XML Encryption Syntax and Processing (�NjL) Version 1.1 (�NjL�����܂�)

1.1 Editorial and Conformance Conventions

This specification uses XML schemas [ (�폜) XML-schema (�폜�����܂�) (�NjL) XMLSCHEMA-1 (�NjL�����܂�) (�NjL) ], [ (�NjL�����܂�)(�NjL) XMLSCHEMA-2 (�NjL�����܂�) ] to describe the content model. (�NjL) The full normative grammar is defined by the XSD schema and the normative text in this specification. The standalone XSD schema file is authoritative in case there is any disagreement between it and the XSD schema portions. (�NjL�����܂�)

The key words (�폜) "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", (�폜�����܂�) (�NjL) " (�NjL�����܂�)(�NjL) must (�NjL�����܂�)(�NjL) ", " (�NjL�����܂�)(�NjL) must not (�NjL�����܂�)(�NjL) ", " (�NjL�����܂�)(�NjL) required (�NjL�����܂�)(�NjL) ", " (�NjL�����܂�)(�NjL) shall (�NjL�����܂�)(�NjL) ", " (�NjL�����܂�)(�NjL) shall not (�NjL�����܂�)(�NjL) ", " (�NjL�����܂�)(�NjL) should (�NjL�����܂�)(�NjL) ", " (�NjL�����܂�)(�NjL) should not (�NjL�����܂�)(�NjL) ", " (�NjL�����܂�)(�NjL) recommended (�NjL�����܂�)(�NjL) ", " (�NjL�����܂�)(�NjL) may (�NjL�����܂�)(�NjL) ", (�NjL�����܂�) and (�폜) "OPTIONAL" (�폜�����܂�) (�NjL) " (�NjL�����܂�)(�NjL) optional (�NjL�����܂�)(�NjL) " (�NjL�����܂�) in this specification are to be interpreted as described in (�폜) RFC2119 (�폜�����܂�) [ (�폜) KEYWORDS (�폜�����܂�) (�NjL) RFC2119 (�NjL�����܂�) ]:

(�폜) "they MUST (�폜�����܂�) (�NjL) "They (�NjL�����܂�)(�NjL) must (�NjL�����܂�) only be used where it is actually required for interoperation or to limit behavior which has potential for causing harm (e.g., limiting retransmissions)"

Consequently, we use these capitalized keywords to unambiguously specify requirements over protocol and application features and behavior that affect the interoperability and security of implementations. These key words are not used (capitalized) to describe XML grammar; schema definitions unambiguously describe such requirements and we wish to reserve the prominence of these terms for the natural language descriptions of protocols and features. For instance, an XML attribute might be described as being (�폜) "optional." (�폜�����܂�) (�NjL) "optional". (�NjL�����܂�) Compliance with the XML-namespace specification [ (�폜) XML-NS (�폜�����܂�) (�NjL) XML-NAMES (�NjL�����܂�) ] is described as (�폜) "REQUIRED." (�폜�����܂�) (�NjL) " (�NjL�����܂�)(�NjL) required (�NjL�����܂�)(�NjL) ". (�NjL�����܂�)

1.2 Design Philosophy

The design philosophy and requirements of this specification (including the limitations related to instance validity) are addressed in the (�NjL) original (�NjL�����܂�) XML Encryption Requirements [ (�폜) EncReq (�폜�����܂�) (�NjL) XML-ENCRYPTION-REQ (�NjL�����܂�) (�NjL) ] and the XML Security 1.1 Requirements document [ (�NjL�����܂�)(�NjL) XMLSEC11-REQS (�NjL�����܂�) ].

1.3 (�폜) Versions , (�폜�����܂�) (�NjL) Versions, (�NjL�����܂�) Namespaces, URIs, and Identifiers

(�폜) No provision is made for an explicit version number in this syntax. If a future version is needed, it will (�폜�����܂�) (�NjL) This specification makes (�NjL�����܂�) use (�폜) a different namespace. The experimental (�폜�����܂�) (�NjL) of (�NjL�����܂�) XML (�폜) namespace (�폜�����܂�) (�NjL) namespaces, and uses Uniform Resource Identifiers (�NjL�����܂�) [ (�폜) XML-NS (�폜�����܂�) (�NjL) URI (�NjL�����܂�) ] (�폜) URI that MUST be used by implementations (�폜�����܂�) (�NjL) to identify resources, algorithms, and semantics. (�NjL�����܂�)

(�NjL) Implementations (�NjL�����܂�) of this (�폜) (dated) (�폜�����܂�) specification (�폜) is: (�폜�����܂�) (�NjL) must (�NjL�����܂�)(�NjL) use the following XML namespace URIs: (�NjL�����܂�)

(�NjL) The (�NjL�����܂�)(�NjL) http://www.w3.org/2001/04/xmlenc# (�NjL�����܂�)(�NjL) ( (�NjL�����܂�)(�NjL) xenc: (�NjL�����܂�)(�NjL) ) namespace was introduced (�NjL�����܂�) in (�NjL) version 1.0 of (�NjL�����܂�) this specification. (�폜) For example " (�폜�����܂�) (�NjL) The present version does not coin any new elements or algorithm identifiers in that namespace; instead, the (�NjL�����܂�) (�폜) &xenc;Element" (�폜�����܂�) (�NjL) http://www.w3.org/2009/xmlenc11# (�NjL�����܂�) (�폜) corresponds to "http://www.w3.org/2001/04/xmlenc#Element". (�폜�����܂�) (�NjL) ( (�NjL�����܂�)(�NjL) xenc11: (�NjL�����܂�)(�NjL) ) namespace is used. (�NjL�����܂�)

(�폜) This (�폜�����܂�) (�NjL) No provision is made for an explicit version number in this syntax. If a future version of this (�NjL�����܂�) specification (�폜) makes use (�폜�����܂�) (�NjL) requires explicit versioning (�NjL�����܂�) of the (�폜) XML Signature [ XML-DSIG ] (�폜�����܂�) (�NjL) document format, a different (�NjL�����܂�) namespace (�폜) and schema definitions (�폜�����܂�) (�NjL) will be used. (�NjL�����܂�)

(�폜) URIs [ URI ] MUST abide by the [ XML-Schema ] anyURI type definition (�폜�����܂�) (�NjL) Additionally, this specification uses elements (�NjL�����܂�) and (�NjL) algorithm identifiers from (�NjL�����܂�) the (�NjL) XML Signature name spaces (�NjL�����܂�) [ (�폜) XML-DSIG , 4.3.3.1 The URI Attribute (�폜�����܂�) (�NjL) XMLDSIG-CORE1 (�NjL�����܂�) (�폜) ] specification (i.e., permitted characters, character escaping, scheme support, etc.). (�폜�����܂�) (�NjL) ]: (�NjL�����܂�)

(�폜) 1.4 Acknowledgements (�폜�����܂�) (�NjL) 1.4 (�NjL�����܂�)(�NjL) Acknowledgements (�NjL�����܂�)

The contributions of the following Working Group members to this specification are gratefully acknowledged in accordance with the contributor policies and the active WG roster (�폜) . (�폜�����܂�) : Joseph (�폜) Ashwood (�폜�����܂�) (�NjL) Ashwood, (�NjL�����܂�) Simon Blake-Wilson, (�폜) Certicom (�폜�����܂�) (�NjL) Certicom, (�NjL�����܂�) Frank D. Cavallito, BEA (�폜) Systems (�폜�����܂�) (�NjL) Systems, (�NjL�����܂�) Eric Cohen, (�폜) PricewaterhouseCoopers (�폜�����܂�) (�NjL) PricewaterhouseCoopers, (�NjL�����܂�) Blair Dillaway, Microsoft (�폜) (Author) (�폜�����܂�) (�NjL) (Author), (�NjL�����܂�) Blake Dournaee, RSA (�폜) Security (�폜�����܂�) (�NjL) Security, (�NjL�����܂�) Donald Eastlake, Motorola (�폜) (Editor) (�폜�����܂�) (�NjL) (Editor), (�NjL�����܂�) Barb Fox, (�폜) Microsoft (�폜�����܂�) (�NjL) Microsoft, (�NjL�����܂�) Christian Geuer-Pollmann, University of (�폜) Siegen (�폜�����܂�) (�NjL) Siegen, (�NjL�����܂�) Tom Gindin, (�폜) IBM (�폜�����܂�) (�NjL) IBM, (�NjL�����܂�) Jiandong Guo, (�폜) Phaos (�폜�����܂�) (�NjL) Phaos, (�NjL�����܂�) Phillip Hallam-Baker, (�폜) Verisign (�폜�����܂�) (�NjL) Verisign, (�NjL�����܂�) Amir Herzberg, (�폜) NewGenPay (�폜�����܂�) (�NjL) NewGenPay, (�NjL�����܂�) Merlin Hughes, (�폜) Baltimore (�폜�����܂�) (�NjL) Baltimore, (�NjL�����܂�) Frederick (�폜) Hirsch (�폜�����܂�) (�NjL) Hirsch, (�NjL�����܂�) Maryann Hondo, (�폜) IBM (�폜�����܂�) (�NjL) IBM, (�NjL�����܂�) Takeshi Imamura, IBM (�폜) (Author) (�폜�����܂�) (�NjL) (Author), (�NjL�����܂�) Mike Just, Entrust, (�폜) Inc. (�폜�����܂�) (�NjL) Inc., (�NjL�����܂�) Brian LaMacchia, (�폜) Microsoft (�폜�����܂�) (�NjL) Microsoft, (�NjL�����܂�) Hiroshi Maruyama, (�폜) IBM (�폜�����܂�) (�NjL) IBM, (�NjL�����܂�) John Messing, (�폜) Law-on-Line (�폜�����܂�) (�NjL) Law-on-Line, (�NjL�����܂�) Shivaram Mysore, Sun (�폜) Microsystems (�폜�����܂�) (�NjL) Microsystems, (�NjL�����܂�) Thane Plambeck, (�폜) Verisign (�폜�����܂�) (�NjL) Verisign, (�NjL�����܂�) Joseph Reagle, W3C (Chair, (�폜) Editor) (�폜�����܂�) (�NjL) Editor), (�NjL�����܂�) Aleksey (�폜) Sanin (�폜�����܂�) (�NjL) Sanin, (�NjL�����܂�) Jim Schaad, Soaring Hawk (�폜) Consulting (�폜�����܂�) (�NjL) Consulting, (�NjL�����܂�) Ed Simon, XMLsec (�폜) (Author) (�폜�����܂�) (�NjL) (Author), (�NjL�����܂�) Daniel Toth, (�폜) Ford (�폜�����܂�) (�NjL) Ford, (�NjL�����܂�) Yongge Wang, (�폜) Certicom (�폜�����܂�) (�NjL) Certicom, (�NjL�����܂�) Steve Wiley, (�폜) myProof (�폜�����܂�) (�NjL) myProof. (�NjL�����܂�)

Additionally, we thank the following for their comments during and subsequent to Last Call: Martin (�폜) D?rst, (�폜�����܂�) (�NjL) D�e�Vrst, (�NjL�����܂�) W3C , Dan Lanz, (�폜) Zolera (�폜�����܂�) (�NjL) Zolera, (�NjL�����܂�) Susan Lesch, W3C , David Orchard, BEA (�폜) Systems (�폜�����܂�) (�NjL) Systems, (�NjL�����܂�) Ronald Rivest, MIT .

(�NjL) Contributions for version 1.1 were received from the members of the XML Security Working Group: Scott Cantor, Juan Carlos Cruellas, Pratik Datta, Gerald Edgar, Ken Graf, Phillip Hallam-Baker, Brad Hill, Frederick Hirsch, Brian LaMacchia, Konrad Lanz, Hal Lockhart, Cynthia Martin, Rob Miller, Sean Mullan, Shivaram Mysore, Magnus Nystr�e�Jm, Bruce Rich, Thomas Roessler, Ed Simon, Chris Solc, John Wray, Kelvin Yiu. (�NjL�����܂�)

(�NjL) The working group also acknowledges the contribution of Juraj Somorovsky raising the issue of the CBC chosen ciphertext attack and contributions to revising the security considerations of XML Encryption 1.1. (�NjL�����܂�)

2.1 Encryption Granularity

(�NjL) This section is non-normative. (�NjL�����܂�)

(�NjL) Note: Examples in this document do not consider plaintext guessing attacks or other risks, and are only for illustrative purposes. (�NjL�����܂�)

Consider the following fictitious payment information, which includes identification information and information appropriate to a payment method (e.g., credit card, money transfer, or electronic check):

This markup represents that John Smith is using his credit card with a limit of 5,000�h��USD.

2.2 EncryptedData and EncryptedKey Usage

3.1 The EncryptedType Element

EncryptedType is the abstract type from which EncryptedData and EncryptedKey are derived. While these two latter element types are very similar with respect to their content models, a syntactical distinction is useful to processing. (�폜) Implementation MUST (�폜�����܂�) (�NjL) Implementations (�NjL�����܂�)(�NjL) must (�NjL�����܂�) generate laxly schema valid [ (�폜) XML-schema (�폜�����܂�) (�NjL) XMLSCHEMA-1 (�NjL�����܂�) (�NjL) ], [ (�NjL�����܂�)(�NjL) XMLSCHEMA-2 (�NjL�����܂�) ] EncryptedData or EncryptedKey (�NjL) elements (�NjL�����܂�) as specified by the subsequent schema declarations. (Note the laxly schema valid generation means that the content permitted by xsd:ANY need not be valid.) Implementations (�폜) SHOULD (�폜�����܂�) (�NjL) should (�NjL�����܂�) create these XML structures ( EncryptedType elements and their (�폜) descendents/content) (�폜�����܂�) (�NjL) descendants/content) (�NjL�����܂�) in Normalization Form C [ NFC (�폜) , NFC-Corrigendum (�폜�����܂�) ].

