XML Encryption Elements
Let's look at a typical XML-encrypted document. Figure 1 shows the XML data structure before encryption.
Figure 1 XML data structure without encryption.
Now, if we want to treat this entire data set as confidential information, we can encrypt the whole document, as shown in Figure 2.
Figure 2 Fully encrypted XML data structure.
Don't worry so much about the process of encrypting for now. Focus on the elements and syntax that make up an encrypted XML document.
As shown in Figure 2, the <EncryptedData> element begins the XML-encrypted section within the document. In this case, because we decided to encrypt the entire document, we see the <EncryptedData> element in the location of the original data elements.
The following rules govern the <EncryptedData> element:
It is the core element that should enclose all encrypted XML data.
It cannot be a parent or child of another <EncryptedData> element.
It may become the root of the document (when the whole document is encrypted, as in this example).
Its standard namespace is xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'.
The second element in the encrypted XML document that draws our attention is the <CipherData> element. Being a child of the <EncryptedData> element, it encloses the actual cipher string that results from the encryption process.
In Figure 2, the <CipherData> element makes use of the <CipherValue> tag to enclose the encrypted string. This is called enveloping the raw encrypted data.
If the encrypted string is available elsewhere on the network, it is referenced through the <CipherReference> tag instead. This is called referencing the encrypted data.
Let's now look at a slightly different version of Figure 2. Suppose we consider only <Salary> as data to be protected and apply encryption to it, leaving the rest as plain XML. Figure 3 illustrates this scenario.
Figure 3 XML data structure with the <Salary> element encrypted.
In Figure 3, we encrypted the <Salary> element in its entirety, tags included. Now, what if we need to encrypt only the data contained in this element? Have a look at Figure 4.
Figure 4 XML data structure with the contents of the <Salary> element encrypted.
The subtle difference is that the Encrypted Data type has changed from Element to Content because encryption has been applied only to the data within the element!
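The following Python sketch is an added example, not code from the original article. It checks a document against the structural rules described above, using the W3C namespace http://www.w3.org/2001/04/xmlenc#. The sample document, its placeholder cipher string, and the names `audit`, `q` and `SAMPLE` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"  # W3C XML Encryption namespace

def q(name):
    """Qualify a local name with the xenc namespace, ElementTree style."""
    return "{%s}%s" % (XENC, name)

# Constructed sample: only the contents of <Salary> are encrypted.
# The CipherValue is a placeholder string, not real ciphertext.
SAMPLE = """<Employee>
  <Name>Jane Doe</Name>
  <Salary>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData>
        <xenc:CipherValue>UExBQ0VIT0xERVI=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </Salary>
</Employee>"""

def audit(xml_text):
    """Describe each <EncryptedData> and list violations of the structural rules."""
    root = ET.fromstring(xml_text)  # for untrusted input, use a hardened XML parser
    parent = {child: p for p in root.iter() for child in p}
    found, problems = [], []
    for enc in root.iter(q("EncryptedData")):
        up = parent.get(enc)
        # Rule: never a parent or child of another <EncryptedData>.
        if up is not None and up.tag == q("EncryptedData"):
            problems.append("EncryptedData nested directly in EncryptedData")
        # <CipherData> envelopes the cipher string or references it, not both.
        cipher = enc.find(q("CipherData"))
        value = ref = None
        if cipher is not None:
            value, ref = cipher.find(q("CipherValue")), cipher.find(q("CipherReference"))
        if (value is None) == (ref is None):
            problems.append("CipherData needs exactly one of CipherValue/CipherReference")
        found.append({
            "where": "document root" if up is None else up.tag,
            # Type ends in #Element (whole element) or #Content (its data only).
            "type": enc.get("Type", "").replace(XENC, "") or None,
            "mode": "enveloped" if value is not None else
                    "referenced" if ref is not None else None,
        })
    return found, problems

if __name__ == "__main__":
    print(audit(SAMPLE))
```
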