1. September 13, 2006 Robert Richards rrichards@php.net
XML Security
September 13, 2006
Robert Richards

2. Digital Signatures and Encryption
Canonicalization
A standard form of data
Digital Signatures
Provides proof of identity and authenticity which the sender cannot deny.
Encryption
Protection of data from being accessed by unauthorized parties.

3. Existing Tools/Technologies
Secure Sockets Layer (SSL)
Transport Layer Security (TLS)
Pretty Good Privacy (PGP)
GNU Privacy Guard (GnuPG)
OpenPGP
S/MIME
x.509

4. XML Security Standards
Canonical XML
Exclusive XML Canonicalization
XML Signature
XML Encryption
XML Key Management

5. Transmitting Data Over SSL/TLS

6. XML Security in PHP
A library based on the xmlsec library is currently in the works
Provides granular control for working with XML Digital Signatures and XML Encryption
PHP based libraries are available
Model libraries for designing xmlsec wrapper
Not officially mainitained and may not be backwards compatible with xmlsec based extension
Requires PHP 5.1+ (5.2 is recommended)
Requires DOM, OpenSSL and Mcrypt

7. Benefits of XML Security Standards
XML is a structured format
Allows for secure storage of documents
Leverages existing technologies
Provides granularity

8. XML Canonicalization
A standard serialization of an XML document or XPath node set
<data a="1" b="2" c="3"/>
<data b="2" c="3" a="1"/>
<data c="3" a="1" b="2"></data>
<data c="3" a="1"
b="2"></data>
<data a="1" b="2" c="3"></data>

9. Canonical XML (C14N) XML declaration and DTD are removed
XML declaration and DTD are removed
The document is encoded in UTF-8
Line breaks normalized to #xA (linefeed) on input, before parsing
Empty elements are converted to start-end tag pairs
Whitespace outside of the document element and within start and end tags is normalized
Attribute value delimiters are set to double quotes
Superfluous namespace declarations are removed from each element
Lexicographic order is imposed on the namespace declarations and attributes of each element

10. Canonical XML Example #1
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="doc.xsl" type="text/xsl" ?>
<!-- Comment -->
<doc>
<e1 a:attr='out' b:attr='sorted' attr2='all' attr="I'm"
xmlns:b=' xmlns:a="
xmlns="
<e2 xmlns="" xmlns:a="
<e3 xmlns="" xmlns:a="
</e2>
</doc>
Canonical Form of Document (uncommented)
<?xml-stylesheet href="doc.xsl" type="text/xsl" ?>
<doc>
<e1 xmlns=" xmlns:a=" xmlns:b=" attr="I'm" attr2="all" b:attr="sorted" a:attr="out"></e1>
<e2 xmlns:a="
<e3></e3>
</e2>
</doc>

11. Canonical XML Example #1
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="doc.xsl" type="text/xsl" ?>
<!-- Comment -->
<doc>
<e1 a:attr='out' b:attr='sorted' attr2='all' attr="I'm"
xmlns:b=' xmlns:a="
xmlns="
<e2 xmlns="" xmlns:a="
<e3 xmlns="" xmlns:a="
</e2>
</doc>
Canonical Form of Document (uncommented)
<?xml-stylesheet href="doc.xsl" type="text/xsl" ?>
<doc>
<e1 xmlns=" xmlns:a=" xmlns:b=" attr="I'm" attr2="all" b:attr="sorted" a:attr="out"></e1>
<e2 xmlns:a="
<e3></e3>
</e2>
</doc>

12. Canonical XML Example #1
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="doc.xsl" type="text/xsl" ?>
<!-- Comment -->
<doc>
<e1 a:attr='out' b:attr='sorted' attr2='all' attr="I'm"
xmlns:b=' xmlns:a="
xmlns="
<e2 xmlns="" xmlns:a="
<e3 xmlns="" xmlns:a="
</e2>
</doc>
Canonical Form of Document (uncommented)
<?xml-stylesheet href="doc.xsl" type="text/xsl" ?>
<doc>
<e1 xmlns=" xmlns:a=" xmlns:b=" attr="I'm" attr2="all" b:attr="sorted" a:attr="out"></e1>
<e2 xmlns:a="
<e3></e3>
</e2>
</doc>