EncryptionMethod is an optional element that describes the encryption algorithm applied to the cipher data. If the element is absent, the encryption algorithm must be known by the recipient or the decryption will fail.

ds:KeyInfo is an optional element, defined by [ (�폜) XML-DSIG (�폜�����܂�) (�NjL) XMLDSIG-CORE1 (�NjL�����܂�) ], that carries information about the key used to encrypt the data. Subsequent sections of this specification define new elements that may appear as children of ds:KeyInfo .

CipherData is a mandatory element that contains the CipherValue or CipherReference with the encrypted data.

EncryptionProperties can contain additional information concerning the generation of the EncryptedType (e.g., date/time stamp).

Id is an optional attribute providing for the standard method of assigning a string id to the element within the document context.

Type is an optional attribute identifying type information about the plaintext form of the encrypted content. While optional, this specification takes advantage of it for (�폜) mandatory (�폜�����܂�) processing described in (�폜) Processing Rules: (�폜�����܂�) (�NjL) section 4.4 (�NjL�����܂�) Decryption (�폜) (section 4.2). (�폜�����܂�) . If the EncryptedData element contains data of Type 'element' or element 'content', and replaces that data in an XML document context, (�NjL) or contains data of (�NjL�����܂�)(�NjL) Type (�NjL�����܂�)(�NjL) 'EXI', (�NjL�����܂�) it is strongly recommended the Type attribute be provided. Without this information, the decryptor will be unable to automatically restore the XML document to its original cleartext form.

MimeType is an optional (advisory) attribute which describes the media type of the data which has been encrypted. The value of this attribute is a string with values defined by [ (�폜) MIME (�폜�����܂�) (�NjL) RFC2045 (�NjL�����܂�) ]. For example, if the data that is encrypted is a base64 encoded PNG, the transfer Encoding may be specified as ' http://www.w3.org/2000/09/xmldsig#base64 ' and the MimeType as 'image/png'. This attribute is purely advisory; no validation of the MimeType information is required and it does not indicate the encryption application must do any additional processing. Note, this information may not be necessary if it is already bound to the identifier in the Type attribute. For example, the Element and Content types defined in this specification are always UTF-8 encoded text. (�NjL) In the case of Type EXI the MimeType attribute is not necessary, but if used should reflect the underlying type and not "EXI". (�NjL�����܂�)

(�NjL) Encoding (�NjL�����܂�)(�NjL) is an optional (advisory) attribute which describes the transfer encoding of the data that has been encrypted. (�NjL�����܂�)

3.2 The EncryptionMethod Element

EncryptionMethod is an optional element that describes the encryption algorithm applied to the cipher data. If the element is absent, the encryption algorithm must be known (�폜) by (�폜�����܂�) (�NjL) to (�NjL�����܂�) the recipient or the decryption will fail.

The permitted child elements of the EncryptionMethod are determined by the specific value of the Algorithm attribute URI, and the KeySize child element is always permitted. For example, the RSA-OAEP algorithm (�NjL) ( (�NjL�����܂�)(�NjL) section 5.5.2 RSA-OAEP (�NjL�����܂�) (�폜) (section 5.4.2) (�폜�����܂�) (�NjL) ) (�NjL�����܂�) uses the ds:DigestMethod and OAEPparams (�폜) elements. (�폜�����܂�) (�NjL) elements, and may use the (�NjL�����܂�)(�NjL) xenc11:MGF (�NjL�����܂�)(�NjL) element when needed. (�NjL�����܂�) (We rely upon the ANY schema construct because it is not possible to specify element content based on the value of an attribute.)

The presence of any child element under EncryptionMethod (�폜) which (�폜�����܂�) (�NjL) that (�NjL�����܂�) is not permitted by the algorithm or the presence of a KeySize child inconsistent with the algorithm (�폜) MUST (�폜�����܂�) (�NjL) must (�NjL�����܂�) be treated as an error. (All algorithm URIs specified in this document imply a key size but this is not true in general. Most popular stream cipher algorithms take variable size keys.)

3.3 The CipherData Element

The CipherData is a mandatory element that provides the encrypted data. It must either contain the encrypted octet sequence as base64 encoded text (�NjL) as element content (�NjL�����܂�) of the CipherValue element, or provide a reference to an external location containing the encrypted octet sequence via the CipherReference element.

(�폜) <complexType name='TransformsType'> <sequence> <element ref='ds:Transform' maxOccurs='unbounded'/> </sequence> </complexType> (�폜�����܂�) 3.4 The EncryptedData Element

The EncryptedData element is the core element in the syntax. Not only does its CipherData child contain the encrypted data, but it's also the element that replaces the encrypted element, or (�NjL) element content, or (�NjL�����܂�) serves as the new document root.

3.5 Extensions to ds:KeyInfo Element

There are three ways that the keying material needed to decrypt CipherData can be provided:

1. The EncryptedData or EncryptedKey element specify the associated keying material via a child of ds:KeyInfo . All of the child elements of ds: KeyInfo specified in [ (�폜) XML-DSIG (�폜�����܂�) (�NjL) XMLDSIG-CORE1 (�NjL�����܂�) ] (�폜) MAY (�폜�����܂�) (�NjL) may (�NjL�����܂�) be used as qualified:
   1. Support for ds:KeyValue is (�폜) OPTIONAL (�폜�����܂�) (�NjL) optional (�NjL�����܂�) and may be used to transport public keys, such as (�NjL) Diffie-Hellman Key Values ( (�NjL�����܂�)(�NjL) section 5.6.1 (�NjL�����܂�) Diffie-Hellman Key Values (�폜) (section 5.5.1). (�폜�����܂�) (�NjL) ). (�NjL�����܂�) (Including the plaintext decryption key, whether a private key or a secret key, is obviously (�폜) NOT RECOMMENDED.) (�폜�����܂�) (�NjL) not recommended (�NjL�����܂�).)
   2. Support of ds:KeyName to refer to an EncryptedKey CarriedKeyName is (�폜) RECOMMENDED. (�폜�����܂�) (�NjL) recommended (�NjL�����܂�).
   3. Support for same document ds:RetrievalMethod is (�폜) REQUIRED. (�폜�����܂�) (�NjL) required (�NjL�����܂�).

   In addition, we provide two additional child elements: applications (�폜) MUST (�폜�����܂�) (�NjL) must (�NjL�����܂�) support EncryptedKey (�폜) (section 3.5.1) (�폜�����܂�) (�NjL) ( (�NjL�����܂�)(�NjL) section 3.5.1 The EncryptedKey Element (�NjL�����܂�) (�NjL) ) (�NjL�����܂�) and (�폜) MAY (�폜�����܂�) (�NjL) may (�NjL�����܂�) support AgreementMethod (�폜) (section 5.5). (�폜�����܂�) (�NjL) ( (�NjL�����܂�)(�NjL) section 5.6 Key Agreement (�NjL�����܂�) (�NjL) ). (�NjL�����܂�)

2. A detached (not inside ds:KeyInfo ) EncryptedKey element can specify the EncryptedData or EncryptedKey to which its decrypted key will apply via a DataReference or KeyReference (�NjL) ( (�NjL�����܂�)(�NjL) section 3.6 The ReferenceList Element (�NjL�����܂�) (�폜) (section 3.6). (�폜�����܂�) (�NjL) ). (�NjL�����܂�)
3. The keying material can be determined by the recipient by application context and thus need not be explicitly mentioned in the transmitted XML.

3.6 The ReferenceList Element

ReferenceList is an element that contains pointers from a key value of an EncryptedKey (�NjL) or (�NjL�����܂�)(�NjL) DerivedKey (�NjL�����܂�) to items encrypted by that key value ( EncryptedData or EncryptedKey elements).

DataReference elements are used to refer to EncryptedData elements that were encrypted using the key defined in the enclosing EncryptedKey (�NjL) or (�NjL�����܂�)(�NjL) DerivedKey (�NjL�����܂�) element. Multiple DataReference elements can occur if multiple EncryptedData elements exist that are encrypted by the same key.

KeyReference elements are used to refer to EncryptedKey elements that were encrypted using the key defined in the enclosing EncryptedKey (�NjL) or (�NjL�����܂�)(�NjL) DerivedKey (�NjL�����܂�) element. Multiple KeyReference elements can occur if multiple EncryptedKey elements exist that are encrypted by the same key.

For both types of references one may optionally specify child elements to aid the recipient in retrieving the EncryptedKey and/or EncryptedData elements. These could include information such as XPath transforms, decompression transforms, or information on how to retrieve the elements from a document storage facility. For example:

3.7 The EncryptionProperties Element

Identifier

Type="http://www.w3.org/2001/04/xmlenc#EncryptionProperties"

(This can be used within a ds:Reference element to identify the referent's type.)

Additional information items concerning the generation of the EncryptedData or EncryptedKey can be placed in an EncryptionProperty element (e.g., date/time stamp or the serial number of cryptographic hardware used during encryption). The Target attribute identifies the EncryptedType structure being described. anyAttribute permits the inclusion of attributes from the XML namespace to be included (i.e., xml:space , xml:lang , and xml:base ).

4.1 (�NjL) Intended Application Model (�NjL�����܂�)

(�NjL) The processing rules for XML Encryption are designed around an intended application model that this version of the specification does not cover normatively. (�NjL�����܂�)

(�NjL) In the intended processing model, XML Encryption is used to encrypt an octet-stream, an EXI stream, or a fragment of an XML document that matches either the (�NjL�����܂�)(�NjL) content (�NjL�����܂�)(�NjL) or (�NjL�����܂�)(�NjL) element (�NjL�����܂�)(�NjL) production from [ (�NjL�����܂�)(�NjL) XML10 (�NjL�����܂�) (�NjL) ]. (�NjL�����܂�)

(�NjL) If XML Encryption is used with some octet-stream, the precise encoding and meaning of that octet-stream is up to the application, but treated as opaque by the Encryptor or Decryptor. The application may use the (�NjL�����܂�)(�NjL) Type (�NjL�����܂�),(�NjL) Encoding (�NjL�����܂�)(�NjL) and (�NjL�����܂�)(�NjL) MimeType (�NjL�����܂�)(�NjL) parameters to transport further information about the nature of that octet-stream. Hence, an unknown (�NjL�����܂�)(�NjL) Type (�NjL�����܂�)(�NjL) parameter is, in general, not treated as an error by either the Encryptor or Decryptor, but instead simply passed through, along with the other relevant parameters and the cleartext octet-stream. (�NjL�����܂�)

(�NjL) If XML Encryption is used with an XML (�NjL�����܂�)(�NjL) element (�NjL�����܂�)(�NjL) or XML (�NjL�����܂�)(�NjL) content (�NjL�����܂�),(�NjL) then Encryptors and Decryptors commonly perform type-specific processing: (�NjL�����܂�)

• (�NjL) If an (�NjL�����܂�)(�NjL) element (�NjL�����܂�)(�NjL) is encrypted, then the Encryptor will replace the element in question with an appropriately constructed (�NjL�����܂�)(�NjL) EncryptedData (�NjL�����܂�)(�NjL) element. The Decryptor will, conversely, replace the (�NjL�����܂�)(�NjL) EncryptedData (�NjL�����܂�)(�NjL) element with its cleartext. (�NjL�����܂�)
• (�NjL) If XML (�NjL�����܂�)(�NjL) content (�NjL�����܂�)(�NjL) is encrypted, then the Encryptor will likewise replace this content with an appropriately constructed (�NjL�����܂�)(�NjL) EncryptedData (�NjL�����܂�)(�NjL) element, and the Decryptor will reverse this operation. (�NjL�����܂�)

(�NjL) Note that the intended Encryptor behavior will often cause the document with encrypted parts to become invalid with respect to its schema for the hosting XML format, unless that format is specifically prepared to be used with XML Encryption. An Encryptor or Decryptor that implements the intended processing model is (�NjL�����܂�)(�NjL) not required (�NjL�����܂�)(�NjL) to ensure that the resulting XML is schema-valid for the hosting XML format. (�NjL�����܂�)

(�NjL) If XML processing is handled inside the Encryptor and Decryptor, and the (�NjL�����܂�)(�NjL) Type (�NjL�����܂�)(�NjL) attribute values for (�NjL�����܂�)(�NjL) element (�NjL�����܂�)(�NjL) and (�NjL�����܂�)(�NjL) content (�NjL�����܂�)(�NjL) cleartext are used, then the Encryptor and Decryptor (�NjL�����܂�)(�NjL) must (�NjL�����܂�)(�NjL) ensure that the XML cleartext is serialized as UTF-8 before encryption, and -- if needed -- converted back to whatever other encoding might be used by the surrounding XML context. (�NjL�����܂�)

(�NjL) If XML (�NjL�����܂�) Encryption (�NjL) is used with an EXI stream [ (�NjL�����܂�)(�NjL) EXI (�NjL�����܂�) (�NjL) ], then Encryptors and Decryptors process content as for XML element or XML content processing, but taking into account EXI serialization. In particular, the encryptor will replace the XML element or XML fragment in question with an appropriately constructed EncryptedData element. The Decryptor will conversely replace the EncryptedData element with its cleartext XML element or XML fragment. Note that the XML document into which the EncryptedData element is embedded may be encoded using EXI and/or EXI may be used to encode the cleartext before encryption. (�NjL�����܂�)

(�NjL) 4.2 (�NjL�����܂�)(�NjL) Well-known (�NjL�����܂�)(�NjL) Type (�NjL�����܂�)(�NjL) parameter values (�NjL�����܂�)

