mace-opensaml-users - Re: [OpenSAML] [OpenSAML java] encrypted assertion
Subject: OpenSAML user discussion
List archive
- From: Brent Putman <>
- To:
- Subject: Re: [OpenSAML] [OpenSAML java] encrypted assertion
- Date: Mon, 18 Apr 2011 10:33:18 -0400
Well, you can't use RSA to encrypt the actual data, you have to use a symmetric block algorithm for the data encryption, and then encrypt the data encryption key as an EncryptedKey and send it along with the EncryptedAssertion. The examples in the wiki illustrate this.

The technical reason is that RSA can only encrypt a block that is slightly smaller than its modulus size, not nearly enough for a SAML assertion. And there are no cipher modes defined for RSA for multi-block encryption (or at least if there are, XML Encryption doesn't support them). For more info, you can google. Using an ephemeral symmetric data encryption key is the standard approach to using RSA encryption for pretty much anything out there, not just SAML.

On 4/18/11 6:43 AM, wrote:
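The two-step scheme Brent describes (a fresh symmetric key for the assertion, RSA only to transport that key), as an added example that is not part of the original thread and does not use OpenSAML or its API. It is written in Go against the standard library; the choice of AES-256-GCM for the data and RSA-OAEP with SHA-256 for the key transport, the `HybridEnvelope` type and all function names are assumptions of this example, not something the thread specifies. The `MaxOAEPPlaintext` function makes the size limit concrete: for a 2048-bit key, OAEP/SHA-256 can carry at most 190 bytes, so `EncryptDirect` on a whole assertion fails with `rsa.ErrMessageTooLong`, while `Encrypt`/`Decrypt` round-trip it through the wrapped data key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// HybridEnvelope mirrors the XML Encryption shape discussed in the thread:
// an EncryptedKey (data key wrapped with the recipient's RSA public key)
// travelling alongside the EncryptedData (the assertion under a symmetric cipher).
// The field layout is this example's own, not an OpenSAML type.
type HybridEnvelope struct {
	EncryptedKey []byte // RSA-OAEP(SHA-256) wrapped AES-256 key
	Nonce        []byte // 96-bit GCM nonce, generated per message
	Ciphertext   []byte // AES-256-GCM ciphertext with the 16-byte tag appended
}

// MaxOAEPPlaintext returns the largest message RSA-OAEP with SHA-256 can
// encrypt under pub: modulus length in bytes minus 2*hashLen minus 2 (RFC 8017).
func MaxOAEPPlaintext(pub *rsa.PublicKey) int {
	return pub.Size() - 2*sha256.Size - 2
}

// EncryptDirect attempts to RSA-OAEP the assertion itself. Anything longer
// than MaxOAEPPlaintext is rejected with rsa.ErrMessageTooLong.
func EncryptDirect(pub *rsa.PublicKey, assertion []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, assertion, nil)
}

// Encrypt generates an ephemeral AES-256 key, encrypts the assertion with it
// under GCM, and wraps the key with RSA-OAEP for the recipient.
func Encrypt(pub *rsa.PublicKey, assertion []byte) (*HybridEnvelope, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, assertion, nil)
	// The data key (32 bytes) is far below the OAEP limit, so this always fits.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &HybridEnvelope{EncryptedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key with the recipient's private key, then opens
// the GCM ciphertext; any modification of the ciphertext or tag is rejected.
func Decrypt(priv *rsa.PrivateKey, env *HybridEnvelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.EncryptedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("assertion ciphertext rejected: %w", err)
	}
	return pt, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed test key, not a real SP key
	// Constructed stand-in for an assertion; real ones are typically several KB.
	assertion := []byte(strings.Repeat("<saml:Assertion>constructed sample</saml:Assertion>", 40))
	fmt.Printf("OAEP limit for this key: %d bytes, assertion: %d bytes\n",
		MaxOAEPPlaintext(&priv.PublicKey), len(assertion))
	if _, err := EncryptDirect(&priv.PublicKey, assertion); err != nil {
		fmt.Println("direct RSA encryption failed:", err)
	}
	env, _ := Encrypt(&priv.PublicKey, assertion)
	pt, err := Decrypt(priv, env)
	fmt.Println("hybrid round-trip ok:", err == nil && string(pt) == string(assertion))
}
```

Note that GCM gives the receiving side an integrity check on the assertion ciphertext for free; the older CBC transforms in XML Encryption do not, which is one reason the signature over the assertion still matters in SAML deployments.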
- [OpenSAML] [OpenSAML java] encrypted assertion, jixian.li, 04/18/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, Brent Putman, 04/18/2011
- <Possible follow-up(s)>
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, jixian.li, 04/18/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, Brent Putman, 04/18/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, jixian.li, 04/20/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, Brent Putman, 04/20/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, jixian.li, 04/21/2011
- Re: [OpenSAML] [OpenSAML java] encrypted assertion, Brent Putman, 04/21/2011
Archive powered by MHonArc 2.6.16.