XML Encryption in .Net

One of the new features being introduced with the Whidbey version of the .Net framework is XML encryption.  XML Encryption allows you to encrypt arbitrary data and have the result be an XML element.  Much as XML digital signatures are driven through the SignedXml class, this feature is driven through the new EncryptedXml class.  To allow this feature to work well with XML digital signatures, the framework includes a special transform that lets the digital signature engine decrypt the encrypted portions of a document and compute the signature over their plaintext.

In this posting, I'll build upon the code from my earlier posting on signing an XML document.  In that post, I showed how to use XML digital signatures to verify that nobody had tampered with a CD order from a website.  However, this signature did nothing to hide the purchaser's credit card information from prying eyes.

Encrypting the Document

The first step is to set up an EncryptedXml object and get a key that will be used for encryption.  This example generates a random RSA key (which is then written to a file, so that it can be used again to verify the signature and decrypt the document), but in real life a well-known key would be used here.  There are two choices for an encryption key -- you could use a symmetric key that both parties know, but this can be problematic for key management purposes.  Instead, I have chosen to use an RSA key.  I will then generate a random symmetric session key to do the actual encryption with, and embed this session key, wrapped with the RSA key, within the encrypted document itself.

Code

After computing the encrypted value, it is placed in an EncryptedData object, along with some information about how the encryption was done, including the name of the key necessary to decrypt the data, the algorithm used for the encryption, and the type of data that was encrypted.  Note that the encryption method is AES-256, because the data was encrypted with the session key, not with the RSA key.  The last step is simply to replace the unencrypted data in the document with the encrypted version.

// replace the original XML with this version
EncryptedXml.ReplaceElement(paymentElem, ed, false);

Modifications to the Signature

In order for the XML digital signature to sign the unencrypted form of the payment element, it must have an XmlDecryptionTransform applied to it.  This transform needs to be set up with an EncryptedXml object that contains the key name mapping for any keys necessary to decrypt the document.  In this case, we can simply pass the EncryptedXml object that we already used to perform the encryption.  Here is the modified code that creates the reference to the content that is to be signed.

Code
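As an added example (my own code against the System.Security.Cryptography.Xml API, not the author's listing), here are the steps described above: an AES-256 session key encrypts the payment element, the RSA key wraps that session key into an EncryptedKey carried in the KeyInfo under a key name, and the signature Reference gets the XmlDecryptionTransform.  The class and method names, the keyName parameter, and the assumption that the RSA key used for decryption carries its private half are mine; the /order/payment XPath is the one the post uses later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class OrderProtection   // hypothetical name, not from the original post
{
    // Encrypts /order/payment in place. The AES-256 session key encrypts the element;
    // the RSA key wraps the session key so it can travel inside the document.
    public static EncryptedXml EncryptPayment(XmlDocument doc, RSA rsaKey, string keyName)
    {
        XmlElement paymentElem = (XmlElement)doc.SelectSingleNode("/order/payment");
        if (paymentElem == null) throw new InvalidOperationException("no /order/payment element");
        EncryptedXml exml = new EncryptedXml(doc);
        exml.AddKeyNameMapping(keyName, rsaKey);   // lets the same object decrypt later

        using (Aes sessionKey = Aes.Create())
        {
            sessionKey.KeySize = 256;
            byte[] cipherText = exml.EncryptData(paymentElem, sessionKey, false); // whole element
            // session key wrapped with RSA-OAEP, referenced by key name
            EncryptedKey ek = new EncryptedKey();
            ek.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncRSAOAEPUrl);
            ek.KeyInfo.AddClause(new KeyInfoName(keyName));
            ek.CipherData = new CipherData(EncryptedXml.EncryptKey(sessionKey.Key, rsaKey, true));

            EncryptedData ed = new EncryptedData();
            ed.Type = EncryptedXml.XmlEncElementUrl;                 // an element was encrypted
            ed.EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url);
            ed.KeyInfo.AddClause(new KeyInfoEncryptedKey(ek));
            ed.CipherData.CipherValue = cipherText;

            EncryptedXml.ReplaceElement(paymentElem, ed, false);
        }
        return exml;
    }

    // Builds the signature reference so the signature covers the decrypted payment element.
    public static Reference SignedReference(EncryptedXml exml)
    {
        Reference reference = new Reference("");               // whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        XmlDecryptionTransform decrypt = new XmlDecryptionTransform();
        decrypt.EncryptedXml = exml;                             // key name mappings for decryption
        reference.AddTransform(decrypt);
        return reference;
    }
}
```

The returned EncryptedXml (or a fresh one with the same AddKeyNameMapping call) is also what the verifying side assigns to SignedXml.EncryptedXml, and calling DecryptDocument on it unwraps the session key through the RSA key name mapping.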

The result

After running this modified code over order.xml, the result is:

Code

Modifying the Verification Code

The modifications to the code that verifies the signature are very minor.  All that needs to be done is to set the SignedXml object up with an EncryptedXml object that contains the necessary key name mappings.  To do this, I will first read the key in from the file created by the encryption process, add its name to an EncryptedXml object, and set this property on the SignedXml object.

Code

Decrypting the Encrypted Data

Decrypting the encrypted payment value is also trivial.  It takes a single call on the EncryptedXml object, which decrypts any encrypted data in the document using the keys in its key name mapping table and replaces each encrypted version with the decrypted one:

// decrypt the encrypted document in place, using the key name mappings on exml
exml.DecryptDocument();
Console.WriteLine("Decrypted payment info: ");
Console.WriteLine(doc.SelectSingleNode("/order/payment").OuterXml);

Published Friday, November 14, 2003 11:10 PM by shawnfa
Filed under: Security, Cryptography, XML