Secure Data Transmission: EDI-INT AS1, AS2, AS3
Kevin Grant

Goals of this Presentation
- Understanding security mechanisms
- Understanding Applicability Statements
- MDNs
- The Secure Transmission Loop
- AS1, AS2, AS3 product certification

AS1/AS2/AS3 Standards
- Applicability Statements 1 (AS1), 2 (AS2), and 3 (AS3) are the current specifications developed by EDI-INT for transporting data via the Internet.
- AS standards specify how to exchange data, not how to process data.
- AS1 defines how to perform secure file transfers via SMTP.
- AS2 defines how to perform secure file transfers via HTTP.
- AS3 defines how to perform secure file transfers via FTP.
- Each specifies security services over a specific communication protocol, with the introduction of Message Disposition Notifications (MDNs) to complete the Secure Transmission Loop.

AS1/AS2/AS3 Options
- Encrypted or not encrypted
- Signed or unsigned
- Receipt or no receipt
- Receipt signed or not signed

AS1/AS2/AS3 Message Flow
- Outgoing message: the document hash is computed and sent with the message.
- Incoming message: the receiver's computed hash is compared with the transmitted hash, and the incoming message is validated.

Security Mechanisms
Three basic building blocks are used:
- Encryption provides confidentiality; it can also provide authentication and integrity protection.
- Hash algorithms provide integrity protection; they can also provide authentication.
- Digital signatures provide authentication, integrity protection, and non-repudiation.
One or more security mechanisms are combined to provide a security service.

Security Protocol
- A typical security protocol provides one or more services.
- Services are built from mechanisms.
- Mechanisms are implemented using algorithms.

Hash Functions
- Hashing is the transformation of a string of characters into a shorter, fixed-length value or key that represents the original string.
- It is used to index and retrieve items in a database, because it is faster to find an item using the shorter hashed key than using the original value.
- It is also used in many encryption algorithms.
- It creates a unique "fingerprint" or message digest.
- Anyone can alter the data and calculate a new hash value, so the message digest has to be protected in some way.

Public-key Encryption
- Uses matched public/private key pairs (asymmetric).
- Anyone can encrypt with the public key; only one person can decrypt with the private key.

Cryptography: Digital Signatures
Here's where the public-key algorithm and the hashing algorithm work together.

Certificates
- A certificate is a public key that has been digitally signed by a trusted third party, a Certificate Authority (CA).
- A Certification Authority (CA) guarantees a public key's authenticity.

MDNs (Message Disposition Notifications)
- Document acknowledgment.
- Non-repudiation of delivery (confirms the document WAS received, and by whom).
- Confirms that the recipient was able to decrypt.
- Gives a status message, as appropriate.
- Contains the receiver's computed hash for comparison against the one originally sent with the message.
- The MDN may be signed by the recipient of the original message.
- Defined by your trading partner (optional).

MDN Request Headers
The MDN is requested by the "Disposition-Notification-To" field found in the message header:

From: mrAS2@as2.com
AS2-Version: 1.1
AS2-From: AS2SENDER
AS2-To: AS2RECEIVER
Subject: G1 Test Case
Message-Id:
Disposition-Notification-To: mrAS2@as2.com
Receipt-Delivery-Option: mailto:AS2@as2.com
Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1
Content-Type: multipart/signed; boundary="as2BouNdary1as2"; protocol="application/pkcs7-signature"; micalg=sha1

The "Receipt-Delivery-Option" field is used to request MDNs in an asynchronous manner. If this field is not present, the MDN is returned via the active HTTP session (AS2).

The "Disposition-Notification-Options" field determines whether the MDN is to be signed and identifies the preferred hash algorithm (SHA-1 or MD5).

The "Secure Transmission Loop" (STL)
- The originator sends a signed and encrypted document with a request for a signed receipt.
- The recipient decrypts the docum
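The "Hash Functions" and "Digital Signatures" slides above say that a bare digest can be recomputed by anyone who alters the data, and that the public-key algorithm and the hash algorithm work together to protect it. The following is an added example, not code from the presentation or from any AS2 product: it uses textbook RSA (no padding, keys generated at run time) purely to show the mechanism, with SHA-1 as the digest because that is the micalg on the slides. The sample EDI fragment, the key size, and the function names are all constructed for this illustration; real AS implementations use PKCS#7/S-MIME signatures with padded RSA and CA-issued certificates.

```python
"""Added example (not from the presentation): digest alone vs. digest plus
RSA signature. Textbook RSA without padding, for illustration only."""
import hashlib
import random


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd number of exactly `bits` bits that passes Miller-Rabin."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public, private) = ((n, e), (n, d)) for textbook RSA (constructed toy)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this is gcd(e, phi) == 1
            return (n, e), (n, pow(e, -1, phi))


def digest(data: bytes) -> int:
    """SHA-1 message digest as an integer (the slides' micalg)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def sign(private, data: bytes) -> int:
    """Sign the digest, not the whole document: sig = H(m)^d mod n."""
    n, d = private
    return pow(digest(data), d, n)


def verify(public, data: bytes, sig: int) -> bool:
    """Recompute H(m) and check that sig^e mod n equals it."""
    n, e = public
    return pow(sig, e, n) == digest(data)


def unprotected_check(data: bytes, transmitted_digest: int) -> bool:
    """What a receiver can do when the digest travels unprotected beside the data."""
    return digest(data) == transmitted_digest


def demo_signature() -> dict:
    """Tamper with a constructed EDI fragment; compare both integrity checks."""
    random.seed(1)                            # reproducible toy keys
    public, private = generate_keypair()
    doc = b"ST*850*0001~PO1*1*100*EA*9.50~SE*3*0001~"   # constructed sample
    sig = sign(private, doc)
    tampered = doc.replace(b"100", b"900")   # quantity changed in transit
    return {
        "original_verifies": verify(public, doc, sig),
        # The forger cannot produce a new signature without d.
        "tampered_verifies": verify(public, tampered, sig),
        # But the forger can recompute a bare digest, so the check passes.
        "unprotected_digest_fooled": unprotected_check(tampered, digest(tampered)),
    }


if __name__ == "__main__":
    print(demo_signature())
```

The point of `unprotected_digest_fooled` is the slide's warning in code: a digest sent alongside the data proves nothing about who produced it, which is why AS1/AS2/AS3 wrap the digest in a signature (and why the MDN's returned hash is itself signed when a signed receipt is requested).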
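The "MDN Request Headers" slides list which header fields decide whether an MDN is requested, whether it comes back synchronously or asynchronously, whether it must be signed, and which digest algorithm is preferred; the Message Flow and MDN slides describe comparing the receiver's computed hash with the one the sender computed. This added example (not code from the presentation or any AS2 product) parses a copy of the slides' headers with Python's standard `email` parser and then closes the hash-comparison half of the loop over a constructed payload. Assumptions: the `Message-Id` value is a placeholder because the slides leave it blank; the MIC is computed over the raw payload bytes here, whereas AS2 computes it over the canonicalized MIME body; and the function names are mine.

```python
"""Added example (not from the presentation): interpret the AS2 MDN request
headers and compare sent vs. received message digests."""
import base64
import hashlib
from email.parser import Parser

# Copy of the slides' header example; Message-Id is a constructed placeholder.
SAMPLE_HEADERS = """\
From: mrAS2@as2.com
AS2-Version: 1.1
AS2-From: AS2SENDER
AS2-To: AS2RECEIVER
Subject: G1 Test Case
Message-Id: <placeholder-message-id@example.invalid>
Disposition-Notification-To: mrAS2@as2.com
Receipt-Delivery-Option: mailto:AS2@as2.com
Disposition-Notification-Options: signed-receipt-protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1
Content-Type: multipart/signed; boundary="as2BouNdary1as2"; protocol="application/pkcs7-signature"; micalg=sha1

"""

# Same headers without Receipt-Delivery-Option: the MDN returns on the HTTP session.
SYNC_HEADERS = SAMPLE_HEADERS.replace("Receipt-Delivery-Option: mailto:AS2@as2.com\n", "")

# The two digest algorithms the slides name for the MDN hash.
MIC_ALGORITHMS = {"sha1": hashlib.sha1, "md5": hashlib.md5}


def parse_mdn_request(raw_headers: str) -> dict:
    """Decide what kind of MDN, if any, the sender asked for."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    if msg.get("Disposition-Notification-To") is None:
        return {"requested": False}

    # Disposition-Notification-Options: name=importance,value; name=importance,value
    options = {}
    for item in (msg.get("Disposition-Notification-Options") or "").split(";"):
        if "=" not in item:
            continue
        name, value = item.split("=", 1)
        importance, _, choice = value.partition(",")
        options[name.strip().lower()] = (importance.strip().lower(), choice.strip().lower())

    proto = options.get("signed-receipt-protocol")
    micalg = options.get("signed-receipt-micalg")
    return {
        "requested": True,
        "asynchronous": msg.get("Receipt-Delivery-Option") is not None,
        "delivery": msg.get("Receipt-Delivery-Option"),
        "signed": proto is not None and proto[1] == "pkcs7-signature",
        # "required" means the receiver must refuse if it cannot sign the receipt.
        "signing_required": proto is not None and proto[0] == "required",
        "micalg": micalg[1] if micalg else None,
    }


def compute_mic(content: bytes, micalg: str) -> str:
    """Digest of the content, base64-encoded as the MDN carries it."""
    try:
        h = MIC_ALGORITHMS[micalg.lower()]
    except (KeyError, AttributeError):
        raise ValueError(f"unsupported micalg: {micalg!r}")
    return base64.b64encode(h(content).digest()).decode("ascii")


def secure_transmission_loop(raw_headers: str, document: bytes, delivered: bytes) -> dict:
    """Sender computes the MIC on send; receiver computes it on what arrived and
    reports it in the MDN; sender compares the two to close the loop."""
    request = parse_mdn_request(raw_headers)
    if not request["requested"]:
        return {"mdn": request, "loop_closed": None}   # no receipt, nothing to compare
    sent_mic = compute_mic(document, request["micalg"])
    received_mic = compute_mic(delivered, request["micalg"])   # receiver side
    return {
        "mdn": request,
        "sent_mic": sent_mic,
        "received_mic": received_mic,
        "loop_closed": sent_mic == received_mic,
    }


if __name__ == "__main__":
    payload = b"ISA*00*          *00*          *ZZ*AS2SENDER      *ZZ*AS2RECEIVER"  # constructed
    print(secure_transmission_loop(SAMPLE_HEADERS, payload, payload))
    print(secure_transmission_loop(SAMPLE_HEADERS, payload, payload + b"~"))
```

A mismatch between `sent_mic` and `received_mic` is the signal the slides describe: the receiver got something other than what was sent (or hashed it differently), so the sender should not treat the transmission as complete. Note that `signing_required` is derived from the importance token; the slides show `optional`, meaning a receiver that cannot sign may still return an unsigned MDN.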