For (�NjL) interoperability purposes, the following types (�NjL�����܂�)(�NjL) must (�NjL�����܂�)(�NjL) be implemented such that an implementation will be able to take as input and yield as output data matching the production rules 39 and 43 from [ (�NjL�����܂�)(�NjL) XML10 (�NjL�����܂�) (�NjL) ]: (�NjL�����܂�)

(�NjL) element (�NjL�����܂�) (�NjL) ' (�NjL�����܂�)(�NjL) http://www.w3.org/2001/04/xmlenc#Element (�NjL�����܂�) (�NjL) ' (�NjL�����܂�)

(�NjL) "[39] (�NjL�����܂�)(�NjL) element (�NjL�����܂�) (�NjL) ::= (�NjL�����܂�)(�NjL) EmptyElemTag (�NjL�����܂�) (�NjL) | (�NjL�����܂�)(�NjL) STag (�NjL�����܂�) (�NjL) content (�NjL�����܂�) (�NjL) ETag (�NjL�����܂�) (�NjL) " (�NjL�����܂�)

(�NjL) content (�NjL�����܂�) (�NjL) ' (�NjL�����܂�)(�NjL) http://www.w3.org/2001/04/xmlenc#Content (�NjL�����܂�) (�NjL) ' (�NjL�����܂�)

(�NjL) "[43] (�NjL�����܂�)(�NjL) content (�NjL�����܂�) (�NjL) ::= (�NjL�����܂�)(�NjL) CharData (�NjL�����܂�) (�NjL) ? (( (�NjL�����܂�)(�NjL) element (�NjL�����܂�) (�NjL) | (�NjL�����܂�)(�NjL) Reference (�NjL�����܂�) (�NjL) | (�NjL�����܂�)(�NjL) CDSect (�NjL�����܂�) (�NjL) | (�NjL�����܂�)(�NjL) PI (�NjL�����܂�) (�NjL) | (�NjL�����܂�)(�NjL) Comment (�NjL�����܂�) (�NjL) ) (�NjL�����܂�)(�NjL) CharData (�NjL�����܂�) (�NjL) ?)*" (�NjL�����܂�)

(�NjL) Support for the following type is (�NjL�����܂�)(�NjL) optional (�NjL�����܂�)(�NjL) for Encryptors and Decryptors: (�NjL�����܂�)

(�NjL) http://www.w3.org/2009/xmlenc11#EXI (�NjL�����܂�)

(�NjL) Presence of this (�NjL�����܂�)(�NjL) Type (�NjL�����܂�)(�NjL) indicates that the cleartext is an EXI stream [ (�NjL�����܂�)(�NjL) EXI (�NjL�����܂�) (�NjL) ]. Encryptors and Decryptors that support this type (�NjL�����܂�)(�NjL) may (�NjL�����܂�)(�NjL) operate directly on (parts of) EXI streams. (�NjL�����܂�)

(�NjL) Encryptors and Decryptors (�NjL�����܂�)(�NjL) should (�NjL�����܂�)(�NjL) handle unknown or empty (�NjL�����܂�)(�NjL) Type (�NjL�����܂�)(�NjL) attribute values as a signal that the cleartext is to be handled as an opaque octet-stream, whose specific processing is up to the invoking application. In this case, the (�NjL�����܂�)(�NjL) Type (�NjL�����܂�),(�NjL) MimeType (�NjL�����܂�)(�NjL) and (�NjL�����܂�)(�NjL) Encoding (�NjL�����܂�)(�NjL) parameters (�NjL�����܂�)(�NjL) should (�NjL�����܂�)(�NjL) be treated as opaque data whose appropriate processing is up to the application. (�NjL�����܂�)

(�NjL) 4.3 (�NjL�����܂�)(�NjL) Encryption (�NjL�����܂�)

(�NjL) The selection of the algorithm, parameters, and encryption keys is out of scope for this specification. (�NjL�����܂�)

(�NjL) The cleartext data are assumed to be present as an octet stream. If the cleartext is of type (�NjL�����܂�)(�NjL) element (�NjL�����܂�)(�NjL) or (�NjL�����܂�)(�NjL) content (�NjL�����܂�),(�NjL) the data (�NjL�����܂�)(�NjL) must (�NjL�����܂�)(�NjL) be serialized in UTF-8 as specified in [ (�NjL�����܂�)(�NjL) XML10 (�NjL�����܂�) (�NjL) ], using Normal Form C [ (�NjL�����܂�)(�NjL) NFC (�NjL�����܂�) (�NjL) ]. (�NjL�����܂�)

(�NjL) For (�NjL�����܂�) each data item to be encrypted as an EncryptedData or EncryptedKey (�폜) (elements derived from EncryptedType ), (�폜�����܂�) (�NjL) element, (�NjL�����܂�) the encryptor (�폜) must: (�폜�����܂�) (�NjL) must (�NjL�����܂�):

1. (�폜) Select the algorithm (and parameters) to be used in encrypting this data. (�폜�����܂�) Obtain (�NjL) (or derive) (�NjL�����܂�) and (optionally) represent the key.

   1. If the key is to be identified (via naming, URI, or included in a child element), construct the ds:KeyInfo as (�폜) approriate (�폜�����܂�) (�NjL) appropriate (�NjL�����܂�) (e.g., ds:KeyName , ds:KeyValue , ds:RetrievalMethod , etc.)

   2. If the key itself is to be encrypted, construct an EncryptedKey element by recursively applying this encryption process. The result may then be a child of ds:KeyInfo , or it may exist elsewhere and may be identified in the preceding step.

   3. (�폜) Encrypt the data (�폜�����܂�)

      If the (�폜) data is an ' element ' [ XML , section 3] or (�폜�����܂�) (�NjL) key was derived from a master key, construct a (�NjL�����܂�)(�NjL) DerivedKey (�NjL�����܂�) element (�폜) ' content ' [ XML , section 3.1], obtain the octets by serializing the data in UTF-8 (�폜�����܂�) (�NjL) with associated child elements. The result may, (�NjL�����܂�) as (�폜) specified (�폜�����܂�) in (�폜) [ XML ]. (The application MUST provide XML data in [ NFC ].) Serialization MAY be done by the encryptor . If the encryptor does not serialize, then the application MUST perform (�폜�����܂�) the (�폜) serialization. If the data is (�폜�����܂�) (�NjL) EncryptedKey (�NjL�����܂�)(�NjL) case, be a child (�NjL�����܂�) of (�폜) any other type that is not already octets, the application MUST serialize (�폜�����܂�) (�NjL) ds:KeyInfo (�NjL�����܂�),(�NjL) or (�NjL�����܂�) it (�폜) as octets. (�폜�����܂�) (�NjL) may exist elsewhere. (�NjL�����܂�)

2. (�NjL) Encrypt the data: (�NjL�����܂�)

   1. Encrypt the octets using the algorithm and (�폜) key from steps 1 and 2. (�폜�����܂�) (�NjL) key. (�NjL�����܂�)

   2. Unless the decryptor will implicitly know the type of the encrypted data, the encryptor (�폜) SHOULD provide (�폜�����܂�) (�NjL) should (�NjL�����܂�)(�NjL) set (�NjL�����܂�) the (�폜) type for representation. The definition of this type as bound to an identifier specifies how (�폜�����܂�) (�NjL) Type (�NjL�����܂�) to (�폜) obtain and interpret the plaintext octets after decryption. For example, the idenifier could (�폜�����܂�) indicate (�폜) that (�폜�����܂�) the (�폜) data is an instance (�폜�����܂�) (�NjL) intended interpretation (�NjL�����܂�) of (�폜) another application (e.g., some XML compression application) that must be further processed. Or, if (�폜�����܂�) (�NjL) the cleartext data. See (�NjL�����܂�)(�NjL) section 4.2 Well-known Type parameter values (�NjL�����܂�) (�NjL) for known parameter values. (�NjL�����܂�)

      (�NjL) If (�NjL�����܂�) the data is a simple octet sequence it (�폜) MAY (�폜�����܂�) (�NjL) may (�NjL�����܂�) be described with the MimeType and Encoding attributes. For example, the data might be an XML document ( MimeType="text/xml" ), sequence of characters ( MimeType="text/plain" ), or binary image data ( MimeType="image/png ").

3. Build the (�폜) EncryptedType ( (�폜�����܂�) EncryptedData or EncryptedKey (�폜) ) (�폜�����܂�) structure:

   An (�폜) EncryptedType (�폜�����܂�) (�NjL) EncryptedData (�NjL�����܂�)(�NjL) or (�NjL�����܂�)(�NjL) EncryptedKey (�NjL�����܂�) structure represents all of the information previously discussed including the type of the encrypted data, encryption algorithm, parameters, key, type of the encrypted data, etc.

   1. If the encrypted octet sequence obtained in step (�폜) 3 (�폜�����܂�) (�NjL) 2 (�NjL�����܂�) is to be stored in the CipherData element within the (�폜) EncryptedType , (�폜�����܂�) (�NjL) EncryptedData (�NjL�����܂�)(�NjL) or (�NjL�����܂�)(�NjL) EncryptedKey (�NjL�����܂�)(�NjL) element, (�NjL�����܂�) then the (�NjL) base64 representation of the (�NjL�����܂�) encrypted octet sequence is (�폜) base64 encoded and (�폜�����܂�) inserted as the content of a CipherValue element.

   2. If the encrypted octet sequence is (�폜) to be (�폜�����܂�) stored externally to the (�폜) EncryptedType (�폜�����܂�) (�NjL) EncryptedData (�NjL�����܂�) (�폜) structure, then store (�폜�����܂�) or (�폜) return the encrypted octet sequence, and represent (�폜�����܂�) (�NjL) EncryptedKey (�NjL�����܂�)(�NjL) element, then (�NjL�����܂�) the URI and transforms (if any) required for the (�폜) decryptor (�폜�����܂�) (�NjL) Decryptor (�NjL�����܂�) to retrieve the encrypted octet sequence (�NjL) are described (�NjL�����܂�) within a CipherReference element. (�폜) Process EncryptedData If the Type of the encrypted data is ' element ' or element ' content ', then the encryptor MUST be able to return the EncryptedData element to the application . The application MAY use this as the top-level element in a new XML document or insert it into another XML document, which may require a re-encoding. The encryptor SHOULD be able to replace the unencrypted 'element' or 'content' with the EncryptedData element. When an application requires an XML element or content to be replaced, it supplies the XML document context in addition to identifying the element or content to be replaced. The encryptor removes the identified element or content and inserts the EncryptedData element in its place. (�폜�����܂�)

      (�폜) (Note: If the Type is "content" the document resulting from decryption will not be well-formed if (a) the original plaintext was not well-formed (e.g., PCDATA by itself is not well-formed) and (b) the EncryptedData element was previously the root element of the document) If the Type of the encrypted data is not ' element ' or element ' content ', then the encryptor MUST always return the EncryptedData element to the application . The application MAY use this as the top-level element in a new XML document or insert it into another XML document, which may require a re-encoding. (�폜�����܂�)

(�폜) 4.2 (�폜�����܂�) (�NjL) 4.4 (�NjL�����܂�) Decryption

For each (�폜) EncryptedType derived element, (i.e., (�폜�����܂�) EncryptedData or EncryptedKey (�폜) ), (�폜�����܂�) to be decrypted, the decryptor (�폜) must: (�폜�����܂�) (�NjL) must (�NjL�����܂�):

1. (�폜) Process the element to determine (�폜�����܂�) (�NjL) Determine (�NjL�����܂�) the algorithm, parameters and (�폜) ds:KeyInfo element (�폜�����܂�) (�NjL) key information (�NjL�����܂�) to be used. (�폜) If some (�폜�����܂�) (�NjL) This (�NjL�����܂�) information (�폜) is omitted, the application MUST supply it. Locate the data encryption key (�폜�����܂�) (�NjL) may be obtained out-of-band, or determined (�NjL�����܂�) according to (�폜) the (�폜�����܂�) (�NjL) a (�NjL�����܂�) ds:KeyInfo (�폜) element, which may contain one or more children elements. These children have no implied processing order. If the data encryption key is encrypted, locate the corresponding key (�폜�����܂�) (�NjL) element; see (�NjL�����܂�)(�NjL) section 3.5 Extensions (�NjL�����܂�) to (�폜) decrypt it. (This may be a recursive step as the key-encryption key may itself be encrypted.) Or, one might retrieve the data encryption key from a local store using the provided attributes or implicit binding. (�폜�����܂�) (�NjL) ds:KeyInfo Element (�NjL�����܂�).

2. Decrypt the data contained in the CipherData element.

   1. If a CipherValue child element is present, then the associated text value is retrieved and base64 decoded so as to obtain the encrypted octet sequence.

   2. If a CipherReference child element is present, the URI and transforms (if any) are used to retrieve the encrypted octet sequence.

   3. The encrypted octet sequence is decrypted using the (�폜) algorithm/parameters (�폜�����܂�) (�NjL) algorithm, parameters (�NjL�����܂�) and key value already determined from (�폜) steps 1 and 2. Process decrypted data of Type ' element ' or element ' content '. The cleartext octet sequence obtained in (�폜�����܂�) step (�폜) 3 is interpreted as UTF-8 encoded character data. The decryptor MUST be able to return the value of Type and the UTF-8 encoded XML character data. The decryptor is NOT REQUIRED to perform validation on the serialized XML. The decryptor SHOULD support the ability to replace the EncryptedData element with the decrypted ' element ' or element ' content ' represented by the UTF-8 encoded characters. The decryptor is NOT REQUIRED to perform validation on the result of this replacement operation. The application supplies the XML document context and identifies the EncryptedData element being replaced. If the document into which the replacement is occurring is not UTF-8, the decryptor MUST transcode the UTF-8 encoded characters into the target encoding. (�폜�����܂�) (�NjL) 1. (�NjL�����܂�)

      (�폜) Process decrypted data if Type is unspecified or is not ' element ' or element ' content '. The cleartext octet sequence obtained in Step 3 MUST be returned to the application for further processing along with the Type , MimeType , and Encoding attribute values when specified. MimeType and Encoding are advisory. The Type value is normative as it may contain information necessary for the processing or interpration of the data by the application. Note, this step includes processing data decrypted from an EncryptedKey . The cleartext octet sequence represents a key value and is used by the application in decrypting other EncryptedType element(s). (�폜�����܂�)

(�폜) 4.3 (�폜�����܂�) (�NjL) 4.5 (�NjL�����܂�) XML Encryption

Encryption and decryption operations are (�폜) transforms (�폜�����܂�) (�NjL) operations (�NjL�����܂�) on octets. The application is responsible for the marshalling XML such that it can be serialized into an octet sequence, encrypted, decrypted, and be of use to the recipient.

