Encryption Algorithms and Keys Exchange
Two types of cryptographic approaches are available for encrypting data within XML documents:
Symmetric key cryptography
Public key cryptography
In symmetric key systems, the same key is used to encrypt and decrypt data at either end.
But in public key cryptography, the keys function as pairs: One is a secret key or private key that is held by specific parties involved in confidential transactions; the other is called a public key, and it is distributed to all. Anybody can encrypt data using the public key; but for decryption, you need the private key as well as the public key.
Symmetric key cryptography is much faster than public key cryptography, and it is suitable for encrypting large chunks of information. But the disadvantage is obviously the usage of same key on both ends, so there is reduced privacy.
On the other hand, public key cryptography is relatively much more secure because the private key, required for decryption, is held only in one end. But the problem is that it is relatively slow and useful only for encrypting small pieces of information.
The XML-encryption process uses an ingenious combination of both algorithms to secure communications between the services. The cycle is as follows:
The sender gets a copy of the public key from the intended recipient; the latter holds the corresponding private key.
The sender encrypts the required pieces of information in the XML document using a new symmetric key, and formats it per the syntax (using the <EncryptedData> element, and so on).
The sender also encrypts the symmetric key itself using the public key of the recipient! He then bundles this encrypted symmetric key with other elements in the document using the <EncryptedKey> element, and transmits the same.
Upon receiving the document, the recipient decrypts the symmetric key in the <EncryptedKey> element using his private key.
He then proceeds to decrypt the document itself using the symmetric key obtained thus.
In short, we use one methodology to secure the document data and another to secure the keys! This shrewd combination of public key and symmetric key cryptography secures XML documents in the best possible manner. The only risk is the leakage of private keys from the recipient's hand, which needs to be taken care of.