Difference between revisions of "Cryptographic Module"
Line 38: | Line 38: | ||
=Encryption & Decryption= | =Encryption & Decryption= | ||
The encryption and decryption functions currently underlie several limitations: | The encryption and decryption functions currently underlie several limitations: | ||
− | #Cryptographic algorithms are limited to <code>symmetric</code> algorithms only | + | #Cryptographic algorithms are limited to <code>symmetric</code> algorithms only. This means that the same secret key is used for encryption and decryption. |
#Available algorithms are <code>DES</code> and <code>AES</code> | #Available algorithms are <code>DES</code> and <code>AES</code> | ||
#A randomized initialization vector is used to prevent blabla attacks. | #A randomized initialization vector is used to prevent blabla attacks. |
Revision as of 14:45, 10 October 2011
This module contains XQuery functions to perform cryptographic operations in XQuery. The cryptographic module is based on an early draft of the EXPath Cryptographic Module and provides the following functionality:
- Creation of message authentication codes (HMAC)
- Encryption and decryption
- Creation and validation of an XML Digital Signature
This module is introduced with Version 7.0 of BaseX.
Contents
Message Authentication Code (MAC)
crypto:hmac
Signatures | crypto:hmac($message as xs:string(), $secret-key as xs:string(), algorithm as xs:string()) as xs:string() crypto:hmac($message as xs:string(), $secret-key as xs:string(), algorithm as xs:string(), $encoding as xs:string()) as xs:string()
|
Summary | Creates a message authentication code via a cryptographic hash function and a secret key. $encoding must either be hex , base64 or the empty string (default is base64 ) and specifies the encoding of the returned authentication code.$algorithm describes the hash algorithm which is used for encryption. Currently supported are md5 , sha1 , sha256 , sha384 , sha512 .
|
Errors | FOCX0013 is raised if the specified hashing algorithm is not supported. FOCX0014 is raised if the specified encoding method is not supported. |
Example | Returns the message authentication code (MAC) for a given string.
Query: crypto:hmac('message','secretkey','md5','base64') Result: 34D1E3818B347252A75A4F6D747B21C2 |
Encryption & Decryption
The encryption and decryption functions currently underlie several limitations:
- Cryptographic algorithms are limited to
symmetric
algorithms only. This means that the same secret key is used for encryption and decryption. - Available algorithms are
DES
andAES
- A randomized initialization vector is used to prevent blabla attacks.
- The result of an encryption using the same message, algorithm and key looks different each time it is executed. This is due to the use of a random initialization vector which simply increases security.
crypto:encrypt
Signatures | crypto:encrypt($input as xs:string(), $encryption-type as xs:string(), $secret-key as xs:string(), $cryptographic-algorithm as xs:string()) as xs:string()
|
Summary | Encrypts the given input string.
|
Errors | FOCX0016 is raised if padding problems arise. FOCX0017 is raised if padding is incorrect. |
Example | Encrypts input data.
Query: crypto:encrypt('message', 'symmetric','keykeyke','DES') |
crypto:decrypt
Signatures | crypto:decrypt($input as xs:string(), $decryption-type as xs:string(), $secret-key as xs:string(), $cryptographic-algorithm as xs:string()) as xs:string()
|
Summary | Decrypts the encrypted $input .
|
Errors | FOCX0016 is raised if padding problems arise. FOCX0017 is raised if padding is incorrect. |
Example | Decrypts input data and returns the original string.
Query: let $encrypted := crypto:encrypt('message', 'symmetric','keykeyke','DES') return crypto:decrypt($encrypted, 'symmetric','keykeyke','DES') Result: message |
XML Signature
crypto:generate-signature
Signatures | crypto:generate-signature($input-doc node(), $canonicalization-algorithm as xs:string(), $digest-algorithm as xs:string(), $signature-algorithm as xs:string(), $signature-namespace-prefix as xs:string(), $signature-type as xs:string()) as node() crypto:generate-signature($input-doc node(), $canonicalization-algorithm as xs:string(), $digest-algorithm as xs:string(), $signature-algorithm as xs:string(), $signature-namespace-prefix as xs:string(), $signature-type as xs:string(), $xpath-expression as xs:string()) as node() crypto:generate-signature($input-doc node(), $canonicalization-algorithm as xs:string(), $digest-algorithm as xs:string(), $signature-algorithm as xs:string(), $signature-namespace-prefix as xs:string(), $signature-type as xs:string(), $digital-certificate as node()) as node() crypto:generate-signature($input-doc node(), $canonicalization-algorithm as xs:string(), $digest-algorithm as xs:string(), $signature-algorithm as xs:string(), $signature-namespace-prefix as xs:string(), $signature-type as xs:string(), $xpath-expression as xs:string(), $digital-certificate as node()) as node()
|
Summary | ? |
Errors | ? |
Example | Generates an XML Signature. |
crypto:validate-signature
Signatures | crypto:validate-signature($input-doc as node()) as xs:boolean()
|
Summary | ? |
Errors | ? |
Example | Validates an XML Signature. |