For example, if the application wishes to canonicalize its data or encode/compress the data in an XML packaging format, the application needs to marshal the XML accordingly and identify the resulting type via the EncryptedData Type attribute. The likelihood of successful decryption and subsequent processing will be dependent on the recipient's support for the given type. Also, if the data is intended to be processed both before encryption and after decryption (e.g., XML Signature [ (�폜) XML-DSIG (�폜�����܂�) (�NjL) XMLDSIG-CORE1 (�NjL�����܂�) ] validation or an XSLT transform) the encrypting application must be careful to preserve information necessary for that process's success.

(�폜) For interoperability purposes, the following types MUST be implemented such that an implementation will be able to take as input and yield as output data matching the production rules 39 and 43 from [ XML ]: element ' http://www.w3.org/2001/04/xmlenc#Element ' "[39] element ::= EmptyElemTag | STag content ETag " content ' http://www.w3.org/2001/04/xmlenc#Content ' "[43] content ::= CharData ? (( element | Reference | CDSect | PI | Comment ) CharData ?)*" (�폜�����܂�) The following sections contain specifications for decrypting, replacing, and serializing XML content (i.e., Type ' element ' or element ' content ') using the [ (�폜) XPath (�폜�����܂�) (�NjL) XPATH (�NjL�����܂�) ] data model. These sections are non-normative and (�폜) OPTIONAL (�폜�����܂�) (�NjL) optional (�NjL�����܂�) to (�폜) implementors (�폜�����܂�) (�NjL) implementers (�NjL�����܂�) of this specification, but they may be normatively referenced by and (�폜) MANDATORY to (�폜�����܂�) (�NjL) be required by (�NjL�����܂�) other specifications that require a consistent processing for applications, such as [ (�폜) XML-DSIG-Decrypt (�폜�����܂�) (�NjL) XMLENC-DECRYPT (�NjL�����܂�) ].

<ToBeEncrypted
xmlns=""></ToBeEncrypted>

5.1 Algorithm Identifiers and Implementation Requirements

All algorithms listed below have implicit parameters depending on their role. For example, the data to be encrypted or decrypted, keying material, and direction of operation (encrypting or decrypting) for encryption algorithms. Any explicit additional parameters to an algorithm appear as content elements within the element. Such parameter child elements have descriptive element names, which are frequently algorithm specific, and (�폜) SHOULD (�폜�����܂�) (�NjL) should (�NjL�����܂�) be in the same namespace as this XML Encryption specification, the XML Signature specification, or in an algorithm specific namespace. An example of such an explicit parameter could be a nonce (unique quantity) provided to a key agreement algorithm.

This specification defines a set of algorithms, their URIs, and requirements for implementation. Levels of requirement specified, such as (�폜) "REQUIRED" (�폜�����܂�) (�NjL) " (�NjL�����܂�)(�NjL) required (�NjL�����܂�)(�NjL) " (�NjL�����܂�) or (�폜) "OPTIONAL", refere (�폜�����܂�) (�NjL) " (�NjL�����܂�)(�NjL) optional (�NjL�����܂�)(�NjL) ", refer (�NjL�����܂�) to implementation, not use. Furthermore, the mechanism is extensible, and alternative algorithms may be used.

5.2 Block Encryption Algorithms

Block encryption algorithms are designed for encrypting and decrypting data in fixed size, multiple octet blocks. Their identifiers appear as the value of the Algorithm attributes of EncryptionMethod elements that are children of EncryptedData .

(�NjL) Note (�NjL�����܂�):(�NjL) CBC block encryption algorithms should not be used without consideration of (�NjL�����܂�)(�NjL) possibly severe security risks (�NjL�����܂�).

Block encryption algorithms take, as implicit arguments, the data to be encrypted or decrypted, the keying material, and their direction of operation. For all of these algorithms specified below, an initialization vector (IV) is required that is encoded with the cipher text. For user specified block encryption algorithms, the IV, if any, could be specified as being with the cipher data, as an algorithm content element, or elsewhere.

The IV is encoded with and before the cipher text for the algorithms below for ease of availability to the decryption code and to emphasize its association with the cipher text. Good cryptographic practice requires that a different IV be used for every encryption.

5.3 Stream Encryption Algorithms

Simple stream encryption algorithms generate, based on the key, a stream of bytes which are XORed with the plain text data bytes to produce the cipher text on encryption and with the cipher text bytes to produce plain text on decryption. They are normally used for the encryption of data and are specified by the value of the Algorithm attribute of the EncryptionMethod child of an EncryptedData element.

NOTE: It is critical that each simple stream encryption key (or key and initialization vector (IV) if an IV is also used) be used once only. If the same key (or key and IV) is ever used on two messages then, by XORing the two cipher texts, you can obtain the XOR of the two plain texts. This is usually very compromising.

No specific stream encryption algorithms are specified herein but this section is included to provide general guidelines.

Stream algorithms typically use the optional KeySize explicit parameter. In cases where the key size is not apparent from the algorithm URI or key source, as in the use of key agreement methods, this parameter sets the key size. If the size of the key to be used is apparent and disagrees with the KeySize parameter, an error (�폜) MUST (�폜�����܂�) (�NjL) must (�NjL�����܂�) be returned. Implementation of any stream algorithms is optional. The schema for the KeySize parameter is as follows:

5.4 Key (�폜) Transport (�폜�����܂�) (�NjL) Derivation (�NjL�����܂�)

(�NjL) Key derivation is a well-established mechanism for generating new cryptographic key material from some existing, original ("master") key material and potentially other information. Derived keys are used for a variety of purposes including data encryption and message authentication. The reason for doing key derivation itself is typically a combination of a desire to expand a given, but limited, set of original key material and prudent security practices of limiting use (exposure) of such key material. Key separation (such as avoiding use of the same key material for multiple purposes) is an example of such practices. (�NjL�����܂�)

(�NjL) The key derivation process may be based on passphrases agreed upon or remembered by users, or it can be based on some shared "master" cryptographic keys (and be intended to reduce exposure of such master keys), etc. Derived keys themselves may be used in XML Signature and XML Encryption as any other keys; in particular, they may be used to compute message authentication codes (e.g. digital signatures using symmetric keys) or for encryption/decryption purposes. (�NjL�����܂�)

(�NjL) 5.5 (�NjL�����܂�)(�NjL) Key Transport (�NjL�����܂�)

Key Transport algorithms are public key encryption algorithms especially specified for encrypting and decrypting keys. Their identifiers appear as Algorithm attributes to EncryptionMethod elements that are children of EncryptedKey . EncryptedKey is in turn the child of a ds:KeyInfo element. The type of key being transported, that is to say the algorithm in which it is planned to use the transported key, is given by the Algorithm attribute of the EncryptionMethod child of the EncryptedData or EncryptedKey parent of this ds:KeyInfo element.

(Key Transport algorithms may optionally be used to encrypt data in which case they appear directly as the Algorithm attribute of an EncryptionMethod child of an EncryptedData element. Because they use public key algorithms directly, Key Transport algorithms are not efficient for the transport of any amounts of data significantly larger than symmetric keys.)

CRYPT


(


PAD


(


KEY


))

02



|
(�폜) PS*
 (�폜�����܂�)


(�NjL) PS
 (�NjL�����܂�)(�NjL) 
*
 (�NjL�����܂�)
|



00



|


key

<EncryptionMethodAlgorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><OAEPparams>9lWu3Q==</OAEPparams><ds:DigestMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

<EncryptionMethod>

(�폜) 5.5 (�폜�����܂�) (�NjL) 5.6 (�NjL�����܂�) Key Agreement

A Key Agreement algorithm provides for the derivation of a shared secret key based on a shared secret computed from certain types of compatible public keys from both the sender and the recipient. Information from the originator to determine the secret is indicated by an optional OriginatorKeyInfo parameter child of an AgreementMethod element while that associated with the recipient is indicated by an optional RecipientKeyInfo . A shared key is derived from this shared secret by a method determined by the Key Agreement algorithm.

Note: XML Encryption does not provide an (�폜) on-line (�폜�����܂�) (�NjL) online (�NjL�����܂�) key agreement negotiation protocol. The AgreementMethod element can be used by the originator to identify the keys and computational procedure that were used to obtain a shared encryption key. The method used to obtain or select the keys or algorithm used for the agreement computation is beyond the scope of this specification.

The AgreementMethod element appears as the content of a ds:KeyInfo since, like other ds:KeyInfo children, it yields a key. This ds:KeyInfo is in turn a child of an EncryptedData or EncryptedKey element. The Algorithm attribute and KeySize child of the EncryptionMethod element under this EncryptedData or EncryptedKey element are implicit parameters to the key agreement computation. In cases where this EncryptionMethod algorithm URI is insufficient to determine the key length, a KeySize (�폜) MUST (�폜�����܂�) (�NjL) must (�NjL�����܂�) have been included.

(�NjL) Key derivation algorithms (with associated parameters) may be explicitly declared by using the (�NjL�����܂�)(�NjL) xenc11:KeyDerivationMethod (�NjL�����܂�)(�NjL) element. This element will then be placed at the extensibility point of the (�NjL�����܂�)(�NjL) xenc:AgreementMethodType (�NjL�����܂�)(�NjL) (see below). (�NjL�����܂�)

In addition, the sender may place a KA-Nonce element under AgreementMethod to assure that different keying material is generated even for repeated agreements using the same sender and recipient public keys. For example:

If the agreed key is being used to wrap a key, rather than data as above, then AgreementMethod would appear inside a ds:KeyInfo inside an EncryptedKey element.

The Schema for AgreementMethod is as follows:

Keying



Material



=
(�폜) KM(1)
 (�폜�����܂�)


(�NjL) KM
 (�NjL�����܂�)(�NjL) 
(
 (�NjL�����܂�)(�NjL) 
1
 (�NjL�����܂�)(�NjL) 
)
 (�NjL�����܂�)
|
(�폜) KM(2)
 (�폜�����܂�)


(�NjL) KM
 (�NjL�����܂�)(�NjL) 
(
 (�NjL�����܂�)(�NjL) 
2
 (�NjL�����܂�)(�NjL) 
)
 (�NjL�����܂�)
|
(�폜) ...
 (�폜�����܂�)


...

KM(counter)=DigestAlg( ZZ | counter |EncryptionAlg|
(�NjL) KA
 (�NjL�����܂�)(�NjL) 
-
 (�NjL�����܂�)(�NjL) 
Nonce
 (�NjL�����܂�)
|



KeySize



)

(�NjL) 
SHA
 (�NjL�����܂�)(�NjL) 
-
 (�NjL�����܂�)(�NjL) 
1
 (�NjL�����܂�)
(
(�폜) ZZ01Example:Block/Algfoo80
 (�폜�����܂�)


(�NjL) ZZ01Example
 (�NjL�����܂�):(�NjL) 
Block
 (�NjL�����܂�)(�NjL) 
/
 (�NjL�����܂�)(�NjL) 
Algfoo80
 (�NjL�����܂�)
)

(�NjL) 
SHA
 (�NjL�����܂�)(�NjL) 
-
 (�NjL�����܂�)(�NjL) 
1
 (�NjL�����܂�)(�NjL) 
(
 (�NjL�����܂�)
0xDEADBEEF30314578616D706C653A426C6F636B2F416C67666F6F3830



)

0x534C9B8C4ABDCB50038B42015A181711068B08C1

(�폜) 5.6 (�폜�����܂�) (�NjL) 5.7 (�NjL�����܂�) Symmetric Key Wrap

Symmetric Key Wrap algorithms are shared secret key encryption algorithms especially specified for encrypting and decrypting symmetric keys. (�폜) Their identifiers appear as Algorithm attribute values to EncryptionMethod elements that (�폜�����܂�) (�NjL) When wrapped keys (�NjL�����܂�) are (�폜) children of (�폜�����܂�) (�NjL) used, then an (�NjL�����܂�) EncryptedKey (�폜) which is in turn (�폜�����܂�) (�NjL) element will appear as (�NjL�����܂�) a child of (�폜) ds:KeyInfo which is in turn (�폜�����܂�) a (�폜) child of (�폜�����܂�) (�폜) EncryptedData (�폜�����܂�) (�NjL) ds:KeyInfo (�NjL�����܂�) (�폜) or another (�폜�����܂�) (�NjL) element. This (�NjL�����܂�) EncryptedKey (�폜) . The type of the key being wrapped is indicated by the Algorithm (�폜�����܂�) (�폜) attribute of (�폜�����܂�) (�NjL) element will have an (�NjL�����܂�) EncryptionMethod child (�폜) of the parent of the ds:KeyInfo grandparent of the (�폜�����܂�) (�NjL) whose (�NjL�����܂�) (�폜) EncryptionMethod (�폜�����܂�) (�NjL) Algorithm (�NjL�����܂�) (�폜) specifying (�폜�����܂�) (�NjL) attribute in turn identifies (�NjL�����܂�) the (�폜) symmetric (�폜�����܂�) key wrap algorithm.

