Presents your XML E-NEWSLETTER for July 17, 2002

<------------------------------------------->

TOOLS FOR SECURING YOUR XML DOCUMENTS

There are many ways to secure your XML documents during a transaction. One of the most common methods is to use a secure transport layer such as SSL. The major downside to using SSL is that it can't protect documents outside the scope of the network it protects. In most transactions, there are at least three networks at play: yours, the Internet, and your partner's.

To help alleviate problems securing XML, the W3C has created specifications for both digitally signing and encrypting XML documents. These specifications, called XML Signature and XML Encryption, respectively, aid in protecting your XML transactions. The only problem is finding the tools to help. Let's look at a few of these tools and examine what they offer in terms of securing your XML documents.

APACHE SECURITY

When thinking of XML tools, one of the first groups that come to mind is the Apache Software Foundation. Apache is famous for its prolific Web server; however, its XML tools are also quite popular. Both the Xalan and Xerces projects are the XML foundation for many Java applications that require XML parsing. Expanding on the success of the XML parsers, Apache has projects developing SOAP, XSL Formatting Objects, SVG, and now XML security. The Apache-XML-Security-J project provides a freely available Java implementation of the W3C's XML Encryption specification.

http://xml.apache.org/security/index.html

IBM XML SECURITY SUITE

If you're familiar with Apache, then you probably also know about IBM's alphaWorks. AlphaWorks is essentially a high-powered R&D team working on the latest and most cutting-edge software technologies. The alphaWorks team has created XML Security Suite, which offers three types of document protection. These are:

* Authentication, which is handled using the W3C's XML Signature specification. This technology allows you to digitally sign XML documents and verify digital signatures.
* Data encryption, which is based on the W3C's XML Encryption specification.
* Encryption tools, which allow you to encrypt all or part of an XML document into a cipher and later decrypt the cipher to the original XML.

Finally, in typical IBM bravado style, the alphaWorks team has added an authorization layer called the XML Access Control Language. This technology lets only the people who are allowed to access documents do so.

http://www.alphaworks.ibm.com/

XML SECURITY LIBRARY

The XMLSec Library is another freely available suite of tools for adding security to your XML applications. Unlike the Apache and IBM tools, the XMLSec Library is for C programmers (who will appreciate that it includes the source code). The XMLSec Library supports the W3C specifications for XML Signature and XML Encryption, as well as Canonical XML and Exclusive Canonical XML.

Based on libxml and libxslt (both from the XML C library for Gnome) and OpenSSL, XMLSec supports a variety of encryption algorithms including Triple DES and AES. The XMLSec Library Web site includes documentation on interoperability for all three W3C specifications. The XMLSec Library is available in a variety of formats including source code, CVS, Linux RPM, and Windows binaries.

http://www.xmlsoft.org/
http://www.aleksey.com/xmlsec/index.html

COMMERCIAL TOOLS

In addition to these freely available tools, there are commercial products that offer XML security features, such as these two products:

* KeyTools from Baltimore Technologies includes an XML snap-in component. KeyTools supports the W3C's XML Signature specification and provides a complete key management system based on PKI.
  http://www.baltimore.com/keytools/index.asp
* Java Crypto and Security Implementation (JCSI) from Wedgetail Communications supports the W3C specification for digital signatures with XMLDSig. XMLDSig can provide digital signatures for XML documents using HMAC-SHA1, DSA with SHA1, and RSA with SHA1. Like the XMLSec Library, XMLDSig includes an online interoperability matrix illustrating compatibility of the implementation with the specification.
  http://www.wedgetail.com/jcsi/index.html

Brian Schaffner is a senior consultant for Fujitsu Consulting. He provides architecture, design, and development support for Fujitsu's Telcom360 group.

----------------------------------------
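ADDED EXAMPLE: WHY SIGNING NEEDS CANONICALIZATION

The sketch below is an added illustration, not code from the newsletter or from any of the tools listed. It shows why the signing tools pair a keyed digest such as HMAC-SHA1 with a canonical form of the document, and why such a check stays with the document after it leaves the SSL connection. Assumptions: the key and sample documents are constructed, Python's standard library canonicalizer implements C14N 2.0 rather than the Canonical XML versions named above, and the output is a bare tag, not an interoperable XML Signature element.

```python
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize

# Constructed demo key; real keys come from a key management system.
KEY = b"constructed-demo-key"

# Constructed sample documents.
ORIGINAL = '<order id="42" currency="USD"><amount>100.00</amount><note></note></order>'
# Same information, different bytes: attribute order, quote style, empty-tag form.
RESERIALIZED = "<order currency='USD' id='42'><amount>100.00</amount><note/></order>"
# Content changed after signing.
TAMPERED = '<order id="42" currency="USD"><amount>900.00</amount><note></note></order>'
# Pretty-printed copy: adds whitespace text nodes, which the canonical form keeps.
REINDENTED = ('<order id="42" currency="USD">\n  <amount>100.00</amount>\n'
              '  <note></note>\n</order>')


def sign(xml_text, key=KEY):
    """Return a hex HMAC-SHA1 tag computed over the canonical form of the document."""
    canonical = canonicalize(xml_text)  # sorts attributes, normalizes quotes and empty tags
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha1).hexdigest()


def verify(xml_text, tag, key=KEY):
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(sign(xml_text, key), tag)


if __name__ == "__main__":
    tag = sign(ORIGINAL)
    for name, doc in [("original", ORIGINAL), ("reserialized", RESERIALIZED),
                      ("tampered", TAMPERED), ("reindented", REINDENTED)]:
        print(f"{name:13s} verifies: {verify(doc, tag)}")
```

The re-indented copy fails verification even though no element or attribute value changed, so a document must not be pretty-printed between signing and verification.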