13. Canonical XML Example #1
<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="doc.xsl" type="text/xsl" ?>
<!-- Comment -->
<doc>
<e1 a:attr='out' b:attr='sorted' attr2='all' attr="I'm"
xmlns:b=' xmlns:a="
xmlns="
<e2 xmlns="" xmlns:a="
<e3 xmlns="" xmlns:a="
</e2>
</doc>
Canonical Form of Document (uncommented)
<?xml-stylesheet href="doc.xsl" type="text/xsl" ?>
<doc>
<e1 xmlns=" xmlns:a=" xmlns:b=" attr="I'm" attr2="all" b:attr="sorted" a:attr="out"></e1>
<e2 xmlns:a="
<e3></e3>
</e2>
</doc>

14. Canonical XML Example #2
<?xml version="1.0" encoding="UTF-8"?>
<doc xmlns:d="
xmlns:c="
<e1 a:attr="out" b:attr="sorted" attr2="all" attr="I'm"
xmlns:b=" xmlns:a="
xmlns="
<d:e2 xmlns="" xmlns:a="
<e3 xmlns="" xmlns:a="
</d:e2>
</doc>
Canonical Form of Nodeset (uncommented)
(//. | | //namespace::*)[ancestor-or-self::d:e2]
<d:e2 xmlns:a=" xmlns:c="
xmlns:d="
<e3></e3>
</d:e2>

15. Canonical XML Example #2
<?xml version="1.0" encoding="UTF-8"?>
<doc xmlns:d="
xmlns:c="
<e1 a:attr="out" b:attr="sorted" attr2="all" attr="I'm"
xmlns:b=" xmlns:a="
xmlns="
<d:e2 xmlns="" xmlns:a="
<e3 xmlns="" xmlns:a="
</d:e2>
</doc>
Canonical Form of Nodeset (uncommented)
(//. | | //namespace::*)[ancestor-or-self::d:e2]
<d:e2 xmlns:a=" xmlns:c="
xmlns:d="
<e3></e3>
</d:e2>

16. Canonical XML Example #2
<?xml version="1.0" encoding="UTF-8"?>
<doc xmlns:d="
xmlns:c="
<e1 a:attr="out" b:attr="sorted" attr2="all" attr="I'm"
xmlns:b=" xmlns:a="
xmlns="
<d:e2 xmlns="" xmlns:a="
<e3 xmlns="" xmlns:a="
</d:e2>
</doc>
Canonical Form of Nodeset (uncommented)
(//. | | //namespace::*)[ancestor-or-self::d:e2]
<d:e2 xmlns:a=" xmlns:c="
xmlns:d="
<e3></e3>
</d:e2>

17. Problem with Re-Enveloping
<d:e2 xmlns:d="
<!-- Document wrapped within ns0:e1 element -->
<ns0:e1 xmlns:ns0="
</ns0:e1>
<!-- Canonical Form -->
<d:e2 xmlns:d="
xmlns:ns0="
<!-- Document wrapped within ns1:e1 element -->
<ns1:e1 xmlns:ns0="
</ns1:e1>
xmlns:ns1="

18. Exclusive XML Canonicalization
Follows the same rules as Canonical XML, except…
Attributes in the xml namespace are not imported into orphan nodes
Namespaces not specially told to be added are only added on the starting element for which they are visible and not currently in scope within the output.

19. Re-Enveloping using Exclusive
<d:e2 xmlns:d="
<!-- Document wrapped within ns0:e1 element -->
<ns0:e1 xmlns:ns0="
</ns0:e1>
<!-- Canonical Form -->
<!-- Document wrapped within ns1:e1 element -->
<ns1:e1 xmlns:ns0="
</ns1:e1>

20. Exclusive Canonical XML Example
<?xml version="1.0" encoding="UTF-8"?>
<doc xmlns:d="
xmlns:c="
<e1 a:attr="out" b:attr="sorted" attr2="all" attr="I'm"
xmlns:b=" xmlns:a="
xmlns="
<d:e2 xmlns="" xmlns:a="
<e3 xmlns="" xmlns:a="
</d:e2>
</doc>
Exclusive Canonical Form of Nodeset (uncommented)
(//. | | //namespace::*)[ancestor-or-self::d:e2]
<d:e2 xmlns:d="
<e3></e3>
</d:e2>

