As more and more business transactions are conducted electronically, for example using the Internet, techniques for securing this electronic commerce are sought. Some of the security concerns related to electronic commerce are confidentiality of communications, authentication of the communicating entities, and non-repudiation. Confidentiality of communications prevents the disclosure of the content of communication to third parties. Authentication assures that entities are who or what they claim to be. Non-repudiation assures that a client who has requested and received goods and/or services does not later deny requesting and/or receiving the goods and/or services.
Public key infrastructure (PKI) may be used to encrypt a message using a specific encryption algorithm along with a first encryption key and later decrypting the message using the same encryption algorithm with a second encryption key. More particularly, the first encryption key is a private key which is not shared with any parties, and the second encryption key is a public key which is shared with the party to whom the encrypted message is directed. The public and private key are a related pair of numbers or pair of data strings which are chosen so that the following encryption equation is satisfied: Message=PublicKey[PrivateKey(Message)]. The public and private key may be referred to as a public-private encryption key pair. This equation indicates that encrypting the message using the encryption algorithm and the private key and then encrypting this result using the encryption algorithm and the public key results in the original message. It is the nature of the public and private keys that the private key cannot be readily derived from knowledge of the public key. Software applications or programs are available for selecting public and private key pairs. The terms encryption and encryption key as used herein may refer to any of a variety of methods, such as for example private key only encryption and public-private key encryption schemes, for securing messages using techniques presently known or hereafter developed to keep all or some of the message content private.
A digital signature is a block of data created by encrypting using the public key. For example, the digital signature may be created by encrypting a message using the encryption algorithm and the public key. This signature may then be appended to the end of the message and the message plus signature encrypted and sent to the receiver. The receiver decrypts the message plus signature using the same encryption algorithm and the public key, obtaining the message and the signature. The receiver then decrypts the signature using the same encryption algorithm and the public key to obtain a copy of the message. If the message and the copy of the message match, everything is in order. This operation can be represented by the following encryption equations:                Sa=Pva(M): form the digital signature Sa by encrypting the message M with the private key Pva of party A        Ta=Pva(M,Sa): form the transmission Ta by encrypting the concatenation of the message M with the digital signature Sa using the private key Pva of party A        M, Sa=Pba[Ta]=Pba[Pva(M,Sa)]: decrypt the transmission Ta sent by party A by encrypting the transmission Ta with the public key Pba of party A to obtain the message M and the digital signature Sa.        M=Pba(Sa): decrypt the digital signature Sa with the public key Pba of party A. If the equality does not hold, then the transmission Ta was tampered with and may be untrustworthy.This example shows one way in which a digital signature may be created. Other methods of creating a digital signature may be used. For example, a digest of a fixed length may be calculated over an entire message and this digest may be substituted in the place of the message M in the encryption equations above. The use of a digest may provide the needed indication of message integrity, i.e., freedom from tampering, without doubling the length of the message. For longer messages this efficiency may be desirable. The digital signature is unforgeable in that the private key is required to produce the digital signature and the private key is unknown to others.        
A digital certificate provides a secure means for providing an entity's public key. Digital certificates rely on trusted certification authorities (CAs) which receive requests for and issue digital certificates. CAs are trusted because they are bound by legal agreements to create only valid and reliable digital certificates. An X.509 digital certificate includes a version identifier which identifies which version of the X.509 digital certificate standard was employed in creating the digital certificate, and a serial number uniquely identifying the digital certificate within the issuing CA. The certificate also includes a signature algorithm identifier identifying the signature algorithm used by the CA to sign the digital certificate, an issuer name identifying the CA which signed the digital certificate, and a validity period defining for what time period the digital certificate is valid. The certificate also includes a subject name of the entity whose public key is contained in the certificate, a subject public key information identifying the encryption algorithm and the public key of the entity to whom the digital certificate is issued, and the digital signature of the issuing CA. The digital signature of the issuing CA is calculated over the rest of the digital certificate using the public key of the CA. The digital certificate is created by the issuing CA when a qualified requestor requests the digital certificate and provides the necessary information. The CA may retain a list of digital certificates, termed a certificate revocation list (CRL), that it earlier issued but has since revoked.
The Organization for Advancement of Structured Information Standards (OASIS) Web Services Security: SOAP Message Security specification describes enhancements to simple object access protocol (SOAP) messaging to provide for message integrity and confidentiality. This specification is widely supported in various official versions and draft versions by vendors of third party applications which access web services.