Prior to the drafting of the WS-Security and WS-Security Addendum specifications, which I will discuss in detail shortly, two specifications were proposed to secure XML data. These two XML security standards, known as XML-Signature Syntax and Processing (XML Signature) and XML Encryption Syntax and Processing (XML Encryption), have been recommended by the World Wide Web Consortium (W3C) and were leveraged as cornerstones of the WS-Security specification. Since these specifications are fundamental to the implementation of many security specifications, including WS-Security, I will discuss them before moving on to WS-Security.
As with HTML, one of the major strengths of XML turns out to be one of its major security weaknesses, namely that the plaintext nature of XML makes it trivial for hackers to interpret messages that they intercept. As I mentioned earlier, the generally accepted method to prevent messages from being intercepted and read involves using a transport-level encryption scheme such as IPSec or SSL, which prevents attackers from being able to read message data. The drawback of this solution is that a Web service must decrypt the entire message in order to determine what it needs to do with it. In cases in which a service is merely intended to forward the message to a final recipient, a better solution is to encrypt only the critical message elements while leaving unencrypted the SOAP headers that must be accessed during transit. For example, consider the following example of a SOAP message fragment from a credit card transaction:
Rather than being forced to encrypt the entire message transport, much of which might include other information that doesn t need to be secured, you can use the methods specified by the XML Encryption protocol to encrypt only the critical parts of the message, such as the CreditCard element. You might also choose to encrypt the entire Payment element, or even the entire Order or Body element. The following shows an example of the same XML fragment with the CreditCard element encrypted: