Which mechanism does Web Services Security (WSS) use to provide confidentiality?

WSS ensures confidentiality at the message level by encrypting parts of the SOAP message using XML Encryption. This lets sensitive data inside the message be unreadable to anyone who doesn’t hold the correct decryption keys, even as the message travels through intermediaries or is stored. The encryption is applied to specific parts of the SOAP envelope (for example, the Body), and the keys are managed so that only the intended recipient can decrypt and read the content.

This is different from protecting the transport channel itself. Transport-layer security like TLS would encrypt the entire communication channel between two endpoints, but that protection ends at the channel; once the message is delivered or stored elsewhere, confidentiality of the message content isn’t guaranteed. IPsec operates at the network layer, securing packets between hosts, not the actual content of the SOAP message. Encrypting data at rest with AES protects stored data, not data in transit. Therefore, XML Encryption within WSS is the mechanism specifically designed to provide confidentiality within the message itself.