Secure Data Transmission EDI-INT AS1, AS2, AS3 Kevin Grant.

Slides:



Advertisements
Similar presentations
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Advertisements

Public Key Infrastructure A Quick Look Inside PKI Technology Investigation Center 3/27/2002.
Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Taking the Mystery Out of AS2 Kim Zajehowski Aurora Technologies, Inc. AS2 Certificates SMIME/MIME MDNs Encryption Signing.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
6/1/20151 Digital Signature and Public Key Infrastructure Course:COSC Instructor:Professor Anvari Student ID: Name:Xin Wen Date:11/25/00.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Lecture III : Communication Security, Services & Mechanisms Internet Security: Principles & Practices John K. Zao, PhD SMIEEE National Chiao-Tung University.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
March 23, 2004 Joseph Conron Internet Commerce Corp
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Presented by Xiaoping Yu Cryptography and PKI Cosc 513 Operating System Presentation Presented to Dr. Mort Anvari.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Information Security. Information Security Requirements Confidentiality: Protection from disclosure to unauthorised persons Access control: Unauthorised.
Overview of Digital Signatures Introduction To Networks and Communications (CS 555) Presented by Bharath Kongara.
Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.
INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.
COEN 351 Non-Repudiation. A non-repudiation service provides assurance of the origin or delivery of data in order to protect the sender against false.
Secure Systems Research Group - FAU Patterns for Digital Signature using hashing Presented by Keiko Hashizume.
Security using Encryption Security Features Message Origin Authentication - verifying that the sender is who he or she says they are Content Integrity.
Cryptography 101 Frank Hecker
CSCI 6962: Server-side Design and Programming
1 Cryptography Cryptography is a collection of mathematical techniques to ensure confidentiality of information Cryptography is a collection of mathematical.
How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/ OK.
Electronic Mail Security
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
AQA Computing A2 © Nelson Thornes 2009 Section Unit 3 Section 6.4: Internet Security Digital Signatures and Certificates.
CIS 1310 – HTML & CSS 12 E-Commerce Overview. CIS 1310 – HTML & CSS Learning Outcomes  Define E-commerce  Identify Benefits & Risks of E-Commerce 
Secure Electronic Transaction (SET)
Security Keys, Signatures, Encryption. Slides by Jyrki Nummenmaa ‘
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Cryptography, Authentication and Digital Signatures
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.
CSCD 218 : DATA COMMUNICATIONS AND NETWORKING 1
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Chapter 16 Security Introduction to CS 1 st Semester, 2012 Sanghyun Park.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Slide 1 © 2004 Reactivity The Gap Between Reliability and Security Eric Gravengaard Reactivity.
Cryptography (2) University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
AUCKLAND CODE CAMP 2008 Date: Sunday, 31 August 2008 Time: 9:00a.m.— 6:00p.m. Venue: Crowne Plaza Hotel Thinking in WPF Silverlight for developers WCF.
ELECTROINC COMMERCE TOOLS Chapter 6. Outline 6.0 Introduction 6.1 PUBLIC KEY INFRASTRUCTURE (PKI) AND CERTIFICATE AUTHORITIES (CAs) TRUST
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.
COEN 351 Non-Repudiation. A non-repudiation service provides assurance of the origin or delivery of data in order to protect the sender against false.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Digital Signatures, Message Digest and Authentication Week-9.
1 CMPT 471 Networking II Authentication and Encryption © Janice Regan,
Electronic Mail Security Prepared by Dr. Lamiaa Elshenawy
Network Security Celia Li Computer Science and Engineering York University.
Security SMIME IT352 | Network Security |Najwa AlGhamdi 1.
Copyright 2004 MayneStay Consulting Group Ltd. - All Rights Reserved Jan-041 Security using Encryption Security Features Message Origin Authentication.
April 20023CSG11 Electronic Commerce Authentication John Wordsworth Department of Computer Science The University of Reading Room.
Cryptographic Security Aveek Chakraborty CS5204 – Operating Systems1.
Secure Sockets Layer (SSL)
K E Y Plain text Cipher text Encryption Decryption
S/MIME T ANANDHAN.
Pooja programmer,cse department
ELECTRONIC MAIL SECURITY
ELECTRONIC MAIL SECURITY
Lecture 4 - Cryptography
The Secure Sockets Layer (SSL) Protocol
Electronic Payment Security Technologies
Presentation transcript:

Secure Data Transmission EDI-INT AS1, AS2, AS3 Kevin Grant

Goals of this Presentation Understanding Security Mechanisms Understanding Applicability Statements –MDNs –Secure Transmission Loop –AS1, AS2, AS3 Product Certification

AS1/AS2/AS3 Standards Applicability Statements 1 (AS1), 2 (AS2), & 3 (AS3) are the current specifications developed by EDI-INT for transporting data via the Internet. AS Standards specify how to exchange data, not how to process data. –AS1 defines how to perform secure file transfers via SMTP –AS2 defines how to perform secure file transfers via HTTP –AS3 defines how to perform secure file transfers via FTP Specify Security Services over a Specific Communication protocol with the introduction of Message Disposition Notifications (MDNs) to complete the Secure Transmission Loop

AS1/AS2/AS3 Options Encrypted or not encrypted Signed or unsigned Receipt or no receipt Receipt signed, or not signed

AS1/AS2/AS3 Message Flow Outgoing Message SMTP/ HTTP/ FTP Recipient Signed MDN back to sender with hash Message Encrypted with Recipient’s Public Key Signature/Hash Applied and Encrypted with Sender’s Private Key Signature/hash Decrypted with Sender’s Public Key Message Decrypted with Recipient’s Private Key Document hash is computed Computed hash compared with transmitted hash Incoming Message Validated

Security Mechanisms Three basic building blocks are used: Encryption is used to provide confidentiality, can provide authentication and integrity protection Hash algorithms are used to provide integrity protection, can provide authentication Digital signatures are used to provide authentication, integrity protection, and non- repudiation One or more security mechanisms are combined to provide a security service

Security Protocol A typical security protocol provides one or more services Services are built from mechanisms Mechanisms are implemented using algorithms

Hash Functions Hashing is the transformation of a string of characters into a shorter fixed-length value or key that represents the original string. It is used to index and retrieve items in a database because it is faster to find the item using the shorter hashed key than to find it using the original value.

Hash Functions It is also used in many encryption algorithms. –Creates a unique “fingerprint” or message digest. –Anyone can alter the data and calculate a new hash value –Message digest has to be protected in some way

Public-key Encryption Uses matched public/private key pairs (Asymmetric) Anyone can encrypt with the public key, only one person can decrypt with the private key

Cryptography – Digital Signatures Here’s where the public-key algorithm and the hashing algorithm work together:

Certificates A certificate is a public key that has been digitally signed by a trusted third party –Certificate Authority (CA). A Certification Authority (CA) guarantees a public key’s authenticity

MDNs (Message Disposition Notifications) Document acknowledgment –Non-repudiation of delivery (confirms the document WAS received and by whom) –Confirms that the recipient was able to decrypt –Gives a status message, as appropriate Contains the receiver’s computed hash for comparison against the one originally sent with the message MDN may be signed by the recipient of the original message Defined by your trading partner (optional)

MDN Request Headers The MDN is requested by the “Disposition- Notification-To” field found in the message header: From: AS2-Version: 1.1 AS2-From: AS2SENDER AS2-To: AS2RECEIVER Subject: G1 Test Case Message-Id: Disposition-Notification-To: Receipt-Delivery-Option: Disposition-Notification-Options: signed-receipt- protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: multipart/signed; boundary="as2BouNdary1as2"; protocol="application/pkcs7-signature"; micalg=sha1

MDN Request Headers The “Receipt-Delivery-Option” field is used to request MDNs in an asynchronous manner. If this field is not present, the MDN is returning via the active HTTP session (AS2): From: AS2-Version: 1.1 AS2-From: AS2SENDER AS2-To: AS2RECEIVER Subject: G1 Test Case Message-Id: Disposition-Notification-To: Receipt-Delivery-Option: Disposition-Notification-Options: signed-receipt- protocol=optional,pkcs7-signature; signed-receipt-micalg=optional,sha1 Content-Type: multipart/signed; boundary="as2BouNdary1as2"; protocol="application/pkcs7-signature"; micalg=sha1

MDN Request Headers The “Disposition-Notification-Options” field determines whether the MDN is to be signed and identifies the preferred hash algorithm (SHA-1 or MD5): From: AS2-Version: 1.1 AS2-From: AS2SENDER AS2-To: AS2RECEIVER Subject: G1 Test Case Message-Id: Disposition-Notification-To: Receipt-Delivery-Option: Disposition-Notification-Options: signed-receipt- protocol=optional,pkcs7-signature; signed-receipt- micalg=optional,sha1 Content-Type: multipart/signed; boundary="as2BouNdary1as2"; protocol="application/pkcs7-signature"; micalg=sha1

The “Secure Transmission Loop” (STL) The originator sends a signed and encrypted document with a request for a signed receipt. The recipient decrypts the document, verifies the signature, and returns a signed receipt to the sender.