(�폜) Some key wrap algorithms make use of a key checksum as defined in CMS [ CMS-Wrap ]. (�폜�����܂�) The algorithm (�폜) that provides an integrity check value (�폜�����܂�) for (�NjL) which (�NjL�����܂�) the (�NjL) encrypted (�NjL�����܂�) key (�폜) being wrapped is: Compute the 20 octet SHA-1 hash (�폜�����܂�) (�NjL) is intended depends (�NjL�����܂�) on the (�폜) key being wrapped. Use the first 8 octets (�폜�����܂�) (�NjL) context (�NjL�����܂�) of (�폜) this hash (�폜�����܂�) (�NjL) the (�NjL�����܂�)(�NjL) ds:KeyInfo (�NjL�����܂�)(�NjL) element: (�NjL�����܂�)(�NjL) ds:KeyInfo (�NjL�����܂�)(�NjL) can occur (�NjL�����܂�) as (�NjL) a child of either an (�NjL�����܂�)(�NjL) EncryptedData (�NjL�����܂�)(�NjL) or (�NjL�����܂�)(�NjL) EncryptedKey (�NjL�����܂�)(�NjL) element; in both cases, (�NjL�����܂�)(�NjL) ds:KeyInfo (�NjL�����܂�)(�NjL) will have an (�NjL�����܂�)(�NjL) EncryptionMethod (�NjL�����܂�)(�NjL) sibling that identifies (�NjL�����܂�) the (�폜) checksum value. (�폜�����܂�) (�NjL) algorithm. (�NjL�����܂�)

(�폜) 5.7 (�폜�����܂�) (�NjL) 5.8 (�NjL�����܂�) Message Digest

Message digest algorithms can be used in AgreementMethod as part of the key derivation, within RSA-OAEP encryption as a hash function, and in connection with the HMAC message authentication code method (�NjL) [ (�NjL�����܂�)(�NjL) HMAC (�NjL�����܂�) (�NjL) ] (�NjL�����܂�) as described in [ (�폜) XML-DSIG (�폜�����܂�) (�NjL) XMLDSIG-CORE1 (�NjL�����܂�) ].) (�NjL) Use of SHA-256 is strongly recommended over SHA-1 because recent advances in cryptanalysis (see e.g. [ (�NjL�����܂�)(�NjL) SHA-1-Analysis (�NjL�����܂�) (�NjL) ], [ (�NjL�����܂�)(�NjL) SHA-1-Collisions (�NjL�����܂�) (�NjL) ] ) have cast doubt on the long-term collision resistance of SHA-1. Therefore, SHA-1 support is (�NjL�����܂�)(�NjL) required (�NjL�����܂�)(�NjL) in this specification only for backwards-compatibility reasons. (�NjL�����܂�)

A9993E36


4706816A


BA3E2571


7850C26C



9CD0D89D

5.9 Canonicalization

A Canonicalization of XML is a method of consistently serializing XML into an octet stream as is necessary prior to encrypting XML.

6.1 (�NjL) Chosen-Ciphertext Attacks (�NjL�����܂�)

(�NjL) A number of chosen-ciphertext attacks against implementations of this specification have been published and demonstrated. They all involve the following elements: (�NjL�����܂�)

1. (�NjL) The attacker knows about the format of the cleartext. (�NjL�����܂�)
2. (�NjL) The attacker is able to submit substantial numbers of ciphertext messages. (�NjL�����܂�)
3. (�NjL) The attacker is able to send arbitrary ciphertext, based on previous results. (�NjL�����܂�)
4. (�NjL) The attacker is able to force the server to use the same key (secret key by CBC-based attacks and server's private key by PKCS#1.5 attacks) for processing of the adapted ciphertext. (�NjL�����܂�)
5. (�NjL) The server attempting to decrypt the ciphertext in some way signals whether the decrypted text is well-formed or not. (�NjL�����܂�)

(�NjL) The attacker uses the knowledge of the format and the information about well-formedness to construct a series of ciphertext guesses which reveal the plaintext with much less work than brute force. Attacks of this type have been demonstrated against symmetric encryption using CBC mode [ (�NjL�����܂�)(�NjL) XMLENC-CBC-ATTACK (�NjL�����܂�) (�NjL) ][ (�NjL�����܂�)(�NjL) XMLENC-CBC-ATTACK-COUNTERMEASURES (�NjL�����܂�) (�NjL) ] and on PKCS#1 v1.5. Other future attacks can be expected whenever these conditions are met. (�NjL�����܂�)

(�NjL) 6.2 (�NjL�����܂�) Relationship to XML Digital Signatures

The application of both encryption and digital signatures over portions of an XML document can make subsequent decryption and signature verification difficult. In particular, when verifying a signature one must know whether the signature was computed over the encrypted or unencrypted form of elements.

A separate, but important, issue is introducing cryptographic vulnerabilities when combining digital signatures and encryption over a common XML element. Hal Finney has suggested that encrypting digitally signed data, while leaving the digital signature in the clear, may allow plaintext guessing attacks. This vulnerability can be mitigated by using secure hashes and the nonces in the text being processed.

In accordance with the requirements document [ (�폜) EncReq (�폜�����܂�) (�NjL) XML-ENCRYPTION-REQ (�NjL�����܂�) ] the interaction of encryption and signing is an application issue and out of scope of the specification. However, we make the following recommendations:

1. When data is encrypted, any digest or signature over that data should be encrypted. This satisfies the first issue in that only those signatures that can be seen can be validated. It also addresses the possibility of a plaintext guessing vulnerability, though it may not be possible to identify (or even know of) all the signatures over a given piece of data.

2. Employ the "decrypt-except" signature transform [ (�폜) XML-DSIG-Decrypt] . (�폜�����܂�) (�NjL) XMLENC-DECRYPT (�NjL�����܂�) (�NjL) ]. (�NjL�����܂�) It works as follows: during signature transform processing, if you encounter a decrypt transform, decrypt all encrypted content in the document except for those excepted by an enumerated set of references.

Additionally, while the following warnings pertain to incorrect inferences by the user about the authenticity of information encrypted, applications should discourage user misapprehension by communicating clearly which information has integrity, or is authenticated, confidential, or non-repudiable when multiple processes (e.g., signature and encryption) and algorithms (e.g., symmetric and asymmetric) are used:

1. When an encrypted envelope contains a signature, the signature does not necessarily protect the authenticity or integrity of the ciphertext [ Davis (�폜) ] . (�폜�����܂�) (�NjL) ]. (�NjL�����܂�)

2. While the signature secures plaintext it only covers that which is signed, recipients of encrypted messages must not infer integrity or authenticity of other unsigned information (e.g., headers) within the encrypted envelope, see [ (�폜) XML-DSIG , (�폜�����܂�) (�NjL) XMLDSIG-CORE1 (�NjL�����܂�) (�NjL) ], (�NjL�����܂�) (�NjL) section (�NjL�����܂�) 8.1.1 Only What is Signed is Secure ].

(�폜) 6.2 (�폜�����܂�) (�NjL) 6.3 (�NjL�����܂�) Information Revealed

Where a symmetric key is shared amongst multiple recipients, that symmetric key should only be used for the data intended for all recipients; even if one recipient is not directed to information intended (exclusively) for another in the same symmetric key, the information might be discovered and decrypted.

Additionally, application designers should be careful not to reveal any information in parameters or algorithm identifiers (e.g., information in a URI) that weakens the encryption.

(�폜) 6.3 (�폜�����܂�) (�NjL) 6.4 (�NjL�����܂�) Nonce and IV (Initialization Value or Vector)

An undesirable characteristic of many encryption algorithms and/or their modes is that the same plaintext when encrypted with the same key has the same resulting ciphertext. While this is unsurprising, it invites various attacks which are mitigated by including an arbitrary and non-repeating (under a given key) data with the plaintext prior to encryption. In encryption chaining modes this data is the first to be encrypted and is consequently called the IV (�폜) (initalization (�폜�����܂�) (�NjL) (initialization (�NjL�����܂�) value or vector).

Different algorithms and modes have further requirements on the characteristic of this information (e.g., randomness and secrecy) that affect the features (e.g., confidentiality and integrity) and their (�폜) resistence (�폜�����܂�) (�NjL) resistance (�NjL�����܂�) to attack.

Given that XML data is redundant (e.g., Unicode encodings and repeated tags ) and that attackers may know the data's structure (e.g., DTDs and schemas) encryption algorithms must be carefully implemented and used in this regard.

For the Cipher Block Chaining (CBC) mode used by this specification, the IV must not be reused for any key and should be random, but it need not be secret. Additionally, under this mode an adversary modifying the IV can make a known change in the plain text after decryption. This attack can be avoided by securing the integrity of the plain text data, for example by signing it.

(�NjL) Note: CBC block encryption algorithms should not be used without consideration of possibly severe security risks. (�NjL�����܂�)

(�NjL) For the Galois/Counter Mode (GCM) used by this specification, the IV must not be reused for any key and should be random, but it need not be secret. (�NjL�����܂�)

(�폜) 6.4 (�폜�����܂�) (�NjL) 6.5 (�NjL�����܂�) Denial of Service

This specification permits recursive processing. For example, the following scenario is possible: EncryptedKey A requires EncryptedKey B to be decrypted, which itself requires EncryptedKey A ! Or, an attacker might submit an EncryptedData for decryption that references network resources that are very large or continually redirected. Consequently, implementations should be able to restrict arbitrary recursion and the total amount of processing and networking resources a request can consume.

(�NjL) 6.6 (�NjL�����܂�) Unsafe Content

XML Encryption can be used to obscure, via encryption, content that applications (e.g., firewalls, virus detectors, etc.) consider unsafe (e.g., executable code, viruses, etc.). Consequently, such applications must consider encrypted content to be as unsafe as the unsafest content transported in its application context. Consequently, such applications may choose to (1) disallow such content, (2) require access to the decrypted form for inspection, or (3) ensure that arbitrary content can be safely processed by receiving applications.

(�NjL) 6.7 (�NjL�����܂�)(�NjL) Error Messages (�NjL�����܂�)

(�NjL) Implementations (�NjL�����܂�)(�NjL) should not (�NjL�����܂�)(�NjL) provide detailed error responses related to security algorithm processing. Error messages should be limited to a generic error message to avoid providing information to a potential attacker related to the specifics of the algorithm implementation. For example, if an error occurs in decryption processing the error response should be a generic message providing no specifics on the details of the processing error. (�NjL�����܂�)

(�NjL) 6.8 (�NjL�����܂�)(�NjL) Timing Attacks (�NjL�����܂�)

(�NjL) It has been known for some time that it is feasible for an attacker to recover keys or cleartext by repeatedly sending chosen ciphertext and measuring the time required to process different requests with different types of errors. It has been demonstrated that attacks of this type are practical even when communicating over large and busy networks, especially if the receiver is willing to process large numbers of ciphertext blocks. (�NjL�����܂�)

(�NjL) Implementers (�NjL�����܂�)(�NjL) should (�NjL�����܂�)(�NjL) ensure that distinct errors detected during security algorithm processing do not consume systematically different amounts of processing time from each other. Implementers (�NjL�����܂�)(�NjL) should (�NjL�����܂�)(�NjL) consult the technical literature for more details on specific attacks and recommended countermeasures. (�NjL�����܂�)

(�NjL) Deployments (�NjL�����܂�)(�NjL) should (�NjL�����܂�)(�NjL) treat as suspect inputs when a large number of security algorithm processing errors are detected within a short period of time, especially in messages from the same origin. (�NjL�����܂�)

(�NjL) 6.9 (�NjL�����܂�)(�NjL) CBC Block Encryption Vulnerability (�NjL�����܂�)

(�NjL) Note (�NjL�����܂�):(�NjL) CBC block encryption algorithms should not be used without consideration of (�NjL�����܂�)(�NjL) possibly severe security risks (�NjL�����܂�).

8.1 Introduction

XML Encryption Syntax and Processing (�폜) [ XML-Encryption ] (�폜�����܂�) (�NjL) (XMLENC-CORE1, this document) (�NjL�����܂�) specifies a process for encrypting data and representing the result in XML. The data may be arbitrary data (including an XML document), an XML element, or XML element content. The result of encrypting data is an XML Encryption element which contains or references the cipher data.

The application/xenc+xml media type allows XML Encryption applications to identify encrypted documents. Additionally it allows applications cognizant of this media-type (even if they are not XML Encryption implementations) to note that the media type of the decrypted (original) object might be a type other than XML.

8.2 application/xenc+xml Registration

This is a media type registration as defined in Multipurpose Internet Mail Extensions (MIME) Part Four: Registration Procedures [ MIME-REG ]

(�폜) MIME media type (�폜�����܂�) (�NjL) Type (�NjL�����܂�) name: application

(�폜) MIME subtype (�폜�����܂�) (�NjL) Subtype (�NjL�����܂�) name: xenc+xml

Required parameters: none

Optional parameters: charset

The allowable and recommended values for, and interpretation of the charset parameter are identical to those given for 'application/xml' in section 3.2 of RFC 3023 [ XML-MT ].

Encoding considerations:

The encoding considerations are identical to those given for 'application/xml' in section 3.2 of RFC 3023 [ XML-MT ].

Security considerations:

See the (�폜) [ XML-Encryption ] (�폜�����܂�) (�NjL) (XMLENC-CORE1, this document) (�NjL�����܂�) Security Considerations section.

Interoperability considerations: none

Published specification: (�폜) [ XML-Encryption ] (�폜�����܂�) (�NjL) (XMLENC-CORE1, this document) (�NjL�����܂�)

Applications which use this media type:

XML Encryption is device-, platform-, and vendor-neutral and is supported by a range of Web applications.

