Options to set XML encryption for Shibboleth IdP deployers

In the UK federation, IdPs encrypt assertions to the SPs using one of the certificates in the SP's metadata. This contributes to the secure passing of messages because XML messages are encrypted, which is in addition to the connection-level encryption provided by TLS.

The default bulk encryption method that is available in all SPs is AES128-CBC. However, the Shibboleth Project notes that CBC-mode has a long history of attacks, and XML Encryption proved vulnerable to them in a paper published in 2011. [ 1 ][ 2 ]. Therefore version 4 of the Shibboleth IdP has made AES128-GCM the default encryption method for new installations. Note that if you have upgraded your IdP, the original settings apply.

It is unlikely that many non-Shibboleth SPs support the GCM mode of encryption, so this documentation lists the ways that can be used to address this. This list is in preference order:

  1. The UK federation supports the use of EncryptionMethod elements, which allows a SP to signal its encryption capabilities in metadata, for example by indicating that it can decrypt messages sent using the AES128-GCM bulk encryption method. Approximately 40% of SPs use this signalling method; the remaining 60% rely on the default. Our preference is that SP operators register the algorithms that their SP supports. Please contact the helpdesk for advice on this.
  2. A MetadataFilter type="Algorithm" is available for IdP v4. Configuration examples are on the Shib wiki.
  3. Relying party overrides are available for IdP v3 and above. They are harder to configure than the MetadataFilter; the IdP v4 configuration reference notes that metadata-driven configuration is the preferable way; and you should be upgrading to v4 anyway.
  4. Turn down default encryption globally to CBC by setting idp.encryption.config to shibboleth.EncryptionConfiguration.CBC and let SPs which have GCM in metadata override the default.

Shibboleth documentation at https://wiki.shibboleth.net/confluence/display/IDP4/GCMEncryption

Bilateral integrations

Please note that the information above is for IdPs and SPs interoperating through the UK federation. If your IdP makes bilateral metadata integration with an SP, then you should consider the encryption capabilities and signalling of these SPs, especially if you are considering turning the default encryption method to GCM.