Summary

Message security mechanisms protect a message or document independently of the transport. This makes it possible to guarantee security properties such as authentication, message integrity, non-repudiation, and confidentiality on a per-message or per-document basis, without worrying about how the message or document is carried from one end to another. This is ideal when the message may be stored or processed at intermediate points, or when the receiver cannot process the message at the time of receipt.

XML Signature defines an XML element format to store the digital signature of one or more data items and other related information. In addition, it specifies the processing model to create the signature element and perform the validation. The data item to be signed is usually canonicalized first, so that normal XML processing, which leaves the underlying content unchanged but may alter the actual sequence of bytes comprising the message, does not break the signature.
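The effect of canonicalization on signature validation can be seen in the following added example, which is not from the book. It assumes Python's standard-library C14N 2.0 canonicalizer and uses HMAC-SHA256 as a stand-in for the signature algorithm; it does not build an XML Signature element, and the sample documents and key are constructed.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed samples: DOC_A and DOC_B carry the same content but differ in
# attribute order, quote style, whitespace inside tags and empty-element form.
DOC_A = '<order id="42" currency="USD"><item sku="A1"/><note></note></order>'
DOC_B = "<order currency='USD'   id='42' ><item sku='A1'></item><note/></order>"
# Constructed sample: the id attribute value was changed after signing.
DOC_TAMPERED = '<order id="43" currency="USD"><item sku="A1"/><note></note></order>'
# Constructed sample: whitespace added to element content, which
# canonicalization keeps because it is part of the document's content.
DOC_WHITESPACE = '<order id="42" currency="USD"> <item sku="A1"/><note></note></order>'

KEY = b"constructed-demo-key"  # assumption: shared secret used only in this demo


def raw_digest(xml_text: str) -> str:
    """SHA-256 over the bytes exactly as serialized (no canonicalization)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def canonical_bytes(xml_text: str) -> bytes:
    """Canonical form: sorted attributes, double quotes, explicit end tags."""
    return canonicalize(xml_text).encode("utf-8")


def sign(xml_text: str, key: bytes = KEY) -> str:
    """MAC computed over the canonical form, never over the raw serialization."""
    return hmac.new(key, canonical_bytes(xml_text), hashlib.sha256).hexdigest()


def verify(xml_text: str, signature: str, key: bytes = KEY) -> bool:
    """Recompute the MAC over the canonical form and compare in constant time."""
    return hmac.compare_digest(sign(xml_text, key), signature)


if __name__ == "__main__":
    signature = sign(DOC_A)
    print("raw digests equal:       ", raw_digest(DOC_A) == raw_digest(DOC_B))
    print("canonical forms equal:   ", canonical_bytes(DOC_A) == canonical_bytes(DOC_B))
    print("re-serialized verifies:  ", verify(DOC_B, signature))
    print("tampered verifies:       ", verify(DOC_TAMPERED, signature))
    print("content whitespace added:", verify(DOC_WHITESPACE, signature))
```

Re-serialization by an intermediary leaves the check intact, while a changed attribute value or added whitespace in element content causes validation to fail.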

XML Encryption defines an XML element format to store encrypted data, or references to encrypted data items, and other related information. Like XML Signature, it specifies the processing model to encrypt data and decrypt encrypted data. Either symmetric or asymmetric algorithms may be used for encryption. Symmetric encryption using a secret key is well suited for securing data stored on disk, whereas asymmetric encryption using a public and private key pair is preferred for confidential exchange of data.

It is possible to combine signature and encryption to get maximum protection. Encrypting signed data adds confidentiality to tamper-evident and authenticated data.

Standard Java APIs for XML Signature and XML Encryption are still being finalized under the Java Community Process. In the meantime, you can use libraries with proprietary APIs that let you perform XML Signature and XML Encryption. VeriSign's TSIK is one such API and library that supports both XML Signature and XML Encryption. Infomosaic's SecureXML is a Windows-only library for XML Signature that integrates well with the Windows cryptographic library and certificate store.
