Comparison of Transport-Layer Security and Message-Layer Security

Transport-layer security protects the communication between the communication partners by encrypting the data transmitted over the network. In addition to confidentiality, it can provide data integrity and authentication. Transport-layer security typically uses digital signatures, PKI certificates, and secure hash functions to prevent messages from being disguised or forged, passwords from being stolen, and transactions from being repudiated.

In an environment that consists of several hops, the connection of each hop has to be considered separately in terms of transport-layer security:

Figure 1. Connections Between Web Service Requester and Web Service Provider

As shown in Figure 1, the connections between the hops might use different transport-layer security methods (or, for some connections, no transport security at all). Transport-layer security does not span multiple hops, so an intermediate hop might be able to read the message. To achieve end-to-end security, you must therefore use message-layer security. With message-layer security, the message itself is protected, and that protection is not lost when the message is sent over multiple hops.

Transport-layer security can be implemented using any of the industry-standard protocols, such as:
  • SSL/TLS (Secure Sockets Layer/Transport Layer Security), which is used by HTTPS.
  • VPN/IPsec (which is transparent to applications).

Message-layer security includes security-related information in the SOAP message (or more specifically, within the SOAP header).
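The following is an added example, not code from the original page or from any product it describes. It simulates the multi-hop path of Figure 1 (requester, intermediary, provider) and illustrates both points above: per-hop transport security leaves the message readable and modifiable at the intermediary, whereas message-layer security carried in the SOAP header lets the provider detect a change made at an intermediate hop. The SOAP envelope layout, the `Signature` header element, the HMAC key and the order text are all constructed for this illustration; real WS-Security uses XML Signature over canonicalised XML with X.509 certificates rather than a shared HMAC key, and message-layer confidentiality (XML Encryption) is not modelled here, only integrity.

```python
"""Added example: requester -> intermediary -> provider for a SOAP message.
Per-hop transport protection is modelled by the fact that each hop endpoint
(here the intermediary) sees and can rewrite the message in clear; message-
layer protection is modelled by an HMAC over the SOAP Body placed in the SOAP
Header. Names, key and order text are constructed, not from any product."""
import hashlib
import hmac
from xml.etree import ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ET.register_namespace("soap", SOAP_NS)

# Constructed secret shared by requester and provider only; the intermediary
# never holds it (stand-in for the requester's signing certificate).
END_TO_END_KEY = b"constructed-requester-provider-key"


def build_envelope(order_text: str) -> ET.Element:
    """Build a minimal SOAP envelope whose Body carries one Order element."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, "Order").text = order_text
    return env


def body_digest(env: ET.Element, key: bytes) -> str:
    """HMAC-SHA256 over the serialised Body (stand-in for an XML Signature)."""
    body = env.find(f"{{{SOAP_NS}}}Body")
    return hmac.new(key, ET.tostring(body), hashlib.sha256).hexdigest()


def sign_message(env: ET.Element, key: bytes) -> None:
    """Message-layer security: put the Body's signature into the SOAP Header."""
    header = env.find(f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, "Signature").text = body_digest(env, key)


def intermediary(wire: bytes, tamper: bool) -> bytes:
    """A hop that terminates its incoming transport connection. Because the
    transport protection ends here, it sees the whole message in clear and,
    if tamper is set, rewrites the order before forwarding it over the next
    (again transport-secured) connection."""
    env = ET.fromstring(wire)
    if tamper:
        env.find(f"{{{SOAP_NS}}}Body/Order").text = "ship 1000 units elsewhere"
    return ET.tostring(env)


def provider_accepts(wire: bytes, key: bytes) -> bool:
    """Provider check: without a Header signature the provider can only trust
    its own transport hop; with one, the Body must still match the signature."""
    env = ET.fromstring(wire)
    sig = env.find(f"{{{SOAP_NS}}}Header/Signature")
    if sig is None:
        return True  # transport-only: nothing end to end to verify
    return hmac.compare_digest(sig.text, body_digest(env, key))


def run(message_layer: bool, tamper: bool) -> bool:
    """Send one order across both hops; return whether the provider accepts
    what arrives. Returns True for a tampered order when only transport-layer
    security is used, False once the Body is signed at message layer."""
    env = build_envelope("ship 10 units to customer")
    if message_layer:
        sign_message(env, END_TO_END_KEY)
    wire = ET.tostring(env)                # requester -> intermediary hop
    wire = intermediary(wire, tamper)      # intermediary -> provider hop
    return provider_accepts(wire, END_TO_END_KEY)


if __name__ == "__main__":
    print("transport-layer only, tampered order accepted:", run(False, True))
    print("message-layer signature, tampered order accepted:", run(True, True))
    print("message-layer signature, untouched order accepted:", run(True, False))
```

The intermediary in this model stands for any hop at which a transport connection terminates (a reverse proxy, an enterprise service bus, a gateway): transport-layer security protects only the wire on either side of it, so the provider has no way to tell whether the Body it receives is what the requester sent unless the message itself carries a verifiable signature. In production the signed part is selected and canonicalised under XML Signature rules, because the same XML can be serialised in several byte-for-byte different forms, a detail this HMAC stand-in avoids by re-serialising with a single library.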