have it point into other XML structures. Even just displaying and looking at a structure normally in the XML world becomes much easier if the structure is XML.

By the time the XML Encryption effort got rolling, the KeyInfo element existed and a syntax for algorithms had been specified in connection with XMLDSIG. Thus a few of the steps needed to develop XML Encryption had already been taken.

15.1.2 Encryption Granularity

You can use XML Encryption for encrypting arbitrary data. When using it to encrypt XML in place, however, this standard is limited to encrypting an entire element or the entire content of an element. The resulting EncryptedData element then replaces the encrypted element or the encrypted content.
15.1.3 Enveloping and Detached Encryption

The EncryptedData element produced by XML Encryption envelopes or references the cipher text. With enveloping encryption (Figure 15-1), the raw encrypted data consists of the CipherValue element's content. With referencing encryption (Figure 15-2), the CipherReference element's URI attribute points to the location of the raw encrypted data.

Figure 15-1. Enveloping encryption

Figure 15-2. Detached encryption

Although "enveloped" signatures make sense (see Chapter 10), the concept of an "enveloped" encryption used in the same way does not work. If you encrypt all information about the encryption, including the algorithm and any keying or other information, that information would become useless; that is, you would need to decrypt it to get the information you need to decrypt it. The term "enveloped encryption" refers to something quite different: encrypting data with a symmetric key and then encrypting that key with one or more public keys, as described in Chapter 2.