asked on

Am I reading the XML correctly?

I want to make sure what I am doing is correct. I get this XML response:

<s:Envelope 
        xmlns:s="http://www.w3.org/2003/05/soap-envelope" 
        xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
            <VsDebuggerCausalityData 
                xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo4tYpt6X40FEk+VSAe5mc8MAAAAAP497cBuXfk+uFIOY80O0iuLtIW56q7hLktgVYPhbnHMACQAA
            </VsDebuggerCausalityData>
            <o:Security s:mustUnderstand="1" 
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <o:BinarySecurityToken u:Id="uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">MIIF+TCCBOGgAwIBAgIQIWv3OdE866kXP/....t</o:BinarySecurityToken>
                <e:EncryptedKey Id="_0" 
                    xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
                            xmlns="http://www.w3.org/2000/09/xmldsig#" />
                    </e:EncryptionMethod>
                    <KeyInfo 
                        xmlns="http://www.w3.org/2000/09/xmldsig#">
                        <o:SecurityTokenReference>
                            <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">j0ZKFBmTz3Kj0cQ82rq63MYAR+0=</o:KeyIdentifier>
                        </o:SecurityTokenReference>
                    </KeyInfo>
                    <e:CipherData>
                        <e:CipherValue>ANCElFZ5v....==</e:CipherValue>
                    </e:CipherData>
                    <e:ReferenceList>
                        <e:DataReference URI="#_2" />
                    </e:ReferenceList>
                </e:EncryptedKey>
                <Signature 
                    xmlns="http://www.w3.org/2000/09/xmldsig#">
                    <SignedInfo>
                        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                        <Reference URI="#_1">
                            <Transforms>
                                <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                            </Transforms>
                            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                            <DigestValue>akiomlPdi6j1h6r9NDqmh9G1GD0=</DigestValue>
                        </Reference>
                    </SignedInfo>
                    <SignatureValue>LIjqWD/BXsoA0XNR7hv...==</SignatureValue>
                    <KeyInfo>
                        <o:SecurityTokenReference>
                            <o:Reference ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" URI="#uuid-10490fb0-8ee0-4a4c-a8db-77242c9a3b7f-2" />
                        </o:SecurityTokenReference>
                    </KeyInfo>
                </Signature>
            </o:Security>
        </s:Header>
        <s:Body u:Id="_1">
            <e:EncryptedData Id="_2" Type="http://www.w3.org/2001/04/xmlenc#Content" 
                xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
                <e:CipherData>
                    <e:CipherValue>3kESnJnhc8K.....</e:CipherValue>
                </e:CipherData>
            </e:EncryptedData>
        </s:Body>
    </s:Envelope>

Open in new window

The encrypted key is = Header > Security > EncryptedKey > CipherData > CipherValue. So it would be ANCElFZ5v....==
The body is Body > EncryptedData > CipherData > CipherValue. So it would be 3kESnJnhc8K.....

Is this right? Or am I missing something. Do I need anything else from the XML to decrypt the message. If I have these two values I should be able to decrypt the message right?

mccarl

If I have these two values I should be able to decrypt the message right?

There wouldn't be much point encrypting it if the key was right there along send the encrypted data ;-)

Do I need anything else from the XML to decrypt the message

Not quite. You do need something else, but it is not located in the XML (again, otherwise there is no point).

Ok, so this is all a little confusing because the word Key is used for a couple of different purposes. Let's run through it a bit and hopefully it will become clearer...

So you have your EncryptedData (in the Body), this has been encrypted by a Symmetric encryption (symmetric because the same key is used for encryption and decryption) using a key, say SK_ABC. To decrypt it, you need to SK_ABC but as above there is no point just including that in the XML, then everyone would be able to decrypt it.

So then SK_ABC key itself gets encrypted too. This time by an Asymmetric encryption using the "public" part of the key pair, say PubK_XYZ. This is the data in the EncryptedKey/CipherData section.

Ok, so what do we do know that you have received this message. The first thing you need to do it to "decrypt" the key SK_ABC, but to do this you need the "private" part of the key pair that was used to encrypt it, call it PrivK_XYZ. And this is the point to all of this... only YOU know what that key is, the key pair PK_XYZ would have been generated by YOURSELF, and then you give out JUST the public part of it PubK_XYZ to anyone that wants to send you a message (usually in the form of a "certificate"). You might have generated lots of these, so how do you know which one to use... that's where EncryptedKey/KeyInfo/../KeyIdentifier comes in. This value should match the identifier of the key pair that you generated so that you can then look up the private key PrivK_XYZ.

So you now have PrivK_XYZ, you decrypt the EncryptedKey/CipherData section with it to obtain SK_ABC. You then use that to decrypt your EncryptedData to get the original plain data.

Hope that helps, but I know that it is pretty full on, so let me know if you want me to go into more detail anywhere.

HItesh Rana

ASKER

Thank you for the detailed response. What you said above aligns to what I was thinking. So I have been struggling for the past couple of weeks of trying to decrypt a SOAP message I get from calling a Java web service. I'm using C# to consume it. I noticed you have some Java experience, so maybe you have some insight into my problem. I posted this question earlier this week. Where I'm i'm stuck on step 1 one of decrypting the key. The funny thing is that the certificate works in SOAP UI but does not work in .NET. The only difference is that in SOAP UI i had to convert the file to a jks file.

https://www.experts-exchange.com/questions/29094730/Decrypt-encrypted-key-using-Certificate-not-working-in-NET-but-works-in-SOAP-UI.html

Here is another post where I show you how I'm trying to decrypt the SOAP body
https://www.experts-exchange.com/questions/29094171/Decrypt-encrypted-key-from-SOAP-message.html

Since you are a Java Developer should I be aware of something or do something different in .NET. Thanks for all your help. At least I know I'm going down the right track.

This question needs an answer!

Become an EE member today

7 DAY FREE TRIAL

Members can start a 7-Day Free trial then enjoy unlimited access to the platform.

View membership options

Learn why we charge membership fees

We get it - no one likes a content blocker. Take one extra minute and find out why we block content.