Question

I am developing an application for schools in South Africa which is required to submit data in XML format to the State IT Agency for statistical processing. I am currently generating the XML files using PHP's DOMDocument class.

My files have gone through a first stage verification process. The next stage is to implement encryption and compression of the XML files. The compression is a simple GZip so no worries there.

The specification document indicates that RSA encryption is used (I will be issued RSA keys to implement into the software) as well as some form of symmetrical encryption such as Triple DES (although this is an "example" and any of the algorithms at http://www.w3.org/TR/xmldsig-core can be implemented). If I understand this correctly, the RSA encryption is to encode a symmetrical key which is used for the actual encryption of the fields.

The specification document also says "Encryption of an XML file can be performed either on the whole file or on certain elements." I'm not quite sure which is easier at this stage, and so answers to either will suffice!

The requirement is, I assume, to encrypt the contents of the XML tags and not the names (as in http://www.w3.org/TR/xmlenc-core/#sec-eg-Element-Content-Character).

I apologise if this seems vague. It is currently all the information I have and the contacts at the Agency are happy to say that the (VisualBasic .NET) code samples should explain everything... If you want to examine this code sample, you are welcome to have a look at the Word document in the following ZIP file, from about page 213 onwards. http://www.sita.co.za/doe_lurits/DEVS-00118%20Rev%201.2%2012%20Jan%202009.zip

If anyone can help or point me in the right direction, I'd appreciate it.


Solution

You should just encrypt the XML file using XMLSec Encryption. The following library should handle all the details for you:

http://code.google.com/p/xmlseclibs/

OTHER TIPS

See openssl_encrypt for symmetric encryption and openssl_public_encrypt/openssl_private_decrypt for asymmetric encryption.

Sounds like you can either encrypt the entire document or just the contents of certain "sensitive" tags. Encrypting the entire document would probably be the easiest way to go.

As for the RSA/3DES thing - you are almost certainly right. You would encrypt the document with 3DES, then encrypt your 3DES key with their RSA public key.

So, seems like what you need to do is just generate the document, zip it, then encrypt the zipped results with 3DES.

The Symmetric-encrypted-document-plus-PK-encrypted-key architecture is essentially PGP. Would OpenPGP be acceptable to your customer?
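The flow these answers describe (gzip the document, encrypt it with a fresh Triple DES key, wrap that key with the recipient's RSA public key), as an added PHP example that is not code from the original posts or from the agency's specification. Assumptions: the key pair is generated locally as a stand-in for the issued keys, the element names are constructed, OAEP padding is chosen here rather than taken from the specification, and the result is a plain array rather than the W3C XML Encryption envelope that xmlseclibs produces.

```php
<?php
// Added example: whole-file hybrid encryption. Names and sample data are constructed.
const CIPHER  = 'des-ede3-cbc'; // Triple DES in CBC mode, the algorithm the question mentions
const KEY_LEN = 24;             // three 8-byte DES keys

function hybridEncrypt(string $xml, $rsaPublicKey): array
{
    $compressed = gzencode($xml, 9);
    $key = random_bytes(KEY_LEN);                          // fresh session key per file
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh IV per file
    $ciphertext = openssl_encrypt($compressed, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ciphertext === false) {
        throw new RuntimeException('symmetric encryption failed');
    }
    // Only the short session key goes through RSA, never the document itself.
    if (!openssl_public_encrypt($key, $wrappedKey, $rsaPublicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key wrap failed');
    }
    return ['wrapped_key' => $wrappedKey, 'iv' => $iv, 'ciphertext' => $ciphertext];
}

function hybridDecrypt(array $msg, $rsaPrivateKey): string
{
    if (!openssl_private_decrypt($msg['wrapped_key'], $key, $rsaPrivateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA key unwrap failed');
    }
    $compressed = openssl_decrypt($msg['ciphertext'], CIPHER, $key, OPENSSL_RAW_DATA, $msg['iv']);
    if ($compressed === false) {
        throw new RuntimeException('symmetric decryption failed');
    }
    return gzdecode($compressed);
}

// Demo key pair (assumption: stands in for the RSA keys the agency would issue).
$pair   = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$public = openssl_pkey_get_details($pair)['key'];

// Constructed sample document built with DOMDocument, as in the question.
$doc  = new DOMDocument('1.0', 'UTF-8');
$root = $doc->appendChild($doc->createElement('Learners'));
$root->appendChild($doc->createElement('Learner', 'constructed sample record'));
$xml = $doc->saveXML();

$msg = hybridEncrypt($xml, $public);
var_dump(hybridDecrypt($msg, $pair) === $xml); // round-trip check
```

CBC mode gives confidentiality only, so detecting tampering needs a signature or MAC over the ciphertext.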

Licensed under: CC-BY-SA with attribution