One of the most common methods of securing XML documents during a transaction is to use a secure transport layer such as SSL. The major downside to this approach is that it can’t protect documents outside the network the transport layer safeguards. And most transactions involve at least three networks: yours, the Internet, and your partner’s.

To help alleviate problems securing XML, the W3C has created specifications for both digitally signing and encrypting XML documents. These specifications, called XML Signature and XML Encryption, respectively, are strong blueprints for protecting your XML transactions. The only problem is finding tools to implement them. Let’s look at a few available tools and the functionality they offer.

Apache security
When thinking of XML tools, one of the first names that comes to mind is the Apache Software Foundation. Apache is famous for its prolific Web server, and its XML tools are also quite popular. Both the Xalan and Xerces projects are the XML foundation for many Java applications that require XML parsing.

Expanding on the success of its XML parsers, Apache has projects devoted to developing SOAP, XSL Formatting Objects, SVG, and now XML security. The Apache-XML-Security-J project provides a freely available Java implementation of the W3C’s XML Encryption specification.

IBM XML Security Suite
If you’re familiar with Apache, then you probably also know about IBM’s alphaWorks, which is essentially a high-powered R&D team working on cutting-edge software technologies. The alphaWorks team has created XML Security Suite, which offers three types of document protection:

  • Authentication, which is handled using the W3C’s XML Signature specification. This technology allows you to digitally sign XML documents and verify digital signatures.
  • Data encryption, which is based on the W3C’s XML Encryption specification.
  • Encryption tools, which allow you to encrypt all or part of an XML document into a cipher and later decrypt the cipher to the original XML.

Finally, in typical IBM bravado, the alphaWorks team has added an authorization layer called the XML Access Control Language. This technology lets only authorized users access documents.

Read more about security issues

  • “XML security who’s who”
    Businesses need security solutions for their XML applications, and help is on the way. Learn about five XML security standards now in the works.
  • “How secure is your code?”
    Do you trust your developers to write hacker-proof code? Or do you depend on your network administrator to keep your software assets secure? Read what these software developers think about security audits, and add your two cents to the discussion.

XML security library
The XMLSec Library is another freely available suite of tools for adding security to your XML applications. Unlike the Apache and IBM toolkits, the XMLSec Library is for C programmers, who will appreciate that it includes the source code. It supports the W3C specifications for XML Signature and XML Encryption, as well as Canonical XML and Exclusive Canonical XML.

Based on libxml and libxslt (both from the XML C library for Gnome) and OpenSSL, the XMLSec Library supports a variety of encryption algorithms, including Triple DES and AES. The XMLSec Library Web site includes documentation on interoperability for all three W3C specifications. The toolkit is available in a variety of formats, including source code, CVS, Linux RPM, and Windows binaries.

Commercial tools
In addition to these freely available tools, some commercial products offer XML security features. KeyTools from Baltimore Technologies includes an XML snap-in component, supports the W3C’s XML Signature specification, and provides a complete key management system based on PKI. Java Crypto and Security Implementation (JCSI) from Wedgetail Communications supports the W3C specification for digital signatures with XMLDSig. XMLDSig can provide digital signatures for XML documents using HMAC-SHA1, DSA with SHA1, and RSS with SHA1. Like the XMLSec Library, XMLDSig includes an online interoperability matrix that illustrates compatibility of the implementation with the specification.