Additional Information:

Magic number(s): none

Although no byte sequences can be counted on to consistently identify XML Encryption documents, (�폜) they (�폜�����܂�) (�NjL) there (�NjL�����܂�) will be XML documents in which the root element's QName 's LocalPart is 'EncryptedData' or ' EncryptedKey ' with an associated namespace name of ' http://www.w3.org/2001/04/xmlenc# '. The application/xenc+xml type name (�폜) MUST (�폜�����܂�) (�NjL) must (�NjL�����܂�) only be used for data objects in which the root element is from the XML Encryption namespace. XML documents which contain these element types in places other than the root element can be described using facilities such as [ (�폜) XML-schema (�폜�����܂�) (�NjL) XMLSCHEMA-1 (�NjL�����܂�) (�NjL) ], [ (�NjL�����܂�)(�NjL) XMLSCHEMA-2 (�NjL�����܂�) ].

File extension(s): .xml

Macintosh File Type Code(s): "TEXT"

Person & email address to contact for further information:

(�폜) Joseph Reagle <reagle@w3.org> XENC Working Group <xml-encryption@w3.org> (�폜�����܂�) (�NjL) World Wide Web Consortium <web-human at w3.org> (�NjL�����܂�)

Intended usage: COMMON

Author/Change controller:

The XML Encryption specification is a work product of the World Wide Web Consortium (�폜) (W3C) (�폜�����܂�) (�NjL) ( (�NjL�����܂�)(�NjL) W3C (�NjL�����܂�)(�NjL) ) (�NjL�����܂�) which has change control over the specification.

(�NjL) 9.1 (�NjL�����܂�)(�NjL) XSD Schema (�NjL�����܂�)

(�NjL) XML Encryption Core (�NjL�����܂�) Schema (�NjL) Instance (�NjL�����܂�)

xenc-schema.xsd

(�NjL) XML Encryption 1.1 Schema Instance (�NjL�����܂�)

(�NjL) xenc-schema11.xsd (�NjL�����܂�)

(�NjL) This schema document defines the additional material defined in XML Encryption 1.1. (�NjL�����܂�)

Example (�NjL) (non-normative) (�NjL�����܂�)

enc-example.xml (not cryptographically valid but (�폜) excercises (�폜�����܂�) (�NjL) exercises (�NjL�����܂�) much of the schema)

(�NjL) 9.2 (�NjL�����܂�)(�NjL) RNG Schema (�NjL�����܂�)

(�NjL) This section is non-normative. (�NjL�����܂�)

(�NjL) Non-normative RELAX NG schema [ (�NjL�����܂�)(�NjL) RELAXNG-SCHEMA (�NjL�����܂�) (�NjL) ] information is available in a separate document [ (�NjL�����܂�)(�NjL) XMLSEC-RELAXNG (�NjL�����܂�) (�NjL) ]. (�NjL�����܂�)

(�NjL) A.1 (�NjL�����܂�)(�NjL) AES KeyWrap with Padding (�NjL�����܂�)

(�NjL) This section is non-normative. (�NjL�����܂�)

(�NjL) Identifiers: (�NjL�����܂�)

(�폜) TRIPLEDES (�폜�����܂�) (�NjL) http://www.w3.org/2009/xmlenc11#kw-aes-128-pad (�NjL�����܂�)

(�폜) ANSI X9.52: Triple Data Encryption Algorithm Modes of Operation. 1998. (�폜�����܂�) (�NjL) http://www.w3.org/2009/xmlenc11#kw-aes-192-pad (�NjL�����܂�)

(�NjL) http://www.w3.org/2009/xmlenc11#kw-aes-256-pad (�NjL�����܂�)

(�NjL) These identifiers are reserved for symmetric key wrapping using the (�NjL�����܂�) AES (�NjL) key wrap with padding algorithm with a 128, 192, and 256 bit AES key encrypting key, respectively. Implementation of AES key wrap with padding is defined in [ (�NjL�����܂�)(�NjL) AES-WRAP-PAD (�NjL�����܂�) (�NjL) ]. The algorithm is defined for inputs between 9 and 2^32 octets. Unlike the unpadded AES Key Wrap algorithm, the input length is not constrained to multiples of 64 bits (8 octets). (�NjL�����܂�)

(�NjL) Note that the wrapped key will be distinct from the one generated by the unpadded AES Key Wrap algorithm, even if the input length is a multiple of 64 bits. (�NjL�����܂�)

(�NjL) B.1 (�NjL�����܂�)(�NjL) Normative references (�NjL�����܂�)

(�NjL) [AES] (�NjL�����܂�)

NIST FIPS 197: Advanced Encryption Standard (AES) . November 2001. (�NjL) URL: (�NjL�����܂�) http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

(�폜) AES-WRAP (�폜�����܂�)

(�NjL) [AES-WRAP] (�NjL�����܂�)

(�NjL) J. Schaad and R. Housley. (�NjL�����܂�) RFC3394: Advanced Encryption Standard (AES) Key Wrap Algorithm . (�폜) J. Schaad and R. Housley. Informational, (�폜�����܂�) (�NjL) IETF Informational RFC, (�NjL�����܂�) September 2002. (�폜) CMS-Algorithms (�폜�����܂�) (�NjL) URL: (�NjL�����܂�)(�NjL) http://www.rfc-editor.org/rfc/rfc3394.txt (�NjL�����܂�)

(�NjL) [AES-WRAP-PAD] (�NjL�����܂�)

(�NjL) R. Housley, M. Dworkin. (�NjL�����܂�)(�NjL) RFC 5649: Advanced Encryption Standard (AES) Key Wrap with Padding Algorithm (�NjL�����܂�) (�폜) RFC3370: Cryptographic Message Syntax (CMS) Algorithms (�폜�����܂�) . (�폜) R. Housley. Informational, February 2002. (�폜�����܂�) (�NjL) IETF Informational RFC, August 2009. URL: (�NjL�����܂�)(�NjL) http://www.ietf.org/rfc/rfc5649.txt (�NjL�����܂�).

(�NjL) [ANSI-X9-44-2007] (�NjL�����܂�)

(�폜) http://www.ietf.org/rfc/rfc3370.txt (�폜�����܂�) (�NjL) ANSI X9.44-2007: Key Establishment Using Integer Factorization Cryptography. (�NjL�����܂�) (�폜) CMS-Wrap (�폜�����܂�) (�NjL) URL: (�NjL�����܂�)(�NjL) http://webstore.ansi.org/RecordDetail.aspx?sku=ANSI+X9.44-2007 (�NjL�����܂�)

(�NjL) [CMS-WRAP] (�NjL�����܂�)

(�NjL) R. Housley. (�NjL�����܂�) RFC3217: Triple-DES and (�폜) RC2 (�폜�����܂�) (�NjL) R2 (�NjL�����܂�) Key Wrapping . (�폜) R. Housley. Informational, (�폜�����܂�) (�NjL) IETF Informational RFC, (�NjL�����܂�) December 2001. (�NjL) URL: (�NjL�����܂�) http://www.ietf.org/rfc/rfc3217.txt

(�폜) Davis (�폜�����܂�)

(�NjL) [DES] (�NjL�����܂�)

(�폜) Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML. D. Davis. USENIX Annual Technical Conference. 2001. http://www.usenix.org/publications/library/proceedings/usenix01/davis.html DES (�폜�����܂�)

NIST FIPS 46-3: Data Encryption Standard (�NjL) (DES) (�NjL�����܂�) (�폜) (DES). (�폜�����܂�) (�NjL) . (�NjL�����܂�) October 1999. (�NjL) URL: (�NjL�����܂�) http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf

(�폜) EncReq (�폜�����܂�)

(�NjL) [ESDH] (�NjL�����܂�)

(�폜) XML Encryption Requirements . J. Reagle. W3C Note, March 2002. http://www.w3.org/TR/2002/NOTE-xml-encryption-req-20020304 ESDH (�폜�����܂�)

(�NjL) E. Rescorla. (�NjL�����܂�) (�폜) RFC 2631: (�폜�����܂�) Diffie-Hellman Key Agreement Method. (�폜) E. Rescorla. (�폜�����܂�) . (�NjL) IETF RFC 2631 (�NjL�����܂�) Standards Track, 1999. (�NjL) URL: (�NjL�����܂�) http://www.ietf.org/rfc/rfc2631.txt

(�폜) http://www.w3.org/TR/2002/CR-xml-exc-c14n-20020212 (�폜�����܂�)

(�NjL) [EXI] (�NjL�����܂�)

(�NjL) Takuki Kamiya; John Schneider. (�NjL�����܂�)(�NjL) Efficient XML Interchange (EXI) Format 1.0. (�NjL�����܂�) (�폜) Glossary (�폜�����܂�) (�NjL) 8 December 2009. W3C Candidate Recommendation. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2009/CR-exi-20091208/ (�NjL�����܂�)

(�NjL) [FIPS-180-3] (�NjL�����܂�)

(�폜) RFC 2828: Internet Security Glossary (�폜�����܂�) (�NjL) FIPS PUB 180-3 Secure Hash Standard (�NjL�����܂�) . (�폜) R Shirey. Informational, May 2000. (�폜�����܂�) (�NjL) U.S. Department of Commerce/National Institute of Standards and Technology. URL: (�NjL�����܂�)(�NjL) http://csrc.nist.gov/publications/fips/fips180-3/fips180-3_final.pdf (�NjL�����܂�)

(�NjL) [FIPS-186-3] (�NjL�����܂�)

(�폜) http://www.ietf.org/rfc/rfc2828.txt (�폜�����܂�) (�NjL) FIPS PUB 186-3: Digital Signature Standard (DSS) (�NjL�����܂�) (�폜) HMAC (�폜�����܂�) . (�NjL) June 2009. U.S. Department of Commerce/National Institute of Standards and Technology. URL: (�NjL�����܂�)(�NjL) http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf (�NjL�����܂�)

(�NjL) [HMAC] (�NjL�����܂�)

(�NjL) H. Krawczyk, M. Bellare, R. Canetti. (�NjL�����܂�) (�폜) RFC 2104: (�폜�����܂�) HMAC: Keyed-Hashing for Message Authentication . (�폜) H. Krawczyk, M. Bellare, and R. Canetti. Informational, (�폜�����܂�) February 1997. (�NjL) IETF RFC 2104. URL: (�NjL�����܂�) http://www.ietf.org/rfc/rfc2104.txt

(�폜) HTTP (�폜�����܂�)

(�NjL) [NFC] (�NjL�����܂�)

(�NjL) M. Davis, Ken Whistler. (�NjL�����܂�) (�폜) RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1. (�폜�����܂�) (�NjL) TR15, Unicode Normalization Forms. (�NjL�����܂�).(�NjL) 17 September 2010, URL: (�NjL�����܂�)(�NjL) http://www.unicode.org/reports/tr15/ (�NjL�����܂�)

(�NjL) [PKCS1] (�NjL�����܂�)

J. (�폜) Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, (�폜�����܂�) (�NjL) Jonsson (�NjL�����܂�) and (�폜) T. Berners-Lee. (�폜�����܂�) (�NjL) B. Kaliski. (�NjL�����܂�)(�NjL) Public-Key Cryptography (�NjL�����܂�) Standards (�폜) Track, June 1999. (�폜�����܂�) (�NjL) (PKCS) #1: RSA Cryptography Specifications Version 2.1. (�NjL�����܂�) (�폜) http://www.ietf.org/rfc/rfc2616.txt (�폜�����܂�) (�폜) KEYWORDS (�폜�����܂�) (�NjL) RFC 3447 (Informational), February 2003. URL: (�NjL�����܂�)(�NjL) http://www.ietf.org/rfc/rfc3447.txt (�NjL�����܂�)

(�NjL) [PKCS5] (�NjL�����܂�)

(�NjL) B. Kaliski. (�NjL�����܂�) (�NjL) PKCS #5 v2.0: Password-Based Cryptography Standard (�NjL�����܂�) (�NjL) IETF (�NjL�����܂�) RFC (�폜) 2119: Key words for use in RFCs to Indicate Requirement Levels. (�폜�����܂�) (�NjL) 2898. September 2000. URL: (�NjL�����܂�)(�NjL) http://www.ietf.org/rfc/rfc2898.txt (�NjL�����܂�) (�폜) S. Bradner. Best Current Practice, March 1997. (�폜�����܂�)

(�NjL) [PKCS5Amd1] (�NjL�����܂�)

(�폜) http://www.ietf.org/rfc/rfc2119.txt (�폜�����܂�) (�NjL) PKCS #5 v2.0 Amendment 1: XML Schema for Password-Based Cryptography (�NjL�����܂�) (�폜) MD5 (�폜�����܂�) (�NjL) RSA Laboratories, March 2007. URL: (�NjL�����܂�)(�NjL) ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-5v2/pkcs-5v2-0a1.pdf (�NjL�����܂�)

(�NjL) [RANDOM] (�NjL�����܂�)

(�폜) RFC 1321: The MD5 Message-Digest Algorithm. R. Rivest. Informational, April 1992. (�폜�����܂�)

(�NjL) D. Eastlake, S. Crocker, J. Schiller. (�NjL�����܂�) (�폜) http://www.ietf.org/rfc/rfc1321.txt (�폜�����܂�) (�NjL) Randomness Recommendations for Security. (�NjL�����܂�) (�폜) MIME (�폜�����܂�) . (�NjL) IETF RFC 4086. June 2005. URL: (�NjL�����܂�)(�NjL) http://www.ietf.org/rfc/rfc4086.txt (�NjL�����܂�)

(�NjL) [RFC2045] (�NjL�����܂�)

