OpenSAML user discussion

[Brent Putman <>]

Pantvaidya, Vishwajit wrote:
>
> [Pantvaidya, Vishwajit] So what you mean is that even with SAML2.0 there is 
> no way to use secret keys?
>
>   


No, SAML doesn't restrict things in this way at all.  Symmetric keys are
perfectly fine for SAML 2, and for XML Encryption in general.  However,
you would need to manage the key exchange out-of-band in that case, and
unless the key is known from context, mange things like key identifiers
for identifying the encryption key in the ds:KeyInfo by reference
(rather than by value).

The Java OpenSAML code does support symmetric keys for XML Encryption,
as long as you supply the right inputs on the encryption and/or
decryption side.  It's more of an advanced use case, however.


>
> ...Re: encryption:  When you do encryption in SAML, especially if the IdP
>
> and SP are exchanging info via SAML metadata, it is typical that you do
>
> actually encrypt the data with a randomly generated symmetric key.  That
>
> symmetric data encryption key in turn is encrypted with the recipient's
>
> public key (e.g. obtained from metadata) and sent along with the
>
> encrypted data as an xenc:EncryptedKey element.  Take a look at the XML...
>
>
>
> [Pantvaidya, Vishwajit] Just to understand this, why not just encrypt with 
> the public key? Does this provide any additional level of security (though 
> I cannot imagine how).
>   


One reason is performance.  The asymmetric ciphers (e.g. RSA) tend to be
about 1000 to 10,000 times slower than symmetric ciphers of comparable
strength (i.e. 3 or 4 orders of magnitude).  That's a big hit.  So the
idea is to encrypt a small amount of data (a symmetric key) with the
public key to lessen that hit.

And another is pragmatic:  Because of the above, I believe that XML
Encryption does not even define algorithm URI's for say RSA for bulk
data encryption.  You'd have to define cipher modes and so on, if you
want to encrypt data larger than the maximum encryptable block size for
the algorithm.  For RSA, that max block size is a little less than the
modulus size, e.g. for a 2048 bit RSA key, you can encrypt slightly less
than 2k of data.  That's more than enough for encrypting a symmetric key
(e.g. AES 256 bit), but not nearly enough for say a medium to large
sized SAML Assertion.

Note that that's how most all use of asymmetric ciphers for encryption
works, e.g. SSL/TLS.  In that case, you either use the remote peer's
public key to encrypt randomly generated temporal session symmetric
keys, or you just use the public key to authenticate the peer, and then
negotiate the session key(s) with a key agreement protocol, e.g.
Diffie-Hellman.  The symmetric session keys are then used to encrypt
data on the wire.

--Brent