21. XML Digital Signature (XMLDSIG)
Insure that a message has not been altered or tampered with. (integrity)
Protection against attacks that alter a message but maintain integrity. (message authentication)
Provide a means for message auditing so that messages may not be repudiated. (signer authenticity)

22. XML Signature Structure
xmlns="
<Signature>
<SignedInfo>
<CanonicalizationMethod/>
<SignatureMethod/>
(<Reference URI? >
(<Transforms>)?
<DigestMethod>
<DigestValue>
</Reference>)+
</SignedInfo>
<SignatureValue>
(<KeyInfo>)?
(<Object Id?>)*
</Signature>

23. XML Signature: Types of Signatures
Enveloping Signature
Data lives within the XML Signature structure
Good for signing data being packaged within an XML payload
Enveloped Signature
Data lives outside of and contains the XML Signature structure
Good for signing portions or all of an XML document
Detached Signature
Data lives outside and DOES NOT contain the XML Signature structure
Data may reside at a remote location addressable by URI

24. Enveloping Signature <?xml version="1.0"?>
<Signature xmlns="
<SignedInfo>
<CanonicalizationMethod
Algorithm="
<SignatureMethod
Algorithm="
<Reference URI="#myobj">
<DigestMethod Algorithm="
<DigestValue>C2g9BLcGyGPCVKuF2byR1Ym+6pE=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>+R/XEOHDvR/jbmmpiuH4ZcRqC6c=</SignatureValue>
<Object Id="myobj">Hello World!</Object>
</Signature>

25. Enveloped Signature <?xml version="1.0"?> <Envelope>
<Data>content</Data>
<Signature xmlns="
<SignedInfo>
<CanonicalizationMethod Algorithm="
<SignatureMethod Algorithm="
<Reference>
<Transforms>
<Transform
Algorithm="
</Transforms>
<DigestMethod Algorithm="
<DigestValue>MMMkB0ZPp82XrUvJMFqDIEuXy0o=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>mVPvfcVSXi9elKL+IcSCAzD4Jbk=</SignatureValue>
</Signature></Envelope>

26. Detached Signature <?xml version="1.0"?>
<Signature xmlns="
<SignedInfo>
<CanonicalizationMethod
Algorithm="
<SignatureMethod
Algorithm="
<Reference URI="
<DigestMethod Algorithm="
<DigestValue>oLZZOWcLwsAQ9NXWoLPk5FkPuSs=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>O9ykpFMXmkddzJ3CySrpzHBUW/Q=</SignatureValue>
</Signature>

27. XML Signature Generation
Apply any transforms to the data
Calculate the digest value
Create the Reference Element
Repeat steps 1 – 3 for each piece of data to be included
Create SignedInfo element with SignatureMethod, CanonicalizationMethod and Reference elements
Canonicalize the SignedInfo element
Calculate the SignatureValue over the canonicalized SignedInfo based the SignatureMethod
Assemble the Signature element

28. SOAP Request <SOAP-ENV:Envelope <SOAP-ENV:Body>
xmlns:SOAP-ENV="
xmlns:ns1="
xmlns:xsd="
xmlns:xsi="
<SOAP-ENV:Body>
<ns1:getLocation>
<address>tel: </address>
<requestedAccuracy xsi:type="xsd:int">xx</requestedAccuracy>
<acceptableAccuracy xsi:type="xsd:int">yy</acceptableAccuracy>
</ns1:getLocation>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