(�NjL) N. Freed and N. Borenstein. (�NjL�����܂�) (�폜) RFC 2045: (�폜�����܂�) Multipurpose Internet Mail Extensions (MIME) Part One: Format of Internet Message (�폜) Bodies . N. Freed and N. Borenstein. Standards Track, (�폜�����܂�) (�NjL) Bodies. (�NjL�����܂�) November 1996. (�NjL) URL: (�NjL�����܂�) http://www.ietf.org/rfc/rfc2045.txt

(�폜) MIME-REG (�폜�����܂�)

(�NjL) [RFC2119] (�NjL�����܂�)

(�NjL) S. Bradner. (�NjL�����܂�)(�NjL) Key words for use in RFCs to Indicate Requirement Levels. (�NjL�����܂�) (�NjL) March 1997. Internet RFC 2119. URL: (�NjL�����܂�)(�NjL) http://www.ietf.org/rfc/rfc2119.txt (�NjL�����܂�)

(�NjL) [RFC4055] (�NjL�����܂�)

(�NjL) J. Schaad, B. Kaliski, R. Housley. (�NjL�����܂�) (�폜) RFC 2048: Multipurpose (�폜�����܂�) (�NjL) Additional Algorithms and Identifiers for RSA Cryptography for use in the (�NjL�����܂�) Internet (�폜) Mail Extensions (MIME) Part Four: Registration Procedures . N. Freed, J. Klensin, (�폜�����܂�) (�NjL) X.509 Public Key Infrastructure Certificate (�NjL�����܂�) and (�폜) J. Postel. Best Current Practice, November 1996. (�폜�����܂�) (�NjL) Certificate Revocation List (CRL) Profile (�NjL�����܂�) (�폜) http://www.ietf.org/rfc/rfc2048.txt (�폜�����܂�) . (�NjL) June 2005. IETF RFC 4055. URL: (�NjL�����܂�)(�NjL) http://www.ietf.org/rfc/rfc4055.txt (�NjL�����܂�)

(�폜) NFC (�폜�����܂�)

(�NjL) [RIPEMD-160] (�NjL�����܂�)

(�폜) TR15, Unicode Normalization Forms . M. Davis (�폜�����܂�) (�NjL) B. Preneel, A. Bosselaers, (�NjL�����܂�) and (�폜) M. D?rst. Revision 18: November 1999. (�폜�����܂�) (�NjL) H. Dobbertin. (�NjL�����܂�) (�폜) http://www.unicode.org/unicode/reports/tr15/tr15-18.html . (�폜�����܂�) (�NjL) The Cryptographic Hash Function RIPEMD-160 (�NjL�����܂�) (�폜) NFC-Corrigendum (�폜�����܂�) . (�NjL) CryptoBytes, Volume 3, Number 2. pp. 9-14, RSA Laboratories 1997. URL: (�NjL�����܂�)(�NjL) http://www.cosic.esat.kuleuven.be/publications/article-317.pdf (�NjL�����܂�)

(�NjL) [SP800-38D] (�NjL�����܂�)

(�NjL) M. Dworkin. (�NjL�����܂�)(�NjL) NIST Special Publication 800-38D: Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC (�NjL�����܂�) (�폜) Corrigendum #2: Yod with Hiriq Normalization (�폜�����܂�) . (�NjL) November 2007 URL: (�NjL�����܂�)(�NjL) http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf (�NjL�����܂�)

(�NjL) [SP800-56A] (�NjL�����܂�)

(�폜) http://www.unicode.org/versions/corrigendum2.html . (�폜�����܂�) (�폜) prop1 (�폜�����܂�) (�NjL) NIST Special Publication 800-56A: Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised) (�NjL�����܂�).(�NjL) March 2007 URL: (�NjL�����܂�)(�NjL) http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf (�NjL�����܂�)

(�NjL) [SP800-67] (�NjL�����܂�)

(�폜) XML (�폜�����܂�) (�NjL) Recommendation for the Triple Data (�NjL�����܂�) Encryption (�폜) strawman proposal . E. Simon (�폜�����܂�) (�NjL) Algorithm (TDEA) Block Cipher, Revised January 2012. (�NjL�����܂�) (�NjL) SP-800-67 Revision 1. U.S. Department of Commerce/National Institute of Standards (�NjL�����܂�) and (�폜) B. LaMacchia. Aug 2000. (�폜�����܂�) (�NjL) Technology. URL: (�NjL�����܂�)(�NjL) http://csrc.nist.gov/publications/nistpubs/800-67-Rev1/SP-800-67-Rev1.pdf (�NjL�����܂�)

(�폜) http://lists.w3.org/Archives/Public/xml-encryption/2000Aug/0001.html (�폜�����܂�)

(�NjL) [URI] (�NjL�����܂�)

(�NjL) T. Berners-Lee; R. Fielding; L. Masinter. (�NjL�����܂�) (�폜) prop2 (�폜�����܂�) (�NjL) Uniform Resource Identifiers (URI): generic syntax. (�NjL�����܂�) (�NjL) January 2005. Internet RFC 3986. URL: (�NjL�����܂�)(�NjL) http://www.ietf.org/rfc/rfc3986.txt (�NjL�����܂�)

(�NjL) [XML-ENCRYPTION-REQ] (�NjL�����܂�)

(�NjL) Joseph Reagle. (�NjL�����܂�) (�폜) Another proposal of (�폜�����܂�) XML Encryption (�폜) . T. Imamura. Aug 2000. (�폜�����܂�) (�NjL) Requirements. (�NjL�����܂�) (�폜) http://lists.w3.org/Archives/Public/xml-encryption/2000Aug/0005.html (�폜�����܂�) (�폜) prop3 (�폜�����܂�) (�NjL) 4 March 2002. W3C Note. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2002/NOTE-xml-encryption-req-20020304 (�NjL�����܂�)

(�NjL) [XML-NAMES] (�NjL�����܂�)

(�NjL) Richard Tobin et al. (�NjL�����܂�) (�NjL) Namespaces in (�NjL�����܂�) XML (�폜) Encryption Syntax and Processing . B. Dillaway, B. Fox, T. Imamura, B. LaMacchia, H. Maruyama, J. Schaad, and E. Simon. December 2000. (�폜�����܂�) (�NjL) 1.0 (Third Edition). (�NjL�����܂�) (�폜) http://lists.w3.org/Archives/Public/xml-encryption/2000Dec/att-0024/01-XMLEncryption_v01.html (�폜�����܂�) (�폜) PKCS1 (�폜�����܂�) (�NjL) 8 December 2009. W3C Recommendation. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2009/REC-xml-names-20091208/ (�NjL�����܂�)

(�NjL) [XML10] (�NjL�����܂�)

(�폜) RFC 2437: PKCS #1: RSA Cryptography Specifications Version 2.0. B. Kaliski and J. Staddon. Informational, October 1998. (�폜�����܂�)

(�NjL) C. M. Sperberg-McQueen et al. (�NjL�����܂�) (�폜) http://www.ietf.org/rfc/rfc2437.txt (�폜�����܂�) (�NjL) Extensible Markup Language (XML) 1.0 (Fifth Edition). (�NjL�����܂�) (�폜) RANDOM (�폜�����܂�) (�NjL) 26 November 2008. W3C Recommendation. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2008/REC-xml-20081126/ (�NjL�����܂�)

(�NjL) [XMLDSIG-CORE1] (�NjL�����܂�)

(�폜) RFC 1750: Randomness Recommendations for Security . (�폜�����܂�)

D. Eastlake, (�폜) S. Crocker, and (�폜�����܂�) J. (�폜) Schiller. Informational, December 1994. http://www.ietf.org/rfc/rfc1750.txt (�폜�����܂�) (�NjL) Reagle, D. Solo, F. Hirsch, T. Roessler, K. Yiu. (�NjL�����܂�) (�NjL) XML Signature Syntax and Processing Version 1.1. (�NjL�����܂�) (�폜) RIPEMD-160 (�폜�����܂�) (�폜) CryptoBytes, Volume 3, Number 2. The Cryptographic Hash Function RIPEMD-160 . RSA Laboratories. Autumn 1997. ftp://ftp.rsasecurity.com/pub/cryptobytes/crypto3n2.pdf (�폜�����܂�) (�NjL) 24 January 2013. W3C Proposed Recommendation. (Work in progress) URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2013/PR-xmldsig-core1-20130124/ (�NjL�����܂�)

(�폜) http://www.esat.kuleuven.ac.be/~cosicart/pdf/AB-9601/AB-9601.pdf (�폜�����܂�)

(�NjL) [XMLSCHEMA-1] (�NjL�����܂�)

(�NjL) Henry S. Thompson et al. (�NjL�����܂�) (�폜) SHA (�폜�����܂�) (�NjL) XML Schema Part 1: Structures Second Edition. (�NjL�����܂�) (�폜) Secure Hash Standard . (�폜�����܂�) (�폜) NIST FIPS 180-1. ( RFC 3174 (�폜�����܂�) (�NjL) 28 October 2004. W3C Recommendation. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2004/REC-xmlschema-1-20041028/ (�NjL�����܂�) (�폜) ). April 1995. (�폜�����܂�)

(�폜) http://www.itl.nist.gov/fipspubs/fip180-1.htm (�폜�����܂�)

(�NjL) [XMLSCHEMA-2] (�NjL�����܂�)

(�폜) Secure Hash Standard. NIST Draft FIPS 180-2 . 2001. (Extended to include SHA-384, SHA-256, and SHA-512) (�폜�����܂�)

(�NjL) Paul V. Biron; Ashok Malhotra. (�NjL�����܂�) (�폜) http://csrc.nist.gov/encryption/shs/dfips-180-2.pdf (�폜�����܂�) (�NjL) XML Schema Part 2: Datatypes Second Edition. (�NjL�����܂�) (�폜) Tobin (�폜�����܂�) (�NjL) 28 October 2004. W3C Recommendation. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2004/REC-xmlschema-2-20041028/ (�NjL�����܂�)

(�NjL) [XPATH] (�NjL�����܂�)

(�폜) R. Tobin. Infoset for external entities , (�폜�����܂�) (�NjL) James Clark; Steven DeRose. (�NjL�����܂�) XML (�폜) Core mailing list, 2000 [ (�폜�����܂�) (�NjL) Path Language (XPath) Version 1.0. (�NjL�����܂�) (�NjL) 16 November 1999. (�NjL�����܂�) W3C (�폜) Member Only (�폜�����܂�) (�NjL) Recommendation. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/1999/REC-xpath-19991116/ (�NjL�����܂�) (�폜) ]. (�폜�����܂�)

(�폜) http://lists.w3.org/Archives/Member/w3c-xml-core-wg/2000OctDec/0054 (�폜�����܂�)

(�NjL) B.2 (�NjL�����܂�)(�NjL) Informative references (�NjL�����܂�)

(�NjL) [Davis] (�NjL�����܂�)

(�폜) RFC 2781: UTF-16, an encoding of ISO 10646. P. Hoffman and F. Yergeau. Informational, February 2000. (�폜�����܂�)

(�폜) http://www.ietf.org/rfc/rfc2781.txt (�폜�����܂�) (�NjL) Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML. (�NjL�����܂�) (�폜) UTF-8 (�폜�����܂�) (�NjL) D. Davis. USENIX Annual Technical Conference. 2001. URL: (�NjL�����܂�)(�NjL) http://www.usenix.org/publications/library/proceedings/usenix01/davis.html (�NjL�����܂�)

(�NjL) [ECC-ALGS] (�NjL�����܂�)

(�NjL) D. McGrew; K. Igoe; M. Salter. (�NjL�����܂�) RFC (�폜) 2279: UTF-8, a transformation format of ISO 10646F. F. Yergeau. Standards Track, January 1998. (�폜�����܂�) (�NjL) 6090: Fundamental Elliptic Curve Cryptography Algorithms. (�NjL�����܂�) (�폜) http://www.ietf.org/rfc/rfc2279.txt (�폜�����܂�) (�폜) URI (�폜�����܂�) (�NjL) February 2011. IETF Informational RFC. URL: (�NjL�����܂�)(�NjL) http://www.rfc-editor.org/rfc/rfc6090.txt (�NjL�����܂�)

(�NjL) [MIME-REG] (�NjL�����܂�)

(�NjL) N. Freed, J. Klensin. (�NjL�����܂�) RFC (�폜) 2396: Uniform Resource Identifiers (URI): Generic Syntax (�폜�����܂�) (�NjL) 4289: Multipurpose Internet Mail Extensions (MIME) Part Four: Registration Procedures (�NjL�����܂�) . (�폜) T. Berners-Lee, R. Fielding, and L. Masinter. Standards Track, August 1998. (�폜�����܂�) (�NjL) December 2005. Best Current Practice. URL: (�NjL�����܂�)(�NjL) http://www.ietf.org/rfc/rfc4289.txt (�NjL�����܂�)

(�폜) http://www.ietf.org/rfc/rfc2396.txt (�폜�����܂�)

(�NjL) [OAEP-ATTACK] (�NjL�����܂�)

(�NjL) Manger, James. (�NjL�����܂�) (�폜) http://www.ietf.org/rfc/rfc1738.txt (�폜�����܂�) (�NjL) A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 (�NjL�����܂�) . (�NjL) URL: (�NjL�����܂�)(�NjL) http://archiv.infsec.ethz.ch/education/fs08/secsem/Manger01.pdf (�NjL�����܂�)

(�폜) http://www.ietf.org/rfc/rfc2141.txt (�폜�����܂�)

(�NjL) [RELAXNG-SCHEMA] (�NjL�����܂�)

