W3C Proposes XML Encryption, Decryption Specs

With security as a major barrier to the widespread adoption of Web services, the World Wide Web Consortium (W3C) Tuesday
recommended two specifications for an XML-based approach for securing XML
data in a document which will be used by organizations who build Web
services to help safeguard their payloads.

The XML Encryption Syntax and Processing specification and the Decryption Transform for XML Signature have been proposed as W3C Recommendations, which means that they are solid, contribute to Web interoperability, and have been reviewed by the W3C, who would like to see it adopted.

Encryption is the process of rendering sensitive information so
that it is only readable by intended recipients after it has been decrypted.
Such data is mathematically encrypted it in a way that makes it unreadable
to anyone except those possessing the key, or method, to decrypt it.

By extension, XML encryption is important because, although there are
technologies that allow people to secure a data object or messaging session,
only W3C XML Signature, when paired with the W3C XML Encryption
Recommendation, permits users to sign and encrypt portions of
XML data.

Joe Reagle, chairman of the W3C XML Encryption Working Group, which presides over the spec, provided the following usage scenarios for the encryption spec. “A
user of a Web services protocol such as SOAP may want to encrypt the payload
part of the XML message but not the information necessary to route the
payload to its recipient. Or, an XForms application might require that the
payment authorization being digitally signed, and the actual payment method,
such as a credit card number, be encrypted.”

Reagle, who has overseen several working drafts since his group began the encryption project in January 2001, said pairing XML Signature with the XML Encryption Recommendation was the trickiest part.

“It’s like peeling the layers of an onion,” Reagle internetnews.com. “You have to roll it back to the form in which it was signed and be careful not to break the signatures. Getting those two to work together as a fast, open-source implementation was the challenge.”

To be sure, W3C said certain applications and specifications are already
utilizing XML Encryption, as shown in the Implementation and
Interoperability Report filed by the W3C XML Encryption Working Group. The
actions are predicated on logic that is forward-looking, according to
research from XML and Web services research firm ZapThink, which estimates the market for
Web services security may hit $4.4 billion in the U.S. by 2006.

“Web Services offer great potential for business-to-business communication
and integration,” said Jason Bloomberg, senior analyst at ZapThink. “But the
lack of robust security and management solutions currently inhibit the
ability for companies to conduct business with each other via Web Services
over the Internet. You can’t just buy a little security. You have to cover
all the bases to be secure.”

Bloomberg told internetnews.com the XML Encryption standard is one of the “lynchpins of XML and Web Services security.”

“It has taken some time to get to this point because XML-Encryption has some complicated and tricky issues, including XML Canonicalization (standard whitespace and tag ordering rules) as well as tag-level security,” Bloomberg explained. “Recommending this standard removes a critical roadblock to the adoption of Web Services security, and hence to Web Services in general.”

Representatives from IBM and Microsoft, giants who largely agree on Web services standards, gave the W3C plays their good graces.

Kelvin Lawrence, Distinguished Engineer and CTO of Dynamic e-business Technology at IBM applauded the recommendations.

“XML Encryption is a key foundation technology and a crucial component of the Web services security stack,” Lawrence said. “Combining XML Encryption with XML Digital Signature provides customers with a strong, base security technology they can build upon and incorporate into their Web services applications.”

“XML Encryption is a strong complement to the XML Signatures Recommendation released earlier this year, as well as other security-related specs under development, such as WS-Security,” said David Treadwell, General Manager, .NET Developer Platform. “Microsoft is fully committed to driving and implementing interoperable standards for security on the Web and will support XML Encryption in the Microsoft .NET Framework.”

Meanwhile, the “Decryption Transform for XML Signature” recommendation
permits one to use encryption with XML Signature. A usage scenario for this
revolves around a feature in XML Signature that checks to see if a document
has been altered.

The W3C said that while most applications require the ability to sign an XML
document and then encrypt parts of it, and thus altering the document,
Decryption Transform lets the receiver know which portions of the document
to decrypt, restoring the document to its unaltered state, before it can
check the signature.

XML Encryption was developed by the W3C XML Encryption Working Group,
consisting of individuals and W3C members from Baltimore Technologies; BEA
Systems; DataPower; IBM; Microsoft; Motorola; University of Siegen; Sun
Microsystems; and VeriSign.

News Around the Web