Tools to protect XML documents [Z]

XML This is one of a series of articles translated for ZDNet, which has been published in the ZDNet website

There are many ways to protect an XML document during a transaction, and one of the most common methods is to use a secure transport layer like SSL. The downside to using SSL is that it cannot protect documents outside of the network it protects. In most transactions, at least three networks are involved: your, the Internet and your partner's.
To mitigate the problem of protecting XML, the consortium has created specifications for digitally signing and encrypting XML documents, called XML signature and XML encryption, which help protect XML transactions.
The only problem is finding such tools, let's take a look at some of these tools and examine the functionality they provide to protect XML documents.

Apache Security

When considering the XML tool, the first one to come into my mind is the Apache Software Foundation. Apache is famous for its powerful Web server, but its XML tools are also very popular. Xalan and Xerces are the foundations of Java applications that require XML parsing.
To extend the success of XML parsing, Apache has established project development SOAP, XSL format objects (formatting object), SVG (Scalable vector Graphics, Scalable vector graphics), and now XML security products. Apache-xml-security-j Project provides a free Java implementation of the XML encryption specification for the consortium.

IBM XML Security Suite

If you are familiar with Apache, you may also know IBM's alphaworks. Alphaworks is essentially a powerful research and development team that works on the latest and most marginal software technologies. The Alphaworks team has created an XML security Suite that provides three kinds of document protection:
· Authentication (authentication), which implements the XML Signature specification of the consortium, which allows you to digitally sign XML documents and verify digital signatures.
· Data encryption (encryption), which is based on the XML Encryption specification of the consortium.
· Encryption tool, which allows you to encrypt all or part of an XML document into ciphertext, which can later be decrypted to the original XML document.
Finally, with IBM's typical bravado style, the Alphaworks team added a certification layer called the XML Access Control language (XML access controls Language). This technique only allows people to access those documents.

XML Security Library

The Xmlsec library is another free suite that can add security to your XML application. Unlike Apache and IBM tools, the XMLSEC library is intended for C-language programmers (they will appreciate it for providing source code). The XMLSEC library supports the XML signature and XML Encryption specification of the consortium, as well as Canonical XML and exclusive Canonical XML specifications.
It supports several different cryptographic algorithms, including Triple DES and AES, based on Libxml and LIBXSLT (two from XML C library for Gnome) and OpenSSL. The Xmlsec Library Web site includes documents that can be used to interoperate with the three of the consortium specifications. Xmlsec is published in a variety of formats, including source code, CVS, Linux rpm, and binary publishing of Windows.

Business Tools

In addition to the free tools, there are several commercial products that provide XML protection, like the following two products:
· Keytools: Developed by Baltimore Technologies, including an XML snap-in component. Keytools supports the XML Signature specification of the consortium and provides a complete key management system based on PKI.
· Java Crypto and Security Implementation (JCSI): Developed by Wedgetail Communications, using XMLDSIG to support the digital signature specification for the consortium. XMLDSIG can provide digital signatures on XML documents using HMAC-SHA1, DSA with SHA1, and RSS with SHA1. Like the Xmlsec Library, XMLDSIG contains an online interoperability matrix to illustrate its compatibility with specification implementations.