This page explains how to encrypt an XML element with xmlsec1 using a template file.
[session-key-template.xml]
<?xml version="1.0" encoding="UTF-8"?>
<!--
XML Security Library example: Original XML
doc file before encryption (encrypt3 example).
-->
<EncryptedData
xmlns="http://www.w3.org/2001/04/xmlenc#"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm=
"http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName/>
</KeyInfo>
<CipherData>
<CipherValue/>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue/>
</CipherData>
</EncryptedData>
This is the template as shipped with xmlsec1 (the encrypt3 example). Encryption is carried out against it: xmlsec1 fills in the empty CipherValue elements and puts the completed EncryptedData into the document in place of the selected node. Two values in it are meant to be edited. The Type attribute on EncryptedData is http://www.w3.org/2001/04/xmlenc#Element here, which replaces the selected element entirely; change it to http://www.w3.org/2001/04/xmlenc#Content to keep the element and encrypt only what is inside it. The Algorithm of the outer EncryptionMethod selects the symmetric cipher, and the key type given with --session-key should match it (des-192 for tripledes-cbc, aes-256 for aes256-cbc).
$ xmlsec1 encrypt --pubkey-pem pub-userkey.pem --session-key des-192 --xml-data doc-plain.xml --output doc-encrypted-xpath.xml --node-xpath '/PayInfo/CreditCard/Number/text()' session-key-template.xml
Selecting the element itself instead of its text node works as well. The XPath only chooses the target node; whether that element is replaced whole or only its children are replaced is decided by the template's Type attribute, not by the XPath. With the unmodified template (Type ...#Element) the whole CreditCard element, attributes included, disappears into EncryptedData:
$ xmlsec1 encrypt --pubkey-pem pub-userkey.pem --session-key des-192 --xml-data doc-plain.xml --output doc-encrypted-xpath.xml --node-xpath /PayInfo/CreditCard session-key-template.xml
Element encryption with tripledes-cbc (output of the command above):
<?xml version="1.0" encoding="utf-8"?>
<PayInfo>
<Name>John Smith</Name>
<EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName/>
</KeyInfo>
<CipherData>
<CipherValue>ZSPtQuDCvcJWUPVk2n6fb7SPlK3XamG3wTjZoz4XEzDapxIR4qVOF+O0ggK311tt
M3GH/X9GvPPfn/eOKLLfwNvYKZPXzN1t1RUYZWlOl4WY8+80pwi38yFWuRWC8+Ax
yVZEDQY094uFxK+e2c1YsQ1chvjQKtNvO88O+Ii7bwA=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>m9RhRpntZH70NseF2JdPsiKtW2mnDXjS6qHJm5NJLUuUh0ENnkcy86QFUgy1R9tX
xjTM81qvQWL8XY/WzER3Oki3TLzOh31w0CcdNUpIyMaVRRoUMD3mWsAdhH5vCgiJ
qSSs3t77H1cURAaFcCSxNdpHZNHy7mPiLeoY+Xp6v5inwvQe6HiGCLz31I7TkDqv
OjxMqY0cG7lY4LOLU90FN6lTcW6DRsCvJKmFPb6n3Ss=</CipherValue>
</CipherData>
</EncryptedData>
</PayInfo>
Below is the result after changing the algorithm and changing Element to Content. template.xml is a copy of session-key-template.xml with Type set to http://www.w3.org/2001/04/xmlenc#Content and the outer EncryptionMethod Algorithm set to http://www.w3.org/2001/04/xmlenc#aes256-cbc, to match --session-key aes-256:
$ xmlsec1 encrypt --pubkey-pem pub-userkey.pem --session-key aes-256 --xml-data doc-plain.xml --output doc-encrypted-xpath.xml --node-xpath /PayInfo/CreditCard template.xml
Element content encryption with aes256-cbc (the CreditCard element and its Limit and Currency attributes survive; only its children were replaced):
<?xml version="1.0" encoding="utf-8"?>
<PayInfo>
<Name>John Smith</Name>
<CreditCard Limit="2,000" Currency="USD"><EncryptedData xmlns="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
<EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<KeyName/>
</KeyInfo>
<CipherData>
<CipherValue>lZ9TlXNe0NeZXE46C6meDspgTMsnvZwgkDpKSaKDiAQ/KSJ0P4acuxnN7saI6XIW
XzX8eqQPztF8sQyw65rUCJuAaHw0BcKOZ21QpNVL74OU5jYv/Fh/kI2srEEsjz5b
lFmRWSp1mSxb27N3WqB+KsEpZWazAA2KCNpP/80C/To=</CipherValue>
</CipherData>
</EncryptedKey>
</KeyInfo>
<CipherData>
<CipherValue>nOcInRsN4z/MMwjyKR67X6IqWUfq7VgDefQHy5Q4uSsISm6kMSmVEFxH2IIVVZTU
QYzY5ABu4LeeosSE9Y/eplgV0u80V5vT2ddSR9YzwW97Lnn59hbN8bNOdjYsrbw0
4DK7HOTqxFyCrXIcqsZaokNDt+z1lw/kKrYXKFd02Y7GPwzw0b1O6nD5FvS8+jI3</CipherValue>
</CipherData>
</EncryptedData></CreditCard>
</PayInfo>
EncryptionMethod appears twice here, and the two play different roles. The inner one, under EncryptedKey, names the key-transport algorithm, rsa-1_5: xmlsec1 generates a random session key of the type given by --session-key, encrypts that key with the public key from --pubkey-pem, and stores the result in EncryptedKey/CipherData. The outer one names the symmetric cipher (tripledes-cbc or aes256-cbc) that is applied with the session key to the selected XML; that ciphertext goes into the outer CipherData. Only the holder of the matching private key can unwrap the session key, and xmlsec1 decrypt with --privkey-pem reverses the process. Two caveats before taking this template into production: rsa-1_5 is PKCS#1 v1.5 key transport, which XML Encryption 1.1 discourages because of padding-oracle attacks (rsa-oaep-mgf1p is the usual replacement), and CBC ciphertext carries no integrity check, so an encrypted document that is not also signed can be tampered with.
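The following Python is an added example, not code from the page or from xmlsec1, and uses only the standard library. It does the template edit described above in code (Type Element to Content, tripledes-cbc to aes256-cbc) and then reviews encrypted output the way a practitioner would before trusting it: it locates both EncryptionMethod elements, reports whether EncryptedData replaced the CreditCard element or sits inside it, and flags rsa-1_5 and CBC. The helper names find_methods, make_template and inspect_encrypted, the WEAK policy table and the rsa-oaep-mgf1p default are the example's own choices; the two sample documents are constructed to match the outputs shown above, with placeholder CipherValue contents instead of real ciphertext.

```python
# Added example: edit an xmlsec1 EncryptedData template and review encrypted
# output. Not part of xmlsec1 or the page's files; standard library only.
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", XENC)  # serialise xenc as the default namespace
ET.register_namespace("ds", DS)

# session-key-template.xml from the page, minus the comment and XML declaration.
TEMPLATE = f"""<EncryptedData xmlns="{XENC}" Type="{XENC}Element">
  <EncryptionMethod Algorithm="{XENC}tripledes-cbc"/>
  <KeyInfo xmlns="{DS}">
    <EncryptedKey xmlns="{XENC}">
      <EncryptionMethod Algorithm="{XENC}rsa-1_5"/>
      <KeyInfo xmlns="{DS}"><KeyName/></KeyInfo>
      <CipherData><CipherValue/></CipherData>
    </EncryptedKey>
  </KeyInfo>
  <CipherData><CipherValue/></CipherData>
</EncryptedData>"""

# Algorithms a reviewer should flag (assumed policy for this example).
WEAK = {
    XENC + "rsa-1_5": "PKCS#1 v1.5 key transport is padding-oracle prone; use rsa-oaep-mgf1p",
    XENC + "tripledes-cbc": "3DES has a 64-bit block; use aes256-cbc (or an AEAD mode)",
}


def find_methods(enc_data):
    """Return (data_method, key_method) for one EncryptedData element.
    The outer EncryptionMethod names the symmetric cipher; the inner one,
    under KeyInfo/EncryptedKey, names the key-transport (session key wrap)."""
    data_method = enc_data.find(f"{{{XENC}}}EncryptionMethod")
    enc_key = enc_data.find(f"{{{DS}}}KeyInfo/{{{XENC}}}EncryptedKey")
    key_method = None if enc_key is None else enc_key.find(f"{{{XENC}}}EncryptionMethod")
    return data_method, key_method


def make_template(base, type_name="Content", data_alg="aes256-cbc", key_alg="rsa-oaep-mgf1p"):
    """Return a template with Type and both algorithms rewritten: the manual
    edit the page describes, plus swapping rsa-1_5 for RSA-OAEP. Algorithm
    names are suffixes of the xmlenc namespace."""
    root = ET.fromstring(base)
    root.set("Type", XENC + type_name)
    data_method, key_method = find_methods(root)
    data_method.set("Algorithm", XENC + data_alg)
    key_method.set("Algorithm", XENC + key_alg)
    return ET.tostring(root, encoding="unicode")


def inspect_encrypted(doc):
    """Structural review of an encrypted document (or a bare template).
    Reports the EncryptedData Type, the element it sits in (PayInfo when the
    whole CreditCard element was replaced, CreditCard when only its content
    was), both algorithm URIs and policy warnings. Nothing is decrypted."""
    root = ET.fromstring(doc)
    enc_tag = f"{{{XENC}}}EncryptedData"
    enc_data = root if root.tag == enc_tag else root.find(f".//{enc_tag}")
    if enc_data is None:
        raise ValueError("no EncryptedData element found")
    parents = {child: parent for parent in root.iter() for child in parent}
    parent = parents.get(enc_data)
    data_method, key_method = find_methods(enc_data)
    data_alg = data_method.get("Algorithm")
    key_alg = None if key_method is None else key_method.get("Algorithm")
    warnings = [WEAK[a] for a in (data_alg, key_alg) if a in WEAK]
    if data_alg.endswith("-cbc"):
        warnings.append("CBC gives no integrity; sign the document or use an AEAD mode")
    return {
        "type": enc_data.get("Type", "").rsplit("#", 1)[-1],
        "parent": None if parent is None else parent.tag.split("}")[-1],
        "data_alg": data_alg,
        "key_alg": key_alg,
        "warnings": warnings,
    }


# Constructed documents shaped like the two outputs on the page (placeholder ciphertext).
_ENC = (
    '<EncryptedData xmlns="{x}" Type="{x}{t}"><EncryptionMethod Algorithm="{x}{d}"/>'
    '<KeyInfo xmlns="{s}"><EncryptedKey xmlns="{x}"><EncryptionMethod Algorithm="{x}{k}"/>'
    '<CipherData><CipherValue>AAAA</CipherValue></CipherData></EncryptedKey></KeyInfo>'
    '<CipherData><CipherValue>BBBB</CipherValue></CipherData></EncryptedData>'
)
ELEMENT_DOC = ("<PayInfo><Name>John Smith</Name>"
               + _ENC.format(x=XENC, s=DS, t="Element", d="tripledes-cbc", k="rsa-1_5")
               + "</PayInfo>")
CONTENT_DOC = ('<PayInfo><Name>John Smith</Name><CreditCard Limit="2,000" Currency="USD">'
               + _ENC.format(x=XENC, s=DS, t="Content", d="aes256-cbc", k="rsa-1_5")
               + "</CreditCard></PayInfo>")

if __name__ == "__main__":
    for name, doc in (("Element", ELEMENT_DOC), ("Content", CONTENT_DOC)):
        print(name, inspect_encrypted(doc))
    print(make_template(TEMPLATE))
```

Run as a script it prints the review of both constructed documents and the rewritten template. The template it emits can be saved and passed to xmlsec1 encrypt in place of template.xml, keeping --session-key in step with the data algorithm (aes-256 for aes256-cbc); the review function can then be pointed at the real output to confirm that the Type, the surviving parent element and the algorithm URIs are what was intended.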