XML encryption overview

XML encryption is a security mechanism that assures the data confidentiality of transmitted messages. You can encrypt an entire message or choose to encrypt only certain elements of the message. When a SOAP message is encrypted, only a service that knows the appropriate key can decrypt and read the message.

Encryption is the process of coding clear text to create ciphertext, and decryption is the process of decoding ciphertext to restore the clear text. Complete message confidentiality is achieved when information at rest and in transit cannot be accessed by unauthorized parties. When information is at rest, such as in a database, a strong access control policy can be used for confidentiality. When information is in transit, you can use a secured transport channel (such as HTTPS) for communication. Alternatively, you can encrypt a message (or parts of the message) so that the message is indecipherable even in transit from one secure endpoint to another.

The XML Encryption Syntax and Processing specification defines a process for encrypting data and representing the result in XML. The data can be arbitrary data (including an XML document), an XML element, or XML element content. When data is encrypted, the result is an EncryptedData element, which either contains or references the cipher data.

There are two types of encryption: symmetric key encryption and asymmetric (public) key encryption. These two types of encryption can also be used with each other. Symmetric key encryption uses the same key to encrypt and decrypt a message. The key is a secret key because it is kept (as a shared secret) between the two involved organizations (the sender and receiver). Symmetric key encryption is often much faster than asymmetric encryption because asymmetric encryption is more computationally intensive. Symmetric encryption is secure if you control both endpoints, trust the partners to whom you give the key, and securely distribute the key to those partners.

Asymmetric (public) key encryption uses two different (but easily distributable) keys for encryption and decryption: a private key (which is known only to its owner) and a public key (which the owner makes available to their partners). The private and public keys are mathematically linked in an X.509 digital certificate. In addition to providing data confidentiality through encryption, you can use the certificate public key to verify digital signatures that are created by the message sender.

The public key is used to encrypt a message to ensure that only the person with the corresponding private key can decrypt the message. Or, the message can be encrypted with the private key and then decrypted with the public key.

B2B Advanced Communications supports both symmetric and asymmetric encryption. For symmetric encryption, both you and your partner share a secret key outside the SOAP message communication. Then, your partner encrypts a message with this key and B2B Advanced Communications decrypts the message with the same shared key. With asymmetric encryption, your partner uses the public key (of an X.509 certificate) to encrypt a message and then, since you are the owner of the private key (of that X.509 certificate), B2B Advanced Communications can decrypt the message.
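The following added example (not code from the product or its documentation) inspects a received message and reports, for each EncryptedData element, what was encrypted, whether the cipher data is contained or referenced, and whether the content key travels with the message wrapped by an asymmetric algorithm or must already be shared. The sample message and the function name are constructed for illustration; only a key carried inline in the element's KeyInfo is checked, so a key carried elsewhere in the message is reported as out-of-band.

```python
import xml.etree.ElementTree as ET

NS = {"xenc": "http://www.w3.org/2001/04/xmlenc#",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a SOAP body whose payload element was replaced by
# EncryptedData. The base64 values are placeholders, not real ciphertext.
SAMPLE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2009/xmlenc11#aes256-gcm"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <xenc:EncryptedKey>
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
          <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
        </xenc:EncryptedKey>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>U0FNUExF</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""


def describe_encrypted_data(xml_text):
    """Return one summary dict per EncryptedData element in xml_text."""
    found = []
    for ed in ET.fromstring(xml_text).iter("{%s}EncryptedData" % NS["xenc"]):
        method = ed.find("xenc:EncryptionMethod", NS)
        # CipherData either contains the bytes (CipherValue) or points to them.
        if ed.find("xenc:CipherData/xenc:CipherValue", NS) is not None:
            location = "embedded"
        elif ed.find("xenc:CipherData/xenc:CipherReference", NS) is not None:
            location = "referenced"
        else:
            location = "missing"
        # Assumption: only an EncryptedKey inline in this element's KeyInfo is
        # treated as a wrapped key; anything else is reported as out-of-band.
        wrapped = ed.find("ds:KeyInfo/xenc:EncryptedKey/xenc:EncryptionMethod", NS)
        found.append({
            "scope": ed.get("Type", "").rpartition("#")[2] or "unspecified",
            "content_alg": method.get("Algorithm") if method is not None else None,
            "cipher_data": location,
            "key_delivery": "wrapped" if wrapped is not None else "out-of-band",
            "key_alg": wrapped.get("Algorithm") if wrapped is not None else None,
        })
    return found


if __name__ == "__main__":
    print(describe_encrypted_data(SAMPLE))
```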

When you use digital certificates, if the certificate has a private key, B2B Advanced Communications validates that the public and private keys match: it encrypts data with the public key and then ensures that the data can be decrypted with the private key.