XML ENCRYPTION A few weeks ago, we talked about using XML Signature to ensure the authenticity of a full or partial XML document. Sometimes, however, you need to provide additional security for your XML documents. When sending sensitive information, such as account numbers and credit card data, you need to be able to control who has access. The XML Encryption protocol can help you secure your XML data. OVERVIEW The basic premise of XML Encryption is that you can create a cipher (a string of encrypted data) and store it in an XML document. In addition to the cipher, you can also store information about the encryption method and encryption keys. The data that is encrypted is placed in an element. This element can exist in several places in the XML document. When encoding arbitrary data that is not related to XML, the element becomes the root element of a new XML document. If the arbitrary data is actually the content of an element in an XML document, then the might be placed instead of the content of the particular element. Finally, an element can also be used to replace an entire element from start tag to end tag, and including all subelements. DETAILS Like the XML Signature protocol, XML Encryption also specifies the rules used to process both raw data into encrypted XML and cipher data back into raw data. The encrypted data, or cipher value, can be stored in the element as a ; however, the encrypted data may also be included via a reference URL using the element. This allows the sender to maintain an extra layer of control over the data being sent. For example, by referencing an authenticated URL, the cipher data is protected so that only authorized users can obtain the encrypted data. The encrypted data is stored in the XML document as an element. This element consists of several subelements that contain information about the encrypted data, including key information and the actual cipher (or reference to it). Let's look at an example of using encrypted data. First, we'll examine a sample XML document that contains some sensitive information we want to encrypt. In this case, we want to encrypt the customer's social security number. Here's a sample of the XML data before encryption: James bond 007 007-23-0023 In this example, the element contains information related to the particular customer including the AccountNumber and SocialSecurityNumber. In this scenario, the CustomerName and AccountNumber elements do not need to be encrypted, but the customer's SocialSecurityNumber does. Below is an example of the encrypted version of this XML document: John Smith 007 A23B45C56 As you can see, the entire element has been replaced by an element. When the document is decrypted, the section will be processed, deciphered, and the resulting element restored. MORE INFORMATION There are a few online resources that have more information regarding XML Encryption. The best place to start is with the specifications available at The W3C XML Encryption Working Group. http://click.techrepublic.com/Click?q=e8-DOzMQfkjBQIUe0ybAeTDdcNz9RRR IBM has a security suite available that takes advantage of XML Encryption and implements the encryption and decryption engine. Information is available at The AlphaWorks XML Security Suite page. http://click.techrepublic.com/Click?q=90-wHPMQ_IMCU5V6l7mb1obZm9eK9RR SUMMARY With more data being sent across the Internet as XML documents, many organizations have a responsibility to protect their own and their customers' data. XML Encryption provides organizations with some assurance that sensitive data can be transmitted without the risk of exposure. -------------------------------------------