Message Security Standards
Over the last decade, a number of different standards for message protection have been developed. PKCS#7, PEM (Privacy Enhanced Mail), PGP (Pretty Good Privacy) and its variants, MOSS (MIME Object Security Services), different versions of S/MIME, XML Signature and XML Encryption are among the better known ones. However, not all of these enjoy the same level of adoption or have the same capabilities. In fact, some of these now have only historical significance. Others have been adopted in niche areas. We have already seen PKCS#7 used for storing certificate chains and certificate revocation lists in the chapter PKI with Java. PGP is widely used among non-business users to protect e-mail messages. S/MIME is supported in commercial products like MS-Outlook. XML-based security standards, such as XML Signature and XML Encryption, are somewhat new but offer significant flexibility and are likely to be widely adopted by XML-based applications.
In this chapter, we focus on XML Signature and XML Encryption. To that end, we not only discuss these specifications but also look at a couple of Java libraries that implement them. Later on, in Chapter 11, Web Service Security, we use these to secure messages exchanged in Web service interactions.
You may wonder: If securing a message involves well-understood technologies such as digital signature and encryption, why do we need additional standards? This is a valid question and needs some explanation. Just applying digital signature and/or encryption to a message and handing it over to a recipient doesn't allow the recipient to decrypt the message and/or verify the signature. Additional information is needed regarding algorithms, keys, the order in which the cryptographic operations are applied, and the layout of various pieces of data. It is the job of message security standards to specify these details. In fact, even these standards alone may not be adequate for application-level security, for they do not address the issues related to the message exchange protocol.
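The point about additional information can be seen with the plain JCA Signature API. The following is an added example, not code from the book: the class name, the SignedMessage envelope, the allowed-algorithm set and the sample message are assumptions made for illustration. It shows a valid signature failing to verify when the recipient has to guess the algorithm or the byte layout, and succeeding once that information travels with the message.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Set;

public class BareSignatureDemo {
    // Hypothetical envelope: the metadata a message security standard would carry.
    static final class SignedMessage {
        final String algorithm; final byte[] payload; final byte[] signature;
        SignedMessage(String a, byte[] p, byte[] s) { algorithm = a; payload = p; signature = s; }
    }
    // Receiver policy (assumed): only accept algorithms it explicitly allows.
    static final Set<String> ALLOWED = Set.of("SHA256withRSA");

    static byte[] sign(String alg, PrivateKey key, byte[] data) throws GeneralSecurityException {
        Signature s = Signature.getInstance(alg);
        s.initSign(key);
        s.update(data);
        return s.sign();
    }

    static boolean verify(String alg, PublicKey key, byte[] data, byte[] sig)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance(alg);
        s.initVerify(key);
        s.update(data);
        try { return s.verify(sig); } catch (SignatureException e) { return false; }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();           // throwaway key, generated for the demo
        String text = "<order id=\"42\"/>";           // constructed sample message
        byte[] payload = text.getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign("SHA256withRSA", kp.getPrivate(), payload);

        // Bare bytes: the receiver has to guess the algorithm and the byte layout.
        System.out.println("wrong algorithm guess: "
                + verify("SHA1withRSA", kp.getPublic(), payload, sig));
        System.out.println("same text, UTF-16 bytes: "
                + verify("SHA256withRSA", kp.getPublic(), text.getBytes(StandardCharsets.UTF_16), sig));

        // Envelope: the algorithm travels with the message and is checked against policy.
        // The public key is still obtained out of band (e.g. a validated certificate).
        SignedMessage m = new SignedMessage("SHA256withRSA", payload, sig);
        boolean ok = ALLOWED.contains(m.algorithm)
                && verify(m.algorithm, kp.getPublic(), m.payload, m.signature);
        System.out.println("envelope with declared algorithm: " + ok);
    }
}
```

The declared algorithm is attacker-influenced input, which is why the sketch checks it against a receiver-side allow list instead of trusting whatever the message says.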