Can you do symmetric encryption on SAML attributes in SAML 2.0?

Question

Can you do symmetric encryption on SAML attributes in SAML 2.0? We can seem to do asymmetric. What are pros and cons?

Answer 1

SAML 2.0 utilizes XML Encryption (Sect 5.2.1 and 5.2.2). With that said, Sect 4.2 of the SAML 2.0 Conformance docs specifies you must support the following to be SAML 2.0 compliant:

• Block Encryption: TRIPLE DES, AES-128, AES-256.
• Key Transport: RSA-v1.5, RSA-OAEP

In other words, SAML 2.0 mandates you use asymmetric keys.

So, the "cons" will be that you are not SAML 2.0 compliant if you utilize symmetric encryption of SAML Attributes which will lead to interopability issues with other SAML 2.0 partners. However, that does not mean that you cannot actually choose to use this type of encryption as long as your partner supports this as well.

On the "pros" side, symmetric encryption is faster (less computationally intensive I'm told) but I'm pretty sure it's not worth the trade-off wrt compliance.

Answer 2

Keep in mind that in reality you are always using both asymmetric and symmetric encryption - this is best practice in security. The underlying block encryption method that is symmetric (as noted by Ian: Triple DES, AES, etc.). Asymmetric is preferred due to stronger security (larger key sizes, etc.) - and ease of keeping the private keys secure (only the public keys need to be distributed). However due to its performance it's only used as a means to exchange symmetric keys. Symmetric encryption on the bulk of the data is done for speed.

In the XML Encryption spec, EncryptedData element contains symmetrically encrypted data, while EncryptedKey is your symmetric encryption/decryption key, encrypted via asymmetric encryption.

Answer 3

If you want to understand XML encryption, Don Eastlake's classic, Secure XML: The New Syntax for Signatures and Encryption, is still the best. He explains the trade-offs in the designs for XML Enc and DSig, and has tips about implementation. In the 9 years since he wrote it, many conventions have arisen about these trade-offs, which you can find via search.

My colleague, Ian, has listed the SAML 2.0 required algorithms, so you can focus on these in Eastlake's book. And as you are probably aware, "required" in a spec means that if you limit yourself to just these, you will be interoperable.

Finally, this technique Scott describes, of generating a random symmetrical key, encrypting the data with it, and then encrypting the random symmetrical key w/ the public encryption key of your recipient is ofter called digital enveloping and is used everywhere in cryptography, from SSL to key management systems.