18.5 Block Encryption Algorithms

Block encryption algorithms are designed for encrypting and decrypting data. Their identifiers normally appear as the value of the Algorithm attributes of EncryptionMethod elements that are children of EncryptedData (see Figure 18-1).

Block encryption algorithms take, as implicit arguments, the data to encrypt or decrypt, the keying material, and their direction of operation. All of the algorithms specified in this section require an initialization vector (IV). This IV is encoded with the cipher text. For user-specified block encryption algorithms, the IV, if any, could be specified as being with the cipher data, as the content of an algorithm element, or elsewhere.

The IV is prefixed to and encoded with the data for the block encryption algorithms for ease of availability to the decryption code and to emphasize its association with the cipher text. Good cryptographic practice requires that you use a different IV for every encryption.

Padding

Because the data being encrypted consists of an arbitrary number of octets, the data size may not be a multiple of the block size. Padding the plain text up to the block size before encryption and unpadding after decryption resolves this discrepancy. The padding algorithm is to calculate the smallest nonzero number of octets say, N that must be suffixed to the plain text to bring it up to a multiple of the block size. We will assume the block size is B octets, so N is in the range of 1 to B. Pad by suffixing the plain text with N 1 arbitrary pad bytes and a final byte whose value is N. On decryption, take the last byte and, after "sanity checking" it, strip that many bytes from the end of the decrypted cipher text.

For example, assume an eight-byte block size and plain text of 0x616263. The padded plain text would then be 0x616263????????05, where the "??" bytes can be any value. Similarly, plain text of 0x2122232425262728 would be padded to 0x2122232425262728??????????????08.

18.5.1 Triple DES

 TRIPLEDES Identifier:     http://www.w3.org/2001/04/xmlenc#tripledes-cbc 

The triple DES algorithm is described in [FIPS 46-3] and ANSI X9.52 [3DES]. It is composed of three sequential DES operations. Encryption applications must implement triple DES for data encryption.

Triple DES consists of a DES encrypt, a DES decrypt, and a DES encrypt used in Cipher Block Chaining (CBC) mode [FIPS 81] with 192 bits of key and a 64-bit IV. Of the key bits, the first 64 bits are used in the first DES operation, the second 64 bits in the middle DES operation, and the third 64 bits in the last DES operation.

Each 64 key bits contain 56 effective bits and 8 parity bits. Thus the 192 bits being transported for a triple DES key contain only 168 operational bits. (Depending on the criterion used for analysis, the effective key strength may be thought to be 112, due to "meet in the middle" attacks, or even slightly less.)

The IV prefixes the resulting cipher text before being encoded in base-64 for inclusion in XML output. An example triple DES EncryptionMethod follows:

 <EncryptionMethod   Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> 

18.5.2 AES

 AES Identifiers:     http://www.w3.org/2001/04/xmlenc#aes128-cbc     http://www.w3.org/2001/04/xmlenc#aes192-cbc     http://www.w3.org/2001/04/xmlenc#aes256-cbc 

The Advanced Encryption Standard (AES) algorithm is described in [FIPS 197]. XML Encryption implementations must support AES with 128-bit and 256-bit keys. AES may also optionally be implemented for 192-bit keys. It has a 128-bit block size and is used in CBC mode with a 128-bit IV. The IV prefixes the resulting cipher text before being encoded in base-64 for inclusion in XML output. An example AES EncryptionMethod follows:

 <EncryptionMethod   Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>