The “STL” In More Detail Sender signs and encrypts the data using S/MIME and sends requesting a signed receipt. Receiver decrypts the message and verifies the signature, resulting in verified integrity of the data and authenticity of the sender. The receiving organization returns a signed receipt (message disposition notification). This signed receipt contains the hash of the message from the received message, so sender knows message was verified and/or decrypted properly.

Receiving via AS1/AS2/AS3 (Inbound Documents) 1.Signed/encrypted document is received 2.Document is decrypted (using receiver’s private key) and hash is computed 3.Digital signature is checked to validate sender 4.Transmitted hash is decrypted (using sender’s public key) and compared to the “computed” hash 5.If the hashes are the same, the document is identical to the one transmitted 6.MDN is sent to confirm message status

Sending via AS1/AS2/AS3 (Outbound Documents) 1.Document is encrypted (using receiver’s public key) and hash is computed 2.Hash is encrypted (using sender’s private key) and attached to the digital signature block (which may or may not be encrypted) 3.Message (document + signature) is transmitted 4.Partner receives message and attempts to decrypt and validate 5.MDN is received confirming message status

AS1/AS2/AS3 Message Flow Outgoing Message SMTP/ HTTP/ FTP Recipient Signed MDN back to sender with hash Message Encrypted with Recipient’s Public Key Signature/Hash Applied and Encrypted with Sender’s Private Key Signature/hash Decrypted with Sender’s Public Key Message Decrypted with Recipient’s Private Key Document hash is computed Computed hash compared with transmitted hash Incoming Message Validated

AS1 - Sample Received: from gw.somecompany.com (gw.somecompany.com [ ]) by mail.softshare.com (8.9.1/8.9.1) with ESMTP id RAA29018 for ; Wed, 25 Feb :56: (PST) Message-ID: Date: Thu, 26 Feb :56:11 GMT Subject: 850:ORDERNO From: To: Disposition-Notification-To: Disposition-Notification-Options: signed-receipt- protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, sha1, md5 Content-Type: application/pkcs7-mime; smime-type=enveloped- data; name=smime.p7m Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename=smime.p7m

AS2 - Sample POST /invoke/wm.EDIINT/receive HTTP/1.0 Host: :80 User-Agent: AS2 Company Server Date: Wed, 31 Jul :34:50 GMT From: AS2-Version: 1.1 AS2-From: "\" as2Name \"" AS2-To: Subject: G1 Test Case Message-Id: Disposition-Notification-To: Disposition-Notification-Options: signed-receipt- protocol=optional,pkcs7-signature; signed-receipt- micalg=optional,sha1 Content-Type: multipart/signed; boundary="as2BouNdary1as2"; protocol="application/pkcs7-signature"; micalg=sha1 Content-Length: 2464

AS3 - Sample Date: Wed, 31 Jul :34:50 GMT AS3-Version: 1.0 AS3-From: cyclone AS3-To: "trading partner" Message-Id: Disposition-Notification-To: ftp://host:port/mdnbox Disposition-Notification-Options: signed-receipt- protocol=optional,pkcs7-signature; signed-receipt- micalg=optional,sha1 Content-Type: multipart/signed; boundary="as3BouNdary1as3"; protocol="application/pkcs7-signature"; micalg=sha1 Content-Length: as3BouNdary1as3 Content-Type: application/edi-x12 Content-Disposition: Attachment; filename=rfc1767.dat [ISA...EDI transaction data...IEA...] --as3BouNdary1as3 Content-Type: application/pkcs7-signature [omitted binary pkcs7 signature data] --as3BouNdary1as3

AS2 Certification All ‘standards’ created equal? Based on clear public specifications that enjoy wide usage because of this Certifying commonly-used and well- documented standards causes time delays in implementation and adds unnecessary costs to the end product

Drummond Certification Founded in 1999 Drummond Group Inc. (DGI) is a privately held company that conducts interoperability and conformance testing DGI’s role is to administer the test

Open AS2 The OpenAS2 project is a collaborative effort to develop an open source application that implements the EDIINT AS2 Standard Self-paced, performed in-house, and the project itself does not profit from the testing process

Questions?