29. SOAP Request: WS-Security (Signature)
<soapenv:Envelope ...>
<soapenv:Header>
<wsse:Security xmlns:wsse=" . ." soapenv:mustunderstand="1">
<wsse:BinarySecurityToken . . .>MIIE3zCCBEigAwIBAg . . .</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="
<ds:SignedInfo>
<ds:SignatureMethod Algorithm="
<ds:CanonicalizationMethod Algorithm="
<ds:Reference URI="#9b6c55bc-558f-e61a-e99a-ee2084f22000">. . .</ds:Reference>
<ds:Reference URI="#c359df d587-18af-add2c0dc1ddb">. . .</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>Yd1TGIjOb3q4UcQkUBuM3Q6Zs3G...</ds:SignatureValue>
<ds:KeyInfo>. . .</ds:KeyInfo>
</ds:Signature>
<wsu:Timestamp xmlns:wsu=" ." wsu:Id="9b6c55bc-558f-e61a-e99a-ee2084f22000">
</wsse:Security>
</soapenv:Header>
<soapenv:Body xmlns:wsu=" . ." wsu:Id="c359df d587-18af-add2c0dc1ddb">

30. SOAP Request: WS-Security Generation
require('soap-wsse.php');
define('PRIVATE_KEY', 'private_key.pem');
define('CERT_FILE', 'cert.pem');
class mySoap extends SoapClient {
public function __doRequest($request, $location, $saction, $version) {
$doc = new DOMDocument('1.0');
$doc->loadXML($request);
/* WS-Security Specific code here */
return parent::__doRequest($wsseRequest, $location, $saction, $version); }

31. SOAP Request: WS-Security Generation
$objWSSE = new WSSESoap($doc->loadXML($request));
/* add Timestamp with default expiration timestamp */
$objWSSE->addTimestamp();
/* $objWSSE->addUserToken('username', 'password', TRUE); */
/* create new XMLSec Key using RSA SHA-1 and type is private key */
$objKey = new XMLSecurityKey(XMLSecurityKey::RSA_SHA1, array('type'=>'private'));
/* load private key from file - last arg is bool if key in file (TRUE) or is string (FALSE) */
$objKey->loadKey(PRIVATE_KEY, TRUE);
/* Sign the message - also signs appropraite WS-Security items */
$objWSSE->signSoapDoc($objKey);
/* Add certificate (BinarySecurityToken) to the message and attach pointer to Signature */
$token = $objWSSE->addBinaryToken(file_get_contents(CERT_FILE));
$objWSSE->attachTokentoSig($token);
$wsseRequest = $objWSSE->saveXML();

32. SOAP Request: signSoapDoc()
$objDSig = new XMLSecurityDSig();
$objDSig->setCanonicalMethod(XMLSecurityDSig::EXC_C14N);
$arNodes = array();
/* $this->secNode refers to wsse:Security node within tree */
foreach ($this->secNode->childNodes AS $node) {
if ($node->nodeType == XML_ELEMENT_NODE)
$arNodes[] = $node; }
foreach ($this->envelope->childNodes AS $node) {
if ($node->namespaceURI == $this->soapNS && $node->localName == 'Body') {
break;
$arOptions = array('prefix'=>WSSESoap::WSUPFX, 'prefix_ns'=>WSSESoap::WSUNS);
$objDSig->addReferenceList($arNodes, XMLSecurityDSig::SHA1, NULL, $arOptions);
$objDSig->sign($objKey);
$objDSig->appendSignature($this->secNode, TRUE);

33. XML Signature Validation
Obtain the verification keying information
Apply the CanonicalizationMethod to the SignedInfo element
Verify the SignatureValue using the canonical form of the SignatureMethod
For each Reference element within SignedInfo:
Obtain the data to be digested
Digest the data using the DigestMethod within its Referece element
Compare the computed value to that of the un-encoded value from the DigestValue element

34. XML Encryption (XMLENC)
Encrypted data is maintained.
All information needed to decrypt a document is contained within the document.
Session can be secured on the document level and shared between multiple parties.
Sensitive data is easily interchanged between applications.

35. XML Encryption Structure
xmlns:enc="
<enc:EncryptedData Id? Type? MimeType?>
<enc:EncryptionMethod Algorithm />?
<dsig:KeyInfo>?
<enc:CipherData>
<enc:CipherValue>?
<enc:CipherReference URI?>?
</enc:CipherData>
<enc:EncryptionProperties>?
</enc:EncryptedData>

36. XML Encryption: Encrypting
Select the algorithm (and parameters) to use in encrypting the item.
Obtain the key and create ds:KeyInfo if necessary
Encrypt the data and prepend any appropriate initialization vector (IV).
Build CipherData element
If to be stored within CipherValue element, then encrypted data is base64 encoded.
If encrypted data is external, then create CipherReference with URI and any transforms.
Build EncryptedData or EncryptedKey structure