(�폜) RFC 2611: URN Namespace (�폜�����܂�) (�NjL) Information technology -- Document Schema (�NjL�����܂�) Definition (�폜) Mechanisms. Best Current Practices. Daigle, D. van Gulik, R. Iannella, P. Falstrom. June 1999. (�폜�����܂�) (�NjL) Language (DSDL) -- Part 2: Regular-grammar-based validation -- RELAX NG (�NjL�����܂�) (�폜) http://www.ietf.org/rfc/rfc2611.txt (�폜�����܂�) . (�NjL) ISO/IEC 19757-2:2008. URL: (�NjL�����܂�)(�NjL) http://standards.iso.org/ittf/PubliclyAvailableStandards/c052348_ISO_IEC_19757-2_2008(E).zip (�NjL�����܂�)

(�폜) X509v3 (�폜�����܂�)

(�NjL) [RFC3218] (�NjL�����܂�)

(�폜) ITU-T Recommendation X.509 version 3 (1997). "Information Technology - Open Systems Interconnection - The Directory Authentication Framework" ISO/IEC 9594-8:1997. (�폜�����܂�) (�NjL) Rescorla; E. (�NjL�����܂�) (�폜) XML (�폜�����܂�) (�NjL) Preventing the Million Message Attack on Cryptographic Message Syntax. (�NjL�����܂�) (�NjL) January 2002. Informational RFC 3218. URL: (�NjL�����܂�)(�NjL) http://tools.ietf.org/html/rfc3218 (�NjL�����܂�)

(�NjL) [SHA-1-Analysis] (�NjL�����܂�)

(�폜) Extensible Markup Language (XML) 1.0 (Second Edition) . T. Bray, J. Paoli, C. M. Sperberg-McQueen, (�폜�����܂�)

(�NjL) McDonald, C., Hawkes, P., (�NjL�����܂�) and (�폜) E. Maler. W3C Recommendation, October 2000. (�폜�����܂�) (�NjL) J. Pieprzyk. (�NjL�����܂�) (�폜) XML-Base (�폜�����܂�) (�NjL) SHA-1 collisions now 2 (�NjL�����܂�)^{(�NjL) 52 (�NjL�����܂�)}.(�NjL) EuroCrypt 2009 Rump session. URL: (�NjL�����܂�)(�NjL) http://eurocrypt2009rump.cr.yp.to/837a0a8086fa6ca714249409ddfae43d.pdf (�NjL�����܂�)

(�NjL) [SHA-1-Collisions] (�NjL�����܂�)

(�NjL) X. Wang, Y.L. Yin, H. Yu. (�NjL�����܂�)(�NjL) Finding Collisions in the Full SHA-1 (�NjL�����܂�) (�폜) XML Base (�폜�����܂�) . (�폜) J. Marsh. W3C Recommendation, June 2001. (�폜�����܂�) (�NjL) In Shoup, V., editor, Advances in Cryptology - CRYPTO 2005, 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings, volume 3621 of LNCS, pages 17�?36. Springer, 2005. URL: (�NjL�����܂�)(�NjL) http://people.csail.mit.edu/yiqun/SHA1AttackProceedingVersion.pdf (�NjL�����܂�) (�NjL) (also published in (�NjL�����܂�)(�NjL) http://www.springerlink.com/content/26vljj3xhc28ux5m/ (�NjL�����܂�) (�NjL) ) (�NjL�����܂�)

(�폜) http://www.w3.org/TR/2001/REC-xmlbase-20010627/ (�폜�����܂�)

(�NjL) [Tobin] (�NjL�����܂�)

(�NjL) R. Tobin. (�NjL�����܂�) (�폜) XML-C14N (�폜�����܂�) (�NjL) Infoset for external entities. (�NjL�����܂�) (�NjL) 2000. URL: (�NjL�����܂�)(�NjL) http://lists.w3.org/Archives/Member/w3c-xml-core-wg/2000OctDec/0054 (�NjL�����܂�) (�NjL) [XML Core mailing list, (�NjL�����܂�)(�NjL) W3C Member Only (�NjL�����܂�) (�NjL) ]. (�NjL�����܂�)

(�NjL) [XML-C14N] (�NjL�����܂�)

(�NjL) John Boyer. (�NjL�����܂�) Canonical (�폜) XML. (�폜�����܂�) (�NjL) XML Version 1.0. (�NjL�����܂�) (�폜) J. Boyer. W3C Recommendation, (�폜�����܂�) (�NjL) 15 (�NjL�����܂�) March 2001. (�NjL) W3C Recommendation. URL: (�NjL�����܂�) http://www.w3.org/TR/2001/REC-xml-c14n-20010315

(�폜) http://www.ietf.org/rfc/rfc3076.txt (�폜�����܂�)

(�NjL) [XML-C14N11] (�NjL�����܂�)

(�NjL) John Boyer; Glenn Marcy. (�NjL�����܂�) (�폜) XML-exc-C14N (�폜�����܂�) (�NjL) Canonical XML Version 1.1. (�NjL�����܂�) (�NjL) 2 May 2008. W3C Recommendation. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2008/REC-xml-c14n11-20080502/ (�NjL�����܂�)

(�NjL) [XML-EXC-C14N] (�NjL�����܂�)

(�NjL) Donald E. Eastlake 3rd; Joseph Reagle; John Boyer. (�NjL�����܂�) Exclusive XML Canonicalization (�폜) . J. Boyer, D. Eastlake, and J. Reagle. W3C Recommendation, (�폜�����܂�) (�NjL) Version 1.0. (�NjL�����܂�) (�NjL) 18 (�NjL�����܂�) July 2002. (�NjL) W3C Recommendation. URL: (�NjL�����܂�) http://www.w3.org/TR/2002/REC-xml-exc-c14n-20020718/

(�폜) XML-DSIG (�폜�����܂�)

(�NjL) [XML-INFOSET] (�NjL�����܂�)

(�폜) XML-Signature Syntax and Processing . D. Eastlake, J. Reagle, and D. Solo. W3C Recommendation, February 2002. (�폜�����܂�)

(�NjL) John Cowan; Richard Tobin. (�NjL�����܂�) (�폜) http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/ (�폜�����܂�) (�NjL) XML Information Set (Second Edition). (�NjL�����܂�) (�폜) XML-DSIG-Decrypt (�폜�����܂�) (�NjL) 4 February 2004. W3C Recommendation. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2004/REC-xml-infoset-20040204/ (�NjL�����܂�)

(�NjL) [XML-MT] (�NjL�����܂�)

(�폜) Decryption Transform for XML Signature . M. Hughes, T. Imamura and H. Maruyama. W3C Recommendation, December 2002. (�폜�����܂�)

(�NjL) M. Murata, S. St.Laurent, D. Kohn. (�NjL�����܂�) (�폜) http://www.w3.org/TR/2002/REC-xmlenc-decrypt-20021210 (�폜�����܂�) (�NjL) XML Media Types (�NjL�����܂�) . (�NjL) IETF RFC 3023. URL: (�NjL�����܂�)(�NjL) http://www.ietf.org/rfc/rfc3023.txt (�NjL�����܂�).

(�폜) XML-Encryption (�폜�����܂�)

(�NjL) [XMLBASE] (�NjL�����܂�)

(�NjL) Jonathan Marsh; Richard Tobin. (�NjL�����܂�) XML (�폜) Encryption Syntax and Processing . D. Eastlake and J. Reagle. (�폜�����܂�) (�NjL) Base (Second Edition). (�NjL�����܂�) (�NjL) 28 January 2009. (�NjL�����܂�) W3C (�폜) Candidate Recommendation, December 2002. (�폜�����܂�) (�NjL) Recommendation. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2009/REC-xmlbase-20090128/ (�NjL�����܂�)

(�폜) http://www.w3.org/TR/2002/CR-xmlenc-core-20020802/ (�폜�����܂�)

(�NjL) [XMLENC-BACKWARDS-COMP] (�NjL�����܂�)

(�NjL) Tibor Jager, Kenneth G. Paterson, Juraj Somorovsky. (�NjL�����܂�)(�NjL) One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography. (�NjL�����܂�) (�폜) XML-Infoset (�폜�����܂�) (�NjL) In Proceedings of the Network and Distributed System Security Symposium (NDSS), 2013. URL: (�NjL�����܂�)(�NjL) http://www.nds.ruhr-uni-bochum.de/research/publications/backwards-compatibility/ (�NjL�����܂�)

(�NjL) [XMLENC-CBC-ATTACK] (�NjL�����܂�)

(�NjL) Tibor Jager; Juraj Somorovsky. (�NjL�����܂�) (�NjL) How to Break (�NjL�����܂�) XML (�폜) Information Set . J. Cowan and R. Tobin. W3C Recommendation, October 2001 (�폜�����܂�) (�NjL) Encryption (�NjL�����܂�) (�폜) http://www.w3.org/TR/2001/REC-xml-infoset-20011024/ (�폜�����܂�) (�폜) XML-MT (�폜�����܂�) (�NjL) 17-21 October 2011. CCS�?11, ACM. URL: (�NjL�����܂�)(�NjL) http://www.nds.ruhr-uni-bochum.de/research/publications/breaking-xml-encryption/ (�NjL�����܂�)

(�NjL) [XMLENC-CBC-ATTACK-COUNTERMEASURES] (�NjL�����܂�)

(�NjL) Juraj Somorovsky, J�e�Jrg Schwenk. (�NjL�����܂�) (�폜) RFC 3023: (�폜�����܂�) (�NjL) Technical Analysis of Countermeasures against Attack on (�NjL�����܂�) XML (�폜) Media Types. M. Murata, S. St. Laurent, and D. Kohn. Informational, January 2001. (�폜�����܂�) (�NjL) Encryption - or - Just Another Motivation for Authenticated Encryption (�NjL�����܂�) (�폜) http://www.ietf.org/rfc/rfc2376.txt (�폜�����܂�) . (�NjL) 2011. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/2008/xmlsec/papers/xmlEncCountermeasuresW3C.pdf (�NjL�����܂�)

(�폜) XML-NS (�폜�����܂�)

(�NjL) [XMLENC-CORE1-CHGS] (�NjL�����܂�)

(�NjL) Frederick Hirsch. (�NjL�����܂�) (�폜) Namespaces (�폜�����܂�) (�NjL) Functional Explanation of (�NjL�����܂�) in XML (�NjL) Encryption 1.1 (�NjL�����܂�) . (�폜) T. Bray, D. Hollander, and A. Layman. W3C Recommendation, (�폜�����܂�) (�NjL) 24 (�NjL�����܂�) January (�폜) 1999. http://www.w3.org/TR/1999/REC-xml-names-19990114 (�폜�����܂�) (�NjL) 2013. W3C Working Group Note. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2013/NOTE-xmlenc-core1-explain-20130124/ (�NjL�����܂�)

(�폜) XML-schema (�폜�����܂�)

(�NjL) [XMLENC-DECRYPT] (�NjL�����܂�)

(�NjL) Takeshi Imamura; Merlin Hughes; Hiroshi Maruyama. (�NjL�����܂�) (�NjL) Decryption Transform for (�NjL�����܂�) XML (�폜) Schema Part 1: Structures (�폜�����܂�) (�NjL) Signature. (�NjL�����܂�) (�폜) D. Beech, M. Maloney, and N. Mendelsohn. (�폜�����܂�) (�NjL) 10 December 2002. (�NjL�����܂�) W3C (�폜) Recommendation, May 2001. (�폜�����܂�) (�NjL) Recommendation. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2002/REC-xmlenc-decrypt-20021210 (�NjL�����܂�)

(�폜) http://www.w3.org/TR/2001/REC-xmlschema-1-20010502/ (�폜�����܂�)

(�NjL) [XMLENC-PKCS15-ATTACK] (�NjL�����܂�)

(�NjL) Tibor Jager; Sebastian Schinzel, Juraj Somorovsky. (�NjL�����܂�) (�NjL) Bleichenbacher's Attack Strikes Again: Breaking PKCS#1.5 in (�NjL�����܂�) XML (�폜) Schema Part 2: Datatypes (�폜�����܂�) (�NjL) Encryption (�NjL�����܂�) . (�폜) P. Biron and A. Malhotra. W3C Recommendation, May 2001. (�폜�����܂�) (�NjL) 2012. In Proceedings of the 17th European Symposium on Research in Computer Security (ESO RICS). URL: (�NjL�����܂�)(�NjL) http://www.nds.rub.de/research/publications/breaking-xml-encryption-pkcs15.pdf (�NjL�����܂�)

(�폜) http://www.w3.org/TR/2001/REC-xmlschema-2-20010502/ (�폜�����܂�)

(�NjL) [XMLSEC-RELAXNG] (�NjL�����܂�)

(�NjL) Makoto Murata; Frederick Hirsch. (�NjL�����܂�) (�폜) XPath (�폜�����܂�) (�NjL) XML Security RELAX NG Schemas. (�NjL�����܂�) (�NjL) 24 January 2013. W3C Working Group Note. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2013/NOTE-xmlsec-rngschema-20130124/ (�NjL�����܂�)

(�NjL) [XMLSEC11-REQS] (�NjL�����܂�)

(�NjL) Frederick Hirsch, Thomas Roessler. (�NjL�����܂�) XML (�폜) Path Language (XPath) Version 1.0 . J. Clark (�폜�����܂�) (�NjL) Security 1.1 Requirements (�NjL�����܂�) and (�폜) S. DeRose. (�폜�����܂�) (�NjL) Design Considerations. (�NjL�����܂�) (�NjL) 24 January 2013. (�NjL�����܂�) W3C (�폜) Recommendation, October 1999. http://www.w3.org/TR/1999/REC-xpath-19991116 (�폜�����܂�) (�NjL) Working Group Note. URL: (�NjL�����܂�)(�NjL) http://www.w3.org/TR/2013/NOTE-xmlsec-reqs-20130124/ (�NjL�����܂�)