A Comprehensive Presentation to XML Signature and Encryption

A. A. Abd El-Aziz, Research Scholar, Dept. of Information Science & Technology, Anna University. Email: zizoah2003@gmail.com
A. Kannan, Professor, Dept. of Information Science & Technology, Anna University. Email: kannan@annauniv.edu

Abstract—XML has been widely adopted for information exchange across various networks because its flexibility provides a common syntax for messaging systems. XML documents may contain private information that cannot be shared by all user communities. Therefore, XML security is of great importance to the overall security of distributed systems. In this paper, we provide a comprehensive tutorial on the XML security standards. The presented standards include XML signature and XML encryption. We describe how to create and verify an XML signature and how to encrypt and decrypt XML data. This paper should serve as a roadmap for future research and a basis for further exploration of the relevant scientific literature and standard specifications.

Keywords: XML Security, XML Encryption, XML Signature

I. INTRODUCTION

According to the range of the security context, we differentiate between Point-to-Point security and End-to-End security. The former ensures security between two adjacent nodes, and the latter ensures security from the initial sender to the intended final receiver, which is more secure for Web services. SSL provides Point-to-Point security. SSL is not suitable for the transmission modes that future Web services will rely on, such as TCP (Transmission Control Protocol), FTP (File Transfer Protocol), and message formation. SSL can only encrypt the complete message; it offers no choice to encrypt only part of it. It provides confidentiality, authentication, and integrity. On the other hand, XML security is representative of End-to-End security.
XML security is flexible for applications, specifically for Mobile web services that demand more flexible, customizable, and better-optimized security schemes. XML security provides confidentiality (ensuring that only the intended receiver can read the transmitted document and others cannot access or copy the data), integrity (no change to the transmitted document from the source to the final destination), authenticity (determining that a user's claimed identity is genuine), and non-repudiation (the sender cannot disclaim responsibility for sending the document) [3], [8], [13], and [15]. Therefore, the concern for XML security has risen to a significant level, focusing on methods and approaches to secure the XML messages exchanged.

This paper presents the XML security technologies and gives an overview of how they integrate with XML in such a way as to maintain the advantages and capabilities of XML while adding the necessary security capabilities. The rest of the paper is organized as follows: Section 2 presents XML signature. In Section 3, we present XML encryption. Section 4 summarizes the conclusion.

II. XML SIGNATURE

XML signature (called XMLDsig, XML-DSig, or XML-Sig) defines an XML syntax for digital signatures and was defined by the W3C and IETF (The Internet Engineering Task Force) in 2002 [2] to create a highly extensible signature syntax that is tightly integrated with existing XML technologies. An XML signature is a digital signature obtained by applying a digital signature operation to XML resources. XML signature is not limited to signing XML resources, however, as it can also be used to sign binary resources such as a JPEG file. It provides functionality similar to PKCS#7 [7]. Existing technologies allow us to sign only a whole XML document. XML signature, however, provides a means to sign the entire document or parts of a document, and multiple signatures can be written in the same document.
This functionality is very important in a distributed multi-party environment, where the need to sign only a portion of a document arises whenever changes and additions to the document are required. XML signature has been used to solve security problems such as falsification, spoofing, and repudiation by ensuring confidentiality, integrity, authenticity, and non-repudiation.
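The partial-signing capability described above, as an added example that is not from the paper: a simplified XML-Signature-style structure in Python that signs only the element referenced by its Id, using HMAC-SHA256 (one of the signature methods XMLDSig defines) and the standard library's C14N 2.0 canonicalizer. The key and sample document are constructed for the demonstration, and the specification's CanonicalizationMethod, SignatureMethod, DigestMethod, Transforms and KeyInfo elements are omitted.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"          # XMLDSig namespace
KEY = b"constructed-demo-key"                       # constructed HMAC key
# Constructed sample document; only <customer> will be signed.
DOC = '<order><customer Id="cust">Alice</customer><note>hi</note></order>'

def c14n(elem):
    # Canonical bytes (C14N 2.0) so insignificant serialization differences
    # do not change the digest; real XMLDSig names the method in SignedInfo.
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def digest_b64(elem):
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()

def sign_part(doc_xml, part_id):
    """Append a <Signature> that covers only the element with Id=part_id."""
    root = ET.fromstring(doc_xml)
    part = root.find(f".//*[@Id='{part_id}']")
    sig = ET.SubElement(root, f"{{{DS}}}Signature")
    si = ET.SubElement(sig, f"{{{DS}}}SignedInfo")
    ref = ET.SubElement(si, f"{{{DS}}}Reference", URI=f"#{part_id}")
    ET.SubElement(ref, f"{{{DS}}}DigestValue").text = digest_b64(part)
    # The signature is computed over SignedInfo, not over the part directly.
    # HMAC gives integrity and authenticity between key holders only; an
    # asymmetric SignatureMethod is needed for non-repudiation.
    mac = hmac.new(KEY, c14n(si), hashlib.sha256).digest()
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(root, encoding="unicode")

def verify(doc_xml):
    """True only if SignatureValue matches SignedInfo and every referenced
    part still hashes to its recorded DigestValue."""
    root = ET.fromstring(doc_xml)
    sig = root.find(f"{{{DS}}}Signature")
    if sig is None:
        return False
    si = sig.find(f"{{{DS}}}SignedInfo")
    expect = base64.b64decode(sig.findtext(f"{{{DS}}}SignatureValue"))
    mac = hmac.new(KEY, c14n(si), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expect):
        return False
    for ref in si.findall(f"{{{DS}}}Reference"):
        part = root.find(f".//*[@Id='{ref.get('URI')[1:]}']")
        if part is None or digest_b64(part) != ref.findtext(f"{{{DS}}}DigestValue"):
            return False
    return True
```

Editing the unsigned <note> leaves verification intact, while any change to the signed <customer> element breaks the Reference digest and is rejected.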