37. XML Encryption Example
<payment>
<order_number>1001</order_number>
<customer>Joe Smith</customer>
<creditcard>
<number> </number>
<expiration_month>01</expiration_month>
<expiration_year>2007</expiration_year>
<ccv2>123</ccv2>
</creditcard>
</payment>

38. XML Encryption Example Element / Shared Secret Key
<?xml version="1.0"?>
<payment>
<order_number>1001</order_number>
<customer>Joe Smith</customer>
<EncryptedData xmlns="
Type="
<EncryptionMethod
Algorithm="
<CipherData>
<CipherValue>C5X1I65RCX…</CipherValue>
</CipherData>
</EncryptedData>
</payment>

39. XML Encryption Example: Code
require('xmlseclibs.php');
/* Using a shared secret key for encryption */
$key = 'secret';
$doc = new DOMDocument();
$xpath = new DOMXPath($doc ->load('payment.xml'));
$creditcard = $xpath->query("//creditcard")->item(0);
$enc = new XMLSecEnc();
$enc->setNode($creditcard);
$enc->type = XMLSecEnc::Element;
/* Use the libraries to encrypt the credit card element within the document */
$objKey = new XMLSecurityKey(XMLSecurityKey::TRIPLEDES_CBC);
$objKey->loadKey($key);
$encNode = $enc->encryptNode($objKey);
print $encNode->ownerDocument->saveXML();

40. XML Encryption Example Element Content / Shared Secret Key
<?xml version="1.0"?>
<payment>
<order_number>1001</order_number>
<customer>Joe Smith</customer>
<creditcard><EncryptedData
xmlns="
Type="
<EncryptionMethod
Algorithm="
<CipherData>
<CipherValue>C5X1I65RCX…</CipherValue>
</CipherData>
</EncryptedData></creditcard>
</payment>

41. XML Encryption Example Arbitrary Data with Shared Secret Key
<?xml version='1.0'?>
<EncryptedData xmlns='
xmlns:ds='
MimeType='text/xml'>
<CipherData>
<CipherValue>...C5X1I65RCX...</CipherValue>
</CipherData>
</EncryptedData>

42. XML Encryption: Decrypting
Determine encryption algorithm and parameters.
Obtain the decryption key information.
Obtain the data to decrypt.
If CipherData has a CipherValue child then base-64 decode its contents.
If CipherData has a CipherReference child, retrieve the data and apply any Transforms.
Depending upon algorithm and parameters, strip any IV from the data to use for decryption.
Decrypt the cipher data with the encryption algorithm, parameters, and keying material.

43. XML Encryption: Decrypting Example (Infocard)
<EncryptedData xmlns="
Type="
<EncryptionMethod Algorithm="
<KeyInfo xmlns="
<e:EncryptedKey xmlns:e="
<e:EncryptionMethod Algorithm="
<DigestMethod Algorithm="
</e:EncryptionMethod>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="…/oasis wss-wssecurity-secext-1.0.xsd">
. . .</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>kXja26CSDKssMeqJcsJttLg…</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
<CipherData><CipherValue>eIreM+S35Q+=…</CipherValue></CipherData>
</EncryptedData>

44. XML Encryption: Code (Infocard)
require('xmlseclibs.php');
define('PRIVATE_KEY', 'site_sslprivate.key');
define('SAML_ASSERT_NS', 'urn:oasis:names:tc:SAML:1.0:assertion');
$encdom = new DOMDocument();
$encdom->loadXML($xmlToken);
$objenc = new XMLSecEnc();
$encData = $objenc->locateEncryptedData($encdom);
if (! $encData) {
throw new Exception("Cannot locate Encrypted Data"); }
$objenc->setNode($encData);
$objenc->type = $encData->getAttribute("Type");

