
mace-opensaml-users - [OpenSAML] RE: Encrypting multiple elements with one session key

Subject: OpenSAML user discussion

List archive

[OpenSAML] RE: Encrypting multiple elements with one session key


  • From: Dan Ciarniello <>
  • To: "''" <>
  • Subject: [OpenSAML] RE: Encrypting multiple elements with one session key
  • Date: Wed, 2 Mar 2011 14:11:02 -0800
  • Accept-language: en-US
  • Acceptlanguage: en-US

Sorry, I am using the OpenSAML Java libraries version 2.4.1.

I haven't tried it yet but I am pretty sure that I can generate an AES key
using SecurityHelper.generateSymmetricKey() which I can then add to the
EncryptionParameters object passed to the Encrypter. What I don't know is
how to add this key to the assertion. What I'm looking to do would be
something like:

<Assertion ...>
  <Subject>
    <EncryptedID>
      ...
      <KeyInfo>
        <RetrievalMethod URI="keyinfoURI"/>
      </KeyInfo>
      ...
    </EncryptedID>
    ...
  </Subject>
  ...
  <AttributeStatement>
    <EncryptedAttribute>
      ...
      <KeyInfo>
        <RetrievalMethod URI="keyinfoURI"/>
      </KeyInfo>
      ...
    </EncryptedAttribute>
  </AttributeStatement>
  <EncryptedKey Id="keyinfoURI">
    ...
  </EncryptedKey>
</Assertion>


Dan.

-----Original Message-----
From: [mailto:] On Behalf Of Cantor, Scott E.
Sent: Wednesday, March 02, 2011 1:55 PM
To:
Subject: [OpenSAML] RE: Encrypting multiple elements with one session key

> Is this possible and, if so, how would I go about doing it? Assuming that
> it is possible, are there any drawbacks to doing this?

I think there are technically key hygiene issues involved in using a key more
than once, but I really don't know when it's ok or not ok. I think the usual
approach is to use key derivation off of a master key to do more than one
encryption operation, which I doubt is supported.

I know how to, sort of, manage using a fixed AES key in my library, no idea
about Java, which I'll assume is what you're asking about since you didn't
specify.

-- Scott
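The key-reuse step Dan sketches above (generate one AES key with SecurityHelper.generateSymmetricKey(), hand it to the Encrypter through EncryptionParameters, then encrypt a NameID and an Attribute with it) looks like the following against the OpenSAML 2.x Java API. This is an added example, not code from the thread or from the OpenSAML project; the recipient's RSA key-encryption credential and entity ID are assumed to be supplied by the caller (for example, from the SP's metadata), and the class and method names are my own.

```java
import java.security.KeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.SecretKey;

import org.opensaml.DefaultBootstrap;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.EncryptedAttribute;
import org.opensaml.saml2.core.EncryptedID;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.encryption.Encrypter;
import org.opensaml.xml.ConfigurationException;
import org.opensaml.xml.encryption.EncryptionConstants;
import org.opensaml.xml.encryption.EncryptionException;
import org.opensaml.xml.encryption.EncryptionParameters;
import org.opensaml.xml.encryption.KeyEncryptionParameters;
import org.opensaml.xml.security.SecurityHelper;
import org.opensaml.xml.security.credential.Credential;

/**
 * Example (not OpenSAML's own code): encrypt several SAML elements with one
 * caller-generated AES session key instead of letting the Encrypter mint a
 * fresh key per encrypt() call.
 */
public class SharedSessionKeyEncrypter {

    /** Holder for the two encrypted elements produced with the shared key. */
    public static final class Result {
        public final EncryptedID encryptedId;
        public final EncryptedAttribute encryptedAttribute;

        Result(EncryptedID encryptedId, EncryptedAttribute encryptedAttribute) {
            this.encryptedId = encryptedId;
            this.encryptedAttribute = encryptedAttribute;
        }
    }

    private final SecretKey sessionKey;
    private final Encrypter encrypter;

    /**
     * @param recipientKek   recipient's RSA public-key credential (assumed: loaded from SP metadata)
     * @param recipientId    recipient entityID placed in EncryptedKey/@Recipient (assumed)
     */
    public SharedSessionKeyEncrypter(Credential recipientKek, String recipientId)
            throws NoSuchAlgorithmException, KeyException {
        // One AES-128 key for the whole assertion.
        sessionKey = SecurityHelper.generateSymmetricKey(
                EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);

        // Wrapping the key in a credential and setting it here is what makes
        // the Encrypter reuse it rather than generating a random key per call.
        EncryptionParameters dataParams = new EncryptionParameters();
        dataParams.setAlgorithm(EncryptionConstants.ALGO_ID_BLOCKCIPHER_AES128);
        dataParams.setEncryptionCredential(SecurityHelper.getSimpleCredential(sessionKey));

        // The session key is transported to the recipient under RSA-OAEP.
        KeyEncryptionParameters kekParams = new KeyEncryptionParameters();
        kekParams.setAlgorithm(EncryptionConstants.ALGO_ID_KEYTRANSPORT_RSAOAEP);
        kekParams.setEncryptionCredential(recipientKek);
        kekParams.setRecipient(recipientId);

        encrypter = new Encrypter(dataParams, kekParams);
        // PEER: every EncryptedID/EncryptedAttribute carries its own EncryptedKey
        // beside its EncryptedData. The wrapped key bytes are identical each time.
        encrypter.setKeyPlacement(Encrypter.KeyPlacement.PEER);
    }

    /** Encrypts both elements with the same session key (fresh random IV per element). */
    public Result encrypt(NameID nameId, Attribute attribute) throws EncryptionException {
        EncryptedID encryptedId = encrypter.encrypt(nameId);
        EncryptedAttribute encryptedAttribute = encrypter.encrypt(attribute);
        return new Result(encryptedId, encryptedAttribute);
    }

    /** Must run once before any OpenSAML object is built or encrypted. */
    public static void bootstrap() throws ConfigurationException {
        DefaultBootstrap.bootstrap();
    }
}
```

What this gives you is the same symmetric key across both elements, with a different random IV for each EncryptedData; it does not produce the single assertion-level EncryptedKey referenced by RetrievalMethod that the XML sketch in the thread describes, because Encrypter.KeyPlacement only offers INLINE and PEER and each encrypt() call emits its own EncryptedKey (so the RSA-OAEP operation is still repeated per element). Any decrypting party will need to find and unwrap that key for each element separately, which is the layout OpenSAML's Decrypter handles out of the box.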



