2

I was reading the XML Encryption standard and I have some trouble understanding the purpose of encrypting some plain text with a symmetric generated AES or 3DES key that in turn gets encrypted with the public RSA key of the recipient.

If an attacker gets the private key of the recipient and has the network traffic recorded then he or she can decrypt the AES key and then the plaintext encrypted with the AES key. In TLS or in Signal the symmetric key gets negotiated with DH and does not travel encrypted over the wire giving the connection forward secrecy.

Why should I encrypt the symmetric key with the asymmetric one? Does it increase confidentiality or performance? When should I use this double encryption?

Thank you

    3 Answers

    4

    Why should I encrypt the symmetric key with the asymmetric one? Does it increase confidentiality or performance? When should I use this double encryption?

    You need to do the symmetric encryption because the maximum size of data RSA can encrypt is restricted by the size of its modulus minus some padding. For example, a 1024-bit RSA key can only encrypt data that is at most 117 bytes long. For anything larger than that, you would need to split the data into modulus-sized blocks (which also opens up a number of other cryptographic issues) or use an even larger key (and RSA gets slow very quickly as the key size increases).

    Diffie-Hellman is a key agreement protocol; it can only work if both sides are connected to each other to exchange some data when the document is being encrypted. The use case in a document encryption system like XML Encryption is usually that you are creating a document which can be stored and read at a later date by the recipient, and either side may never be online at the same time when generating/reading the document. This is also why Forward Secrecy is irrelevant for document encryption: as you generally want to be able to read the document later, you can't just discard the session key like you would in an ephemeral encryption system like TLS. You have to save the session key with the document somewhere so you can read the document later.

    If you want PFS, then I'd suggest transferring your encrypted document over TLS/HTTPS, and if you no longer need the document, just delete the document or at least the encrypted part of the document.

    2
    • Thank you for the info. I have 2 more questions :D 1) If RSA2048 can encrypt only 117 bits, and I encrypt an AES256 key with 117 bits that means that if somebody can break the RSA, they can also break AES even if the AES key is longer since it is encrypted with RSA. Do I understand correctly? 2) If AES is faster than RSA, and if I need performance, that means that I should not encrypt each XML document with a different AES. I can have the same AES or an interval like a day, or X hours and change it regularly, but not with each message. Am I right?
      – ddreian
      Commented Jan 27, 2017 at 9:09
    • @ddreian 1) The answer says 117 bytes not bits. 2) It would be ideal to encrypt each XML document with a different AES key. It comes down to your key management practices. The bottom line is that the AES key needs to be stored/generated securely.
      – RoraΖ
      Commented Jun 19, 2017 at 12:28
    1

    I was reading the XML Encryption standard and I have some trouble understanding the purpose of encrypting some plain text with a symmetric generated AES or 3DES key that in turn gets encrypted with the public RSA key of the recipient.

    This is the way nearly all practical public-key cryptography works. They present public/private keys as their external interface, but internally they use the public key primitives as key encapsulation mechanisms around a symmetric session key.

    Advantages:

    1. Performance. Public key primitives are orders of magnitude slower than symmetric ones.
    2. Security. By using randomly generated symmetric keys for each message it mitigates the risks of attacks that arise because a single key was overused.

    In TLS or in Signal the symmetric key gets negotiated with DH and does not travel encrypted over the wire giving the connection forward secrecy.

    Forward secrecy is neat, but TLS/Signal can achieve it easily because they're online protocols that require the two parties to interact "live" with each other. Achieving perfect forward secrecy in a non-interactive setting like XML encryption is much trickier.

    1
    • 1) If AES is faster then I need to change the key rarely and encrypt, let's say, all of today's messages with AES key 1 and tomorrow's messages with AES key 2 and so on, right? Because if I encrypt each message with a different AES key then the other party will do both RSA and AES on each message. 2) Since RSA2048 is not broken, why should I increase the entropy? If I add a nonce to the message then all messages will be different. Also I will always encrypt AES keys with RSA, so the plaintext will have the same size always. This will give clues to an attacker that encrypting the XML with RSA did not.
      – ddreian
      Commented Jan 27, 2017 at 9:18
    0

    The main idea behind this double encryption is to allow deciphering of the content by many people while controlling who can decipher the content. If you send the symmetric key, anyone with the key will be able to read the final content.

    If you send an encrypted key, which only the recipient can decipher, then the key is only available in clear with the private key.
    This is less content to encrypt than encrypting the plaintext with the public key for each recipient.

    If you avoid the symmetric key, you'll have to encrypt the content for each recipient with their public key. This means you need to store the content in plaintext somewhere; having it encrypted with a symmetric key prevents leakage at the source while keeping the storage overhead for multiple recipients low.

    Of course that doesn't prevent the problem if the attacker gets the recipient's private key; the extra security comes from storing the content in a non-readable form at the source.

    In brief: the goal is not so much to prevent an attack on the key, but on the source document itself.
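
The scheme the answers describe, as an added example that is not part of the original posts: the document is encrypted once under a fresh AES-256-GCM key, that key is wrapped with RSA-OAEP for each recipient, and RSA on its own rejects the document because of the size limit from the first answer. The names `seal`, `unseal`, `rsaRejects`, the recipients and the sample document are hypothetical, and the envelope is a plain object rather than XML Encryption markup.

```javascript
const nodeCrypto = require('node:crypto');

// RSA-OAEP with SHA-256 is used only to wrap the 32-byte content key.
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt the document once with a fresh per-document AES-256-GCM key,
// then wrap that key separately for every recipient's RSA public key.
function seal(plaintext, recipients) {
  const cek = nodeCrypto.randomBytes(32); // content-encryption key, never reused
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', cek, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  const wrappedKeys = {};
  for (const [name, publicKey] of Object.entries(recipients)) {
    wrappedKeys[name] = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, cek);
  }
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys };
}

// A recipient unwraps their copy of the content key, then decrypts and
// authenticates the shared ciphertext. Throws on a wrong key or tampering.
function unseal(envelope, name, privateKey) {
  const cek = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, envelope.wrappedKeys[name]);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', cek, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
}

// Returns true when RSA refuses to encrypt `data` directly (input too large).
function rsaRejects(publicKey, data) {
  try {
    nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, data);
    return false;
  } catch {
    return true;
  }
}

// Constructed sample: two recipients and a roughly 1 KB document.
const alice = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const bob = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const doc = Buffer.from('<order><item>constructed sample</item></order>'.repeat(20));
const envelope = seal(doc, { alice: alice.publicKey, bob: bob.publicKey });

console.log('direct RSA rejected:', rsaRejects(alice.publicKey, doc));
console.log('wrapped key bytes per recipient:', envelope.wrappedKeys.alice.length);
console.log('bob reads it:', unseal(envelope, 'bob', bob.privateKey).equals(doc));
```

Anyone who later obtains a recipient's private key can run `unseal` on a stored envelope, which is the lack of forward secrecy the question raises.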