45. XML Encryption: Code (Infocard)
$key = NULL;
$objKey = $objenc->locateKey();
if ($objKey)
if ($objKeyInfo = $objenc->locateKeyInfo($objKey))
if ($objKeyInfo->isEncrypted) {
$objencKey = $objKeyInfo->encryptedCtx;
$objKeyInfo->loadKey(PRIVATE_KEY, TRUE);
$key = $objencKey->decryptKey($objKeyInfo); }
if (empty($objKey) || empty($key))
throw new Exception("Error loading key to handle Decryption");
$objKey->loadKey($key);
$token = NULL;
if ($decrypt = $objenc->decryptNode($objKey, FALSE)) {
$token = new DOMDocument();
$token->loadXML($decrypt);

46. XML Encryption: Code (Infocard)
<saml:Assertion ... AssertionID="uuid: c534-42d9-a6f6-4bb1c32d0de7">
<!-- SAML related information -->
<Signature xmlns="
<SignedInfo>
<CanonicalizationMethod Algorithm="
<SignatureMethod Algorithm="
<Reference URI="#uuid: c534-42d9-a6f6-4bb1c32d0de7">
<Transforms> </Transforms>
<DigestMethod Algorithm="
<DigestValue>eHLrK4QSEkrDhHXZYHgGJMkPAU4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>0uDR9pr/TusV...</SignatureValue>
<KeyInfo><KeyValue>
<RSAKeyValue>
<Modulus>8llAGAvlPuG...</Modulus>
<Exponent>AQAB</Exponent>
</RSAKeyValue>
</KeyValue></KeyInfo>
</Signature>

47. XML Encryption: Code (Infocard)
/* Validate the SAML token */
$objXMLSecDSig = new XMLSecurityDSig();
$objXMLSecDSig->idKeys[] = 'AssertionID';
$objDSig = $objXMLSecDSig->locateSignature($token);
/* Canonicalize the signed info */
$objXMLSecDSig->canonicalizeSignedInfo();
$retVal = NULL;
if ($objDSig) { $retVal = $objXMLSecDSig->validateReference(); }
if (! $retVal) { throw new Exception("SAML Validation Failed"); }
$objKey = $objXMLSecDSig->locateKey();
/* Additional Key handling here */
if (empty($objKey)) throw new Exception("Error loading key to handle Signature");
if (! $objXMLSecDSig->verify($objKey))
throw new Exception("Unable to validate Signature");

48. Signing and Encrypting
Sign and then Encrypt
Provides signature protection
Allows for encryption algorithm to be changed without affecting signature
Incurs additional overhead as you must decrypt before you can verify
Encrypt and then Sign
Immediately know if data has been tampered with
Document can no longer be shared with other parties without revealing decryption key
Sender identity is revealed

49. Questions?

50. XML Encryption in WS-Security
<env:Envelope
xmlns:env="
xmlns:xenc="
<env:Header>
<wsse:Security
xmlns:wsse="
<xenc:ReferenceList>
<xenc:DataReference URI="#encryptedID"/>
</xenc:ReferenceList>
</wsse:Security>
</env:Header>
<env:Body>
<xenc:EncryptedData Id="encryptedID">
<xenc:CipherData>
<xenc:CipherValue>...</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</env:Body>
</env:Envelope>

51. XML Signature using Digital Certificate
<Envelope xmlns="urn:envelope">
<Data>
Hello, World!
</Data>
<Signature xmlns="
<SignedInfo>
<CanonicalizationMethod Algorithm="
<SignatureMethod Algorithm="
<Reference>
<Transforms>
<Transform Algorithm="
</Transforms>
<DigestMethod Algorithm="
<DigestValue>HjY8ilZAIEM2tBbPn5mYO1ieIX4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>SIaj/6KY3C . . .</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MIIE3zCCBEjAUB </X509Certificate>
</X509Data>
</KeyInfo>
</Signature></Envelope>

52. XML Encryption w/ Digital Certificate
<EncryptedData xmlns="
Type="
<EncryptionMethod
Algorithm="
<KeyInfo xmlns="
<EncryptedKey xmlns="
<EncryptionMethod Algorithm="
<KeyName>rsakey.pem</KeyName>
</KeyInfo>
<CipherData>
<CipherValue>IPiEu9Nv+EsGyvV . . .</CipherValue>
</CipherData>
</EncryptedKey>
<CipherValue>xrfPSA+BEI </CipherValue>
</EncryptedData>