XML Encryption 1.1 is a candidate recommendation

The XML Security Working Group has published the Candidate Recommendation for XML Encryption Syntax and Processing 1.1. The most important update in this version addresses the recently published chosen-ciphertext attacks against the CBC class of algorithms. In addition, AES-128-GCM is now a required algorithm. AES-GCM is an authenticated encryption algorithm and provides both authentication and privacy. RSA-OAEP, a key transport algorithm, offers more algorithm variants. The other updates were more or less polishing for the final recommendation.
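To see which of the two algorithm classes a document relies on, the following added example (not part of the original post and not Santuario code) lists the EncryptionMethod of every EncryptedData and EncryptedKey element and marks it as CBC or GCM. The sample document, its Id values and the verdict labels are constructed for illustration; the algorithm URIs are the ones defined by XML Encryption 1.0 and 1.1.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
XENC11 = "http://www.w3.org/2009/xmlenc11#"
# Block-encryption URIs: CBC modes from XML Encryption 1.0, GCM modes added in 1.1.
CBC_URIS = {XENC + n for n in ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")}
GCM_URIS = {XENC11 + n for n in ("aes128-gcm", "aes192-gcm", "aes256-gcm")}

def classify(uri):
    """Map an algorithm URI to a verdict label (labels are this example's own)."""
    if uri is None:
        return "unspecified"  # EncryptionMethod is optional; algorithm agreed out of band
    if uri in CBC_URIS:
        return "cbc-unauthenticated"
    if uri in GCM_URIS:
        return "gcm-authenticated"
    return "other"  # key transport, key wrap, or an unknown URI

def audit(xml_text):
    """Return (element, Id, algorithm URI, verdict) per EncryptedData/EncryptedKey."""
    # For untrusted input, parse with a hardened parser instead of plain ElementTree.
    root = ET.fromstring(xml_text)
    findings = []
    for tag in ("EncryptedData", "EncryptedKey"):
        for el in root.iter("{%s}%s" % (XENC, tag)):
            # find() looks at direct children only, so a nested EncryptedKey's
            # method is never mistaken for the method of its EncryptedData.
            method = el.find("{%s}EncryptionMethod" % XENC)
            uri = method.get("Algorithm") if method is not None else None
            findings.append((tag, el.get("Id"), uri, classify(uri)))
    return findings

# Constructed sample: one CBC payload with an RSA-OAEP key, one GCM payload,
# and one payload without an EncryptionMethod. Cipher values are dummies.
CV = "<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>"
SAMPLE = f"""<doc xmlns:xenc="{XENC}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <xenc:EncryptedData Id="ed-cbc">
    <xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>
    <ds:KeyInfo><xenc:EncryptedKey Id="ek-1">
      <xenc:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>{CV}
    </xenc:EncryptedKey></ds:KeyInfo>{CV}
  </xenc:EncryptedData>
  <xenc:EncryptedData Id="ed-gcm">
    <xenc:EncryptionMethod Algorithm="{XENC11}aes128-gcm"/>{CV}
  </xenc:EncryptedData>
  <xenc:EncryptedData Id="ed-none">{CV}</xenc:EncryptedData>
</doc>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```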

The other updated recommendation is XML Encryption 1.1 CipherReference Processing using 2.0 Transforms, now a candidate recommendation too. This rather short document (for a W3C recommendation!) specifies how the XML Signature 2.0 transform model may be used with XML Encryption 1.1 for CipherReference processing.

Apache XML Security 1.5.1 available

One month after the 1.5.0 release, the bugfix release 1.5.1 of Apache Santuario is available. Two bugs were fixed: one in XMLSignatureInput when using a BufferedInputStream. The other one caused Santuario to still require Apache Xalan (which was changed to optional in 1.5.0). Besides that, encryption and decryption should work faster now.

XML Security Working Group announced last calls for XML Encryption working drafts

The XML Security working group published the last calls for two XML Encryption working drafts: XML Encryption 1.1 contains, among other updates, AES-128-GCM, a new mandatory-to-implement algorithm that addresses the recently published security problems (catastrophe?!) with XML Encryption. This part alone justifies a closer look at the candidate recommendation.

The other last call is about XML Encryption 1.1 CipherReference Processing using 2.0 Transforms. This recommendation makes the usage of CipherReference transform processing easier with XML Encryption (as defined in the XML Security 2.0 spec).

Besides that, the test cases for XML Encryption 1.1 and Canonical XML 2.0 have been updated as well, and so has the XML Security Algorithm Cross-Reference, which reflects the latest changes to the XML Encryption recommendation.

Apache Santuario 1.4.6 available

A new maintenance release (1.4.6) of Apache Santuario, the Apache XML Security project, is available. The release notes are a little bit confusing. It looks like five bugs were fixed. The new version will be available in the next JCrypTool release.

Unsafe XML Encryption?!

This analysis (in German, English version is available here) by the well-known Ruhr University Bochum puts XML Encryption in real trouble. Since there is no solution or workaround, the only possibility is to accept the drawbacks and to use SSL to secure any Web Service communication. Back to good old transport-based security.

XML Security tutorials now on GitHub

The German XML Security tutorials are now developed on GitHub. This does not affect the Eclipse XML Security Tools at all; the German tutorials will never be integrated there. The sources are only used to generate the tutorials available on my home page.

I'm working on some content updates. As soon as this is finished, I'll provide a new HTML version.

Versions 1.1 of XML Security coming closer

The W3C recently published new working drafts of several XML Security related 1.1 versions: on May 13th, XML Signature Syntax and Processing, XML Encryption Syntax and Processing and XML Security Generic Hybrid Ciphers were updated. These are so-called Last Call Working Drafts, meaning the process is finally coming to an end and we should see the final recommendations within the next (couple of) months (in case there are no major updates required).

Different XML Security drafts updated

Quite a lot of XML Security related drafts were updated during my two-month holiday:

XML Signature Syntax and Processing Version 2.0 and Canonical XML Version 2.0 both got updated on March 4th 2010. However, both documents are still in working draft stage.

Besides that there is a new XML Encryption Syntax and Processing Version 1.1 from March 16th 2010. This is a working draft too. The XML Security RELAX NG Schemas working draft reflects the latest changes on the RELAX NG schema side.

The likewise updated XML Security Generic Hybrid Ciphers working draft talks about a consistent treatment of asymmetric ciphers when encrypting data. The focus lies on interoperability. On the one hand this is a nice working draft, but on the other it comes at the price of another namespace declaration and some new elements for the already complex XML Security recommendations…

And finally there is an update on the XML Security Algorithm Cross-Reference working draft which reflects all updates applied to XML Signature and XML Encryption working drafts (and recommendations) up to version 1.1 (the different working drafts for version 2.0 are not included in this one).

Apache Santuario 1.4.3 available

Version 1.4.3 of Apache XML Security (Santuario) is available. If you use this API, you should update to the new release as soon as possible. This release doesn't provide any new features, but includes a lot of bug fixes, including a correction for the relatively serious security vulnerability that was discovered recently.

A whole bunch of new XML Security working drafts

The W3C XML Security Working Group released eight first public working drafts last week, ranging from updated XML Encryption 1.1 and XML Signature 1.1 specifications to some entirely new ones. Among others, these drafts include revisions to XML Signature and XML Encryption to support new algorithms and a new document proposing simplifications to the XML Signature Transform model to enhance performance and security.

XML Signature Best Practices experienced some updates to match the latest recommendations. XML Security Derived Keys, XML Signature Properties, XML Security Algorithm Cross-Reference and XML Security Use Cases and Requirements are completely new specifications.

XML Signature Syntax and Processing Version 1.1
This version mostly replaces more or less unsafe algorithms like SHA-1 with SHA-256 or higher (well, SHA-1 is not replaced, it is still a required algorithm, but SHA-256 is required too). Additionally, elliptic curve cryptography has arrived in the recommendations in the form of the ECPublicKey element and, of course, the matching algorithms. And we are confronted with a new digital signature namespace, http://www.w3.org/2009/xmldsig11#. Check out the diff-marked version for all changes.

XML Encryption Syntax and Processing Version 1.1
Some updates on required and recommended algorithms too. Elliptic Curve Diffie-Hellman is now a required Key Agreement algorithm. Not too many changes here; and I couldn’t find a diff-marked version.

XML Security Derived Keys
This completely new specification defines a derived key XML type and associated elements, both used in XML Signature and XML Encryption.

XML Signature Properties
Signature properties are nothing new. Up to now it is possible to define any signature property one desires. This is still possible in the future, but this new recommendation will define some commonly used ones. Four properties are defined so far: Profile, Role, Expires and ReplayProtect. I guess we will see some more in the final recommendation…

XML Security Algorithm Cross-Reference
Another new document. And a really, really good idea! This reference contains all algorithms and their corresponding URIs used in all XML Security recommendations. Bookmark this page, and never use an incorrect URI again!

XML Signature Best Practices
A collection of best practices, mostly security related, for implementers and users of the XML Signature recommendations. Not everything will be useful in every environment, but clearly this document points in the right direction of making a complex recommendation more practical in daily use.

XML Security Use Cases and Requirements
This document summarizes use cases and requirements driving revisions to XML Signature, XML Encryption and XML Canonicalization. Not that interesting for XML Security users.

XML Signature Transform Simplification: Requirements and Design
I like the idea behind this document. Basically it recommends replacing the current reference processing model with a simpler one. And simplicity is always good for security (and for performance). What may(!) happen is an extended Reference element with Selection, Transform and Canonicalization child elements. The Selection element chooses what is to be signed. The Transform element makes sure that you only sign what you see (it has a limited number of transformations for that). And finally the Canonicalization element is used to produce the input for the hash. So the reference processing may change a little bit in the future.