This article is part of a series of articles translated for ZDNet. The original article was published on the ZDNet website.
There are many ways to protect XML documents in a transaction. The most common method is to use a secure transport layer such as SSL. The disadvantage of SSL is that it cannot protect documents outside the network it protects. Most transactions involve at least three networks: yours, the Internet, and your partner's.
To simplify XML protection, the W3C has created specifications for digitally signing and encrypting XML documents, known as XML Signature and XML Encryption, which help protect XML transactions.
The only problem is finding tools that implement them. Let's take a look at some of these tools and what they offer for protecting XML documents.
Apache Security
When considering XML tools, the first thing that comes to my mind is the Apache Software Foundation. Apache is famous for its powerful web server, but its XML tools are also very popular. Xalan and Xerces are the basis of many Java applications that require XML parsing.
Building on its success with XML parsing, Apache has established projects to develop SOAP, XSL Formatting Objects, SVG (Scalable Vector Graphics), and now XML security products. The Apache-XML-Security-J project provides a free Java implementation of the W3C XML Encryption specification.
IBM XML Security Suite
If you are familiar with Apache, you may also know IBM's alphaWorks. alphaWorks is essentially a powerful R&D team working on the newest software technologies. The alphaWorks team has created the XML Security Suite, which provides three types of document protection:
· Authentication, which implements the W3C XML Signature specification. This technology allows you to digitally sign XML documents and verify digital signatures.
· Data encryption, which is based on the W3C XML Encryption specification.
· An encryption tool, which allows you to encrypt all or part of an XML document as ciphertext and then decrypt it back to the original XML document.
Finally, in a typical IBM bluffing style, the alphaWorks team added an authentication layer called XML Access Control Language. This technology restricts which people can access those documents.
XML Security Library
The xmlsec library is another free package that can add security features to your XML application. Unlike the Apache and IBM tools, the xmlsec library is intended for C programmers (who will appreciate that it provides source code). The xmlsec library supports the W3C XML Signature and XML Encryption specifications, as well as the Canonical XML and Exclusive Canonical XML specifications.
Based on libxml and libxslt (both from the XML C library for GNOME) and OpenSSL, it supports several different encryption algorithms, including Triple DES and AES. The xmlsec library web site includes documents that can be used with the three W3C standards. xmlsec is released in multiple forms, including source code, CVS, Linux RPM, and Windows binary releases.
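Why the Canonical XML support listed above matters for document-level protection, as an added example (not from the original article and not xmlsec code): a document re-serialized between networks changes byte for byte, so an integrity tag must be computed over its canonical form. This sketch uses Python's standard-library C14N 2.0 canonicalizer and HMAC-SHA256 as stand-ins; it is not a W3C XML Signature structure, and the sample orders and key are constructed.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed samples: one order as sent, as re-serialized in transit, and as altered.
SENT = '<order id="42" currency="USD"><item sku="A1" qty="2"/></order>'
RELAYED = "<order   currency='USD' id='42'><item qty='2' sku='A1'></item></order>"
TAMPERED = '<order id="42" currency="USD"><item sku="A1" qty="20"/></order>'
KEY = b"constructed-demo-key"  # placeholder; real keys come from key management


def raw_digest(xml_text: str) -> str:
    """SHA-256 over the bytes exactly as received (serialization-sensitive)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form: attribute order, quote style and
    empty-element syntax are normalized before hashing."""
    canonical = ET.canonicalize(xml_text)  # C14N 2.0, Python 3.8+
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def sign(xml_text: str, key: bytes) -> str:
    """Keyed integrity tag over the canonical form (assumption: HMAC-SHA256)."""
    canonical = ET.canonicalize(xml_text).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(xml_text: str, key: bytes, tag: str) -> bool:
    """True only if the document parses and its canonical form matches the tag."""
    try:
        expected = sign(xml_text, key)
    except ET.ParseError:  # malformed input never verifies
        return False
    return hmac.compare_digest(expected, tag)  # constant-time comparison


if __name__ == "__main__":
    tag = sign(SENT, KEY)
    print("raw digests equal:      ", raw_digest(SENT) == raw_digest(RELAYED))
    print("canonical digests equal:", c14n_digest(SENT) == c14n_digest(RELAYED))
    print("relayed copy verifies:  ", verify(RELAYED, KEY, tag))
    print("tampered copy verifies: ", verify(TAMPERED, KEY, tag))
```

For input from untrusted parties, parse with a hardened XML parser before canonicalizing, since the standard-library parser is not designed to resist maliciously constructed documents.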
Commercial tools
In addition to free tools, there are several commercial products that provide XML protection, such as the following two:
· KeyTools: Developed by Baltimore Technologies, it includes an XML snap-in component. KeyTools supports the W3C XML Signature specification and provides a complete key management system based on PKI.
· Java Crypto and Security Implementation (JCSI): Developed by Wedgetail Communications. Its xmldsig supports the W3C digital signature specification. xmldsig can use HMAC-SHA1, DSA with SHA-1, and RSA with SHA-1 to provide digital signatures for XML documents. Just like the xmlsec library, xmldsig has an online interoperability matrix that demonstrates its compatibility with the standard implementations.