AS2 Data Communication for Collaborative Commerce


Transforming Your Supply Chain for Extraordinary Times

Presented by: Dave Darnell, eTG Co-Chair, Systrends
T 480-756-6777 x201 | C 602-432-3353 | E Dave.Darnell@systrends.com | W www.systrends.com

Credits/Thanks:
- John Duker, eTG Co-chair, Procter & Gamble
- Timothy Bennett, Drummond Group
- Courtney Marshall, EDI Development, Wal-Mart Stores, Inc.
- Hoyt Kesterson, AZ EC/EDI Roundtable Chair; ITU-T X.509
- Rik Drummond, Chair, IETF-EDIINT; Drummond Group
- Dick Brooks, Chair, GISB/NAESB EDM; ANSI ASC X12

What is AS2?
- A standard which moves data securely between business partners
- It enables fully integrated computer-to-computer data transfer
- It offers:
  - Reliability (99.99%+)
  - Timeliness of data transfer between partners
  - Security

AS2 is a Public Standard
- An Internet Engineering Task Force (IETF) standard: http://www.ietf.org/rfc/rfc4130.txt (other IETF standards include SMTP, FTP and HTTP)
- Endorsed by GS1
- Implemented by 22 software packages tested as interoperable by the Drummond Group: http://www.drummondgroup.com/html-v2/as2-companies.html

AS2 Has Widespread Usage
- Many industry segments:
  - Consumer packaged goods
  - Retail
  - Financial
  - Healthcare companies (including the FDA)
- Required for Global Data Synchronization (GDSN):
  - Data pools
  - GS1 Global Registry
- EPCglobal recommends AS2 for EPC/RFID data exchange via EPCIS

AS2 Is Secure: it ensures "PAIN"
- Privacy: content is hidden from everyone but the intended receiver
- Authentication: the sender's identity is verified
- Integrity: content cannot be altered in transit without detection
- Non-repudiation of receipt: the sender can prove the receiver got the exact content that was sent

How Does AS2 Work?
- AS2 uses public/private key encryption and digital signatures to secure data (PKI)
- AS2 uses HTTP to transport data
- AS2 returns a digitally signed receipt (an "MDN") for each message to confirm successful delivery. The receiver sends an MDN only when the sender asks for one in the message headers, and an unsigned receipt proves nothing about who sent it, so request signed MDNs.

Arizona EC/EDI Roundtable: Avoiding the 800 Lb. Gorilla: Choosing the Right Security Solution for Your Application
Dave Darnell, Dave.Darnell@systrends.com, Systrends

PKI = Public Key Infrastructure
- Encryption
- Digital signature
- Digital certificate (digital ID)
- Certificate authorities
- Certificate revocation lists
- Directory services
Together these deliver the PAIN properties: authentication, integrity, non-repudiation (of origin and of receipt), and privacy/confidentiality.

Private Key (Symmetric) Cryptography (source: Premenos)
- Requires that both parties to a digital conversation know the same key
- The identical key is used for both encryption and decryption
[Diagram: sender encrypts the document with the shared 3DES key; receiver decrypts it with the same key]

Public Key (Asymmetric) Cryptography (source: Premenos)
- No need to communicate a private key in advance
- Each party publishes a public key, which the other uses to encode messages to that party; only the matching private key decodes them
[Diagram: sender encrypts with the receiver's public key; receiver decrypts with its own private key]

Symmetric vs. Asymmetric (source: Premenos)
[Diagram: the two flows side by side, symmetric with one shared DES key, asymmetric with a public/private pair]

Attacks on Encryption Security
1. Cryptanalysis: the science of "breaking" or "attacking" encryption algorithms by exploiting a weakness in the algorithm design.
2. Brute-force attack: tries every possible key, normally against a known plaintext so that a correct guess can be recognised.

Times for a hardware brute-force attack given $1,000,000 in equipment:

  Year    40 bits    56 bits    64 bits    80 bits      112 bits     128 bits
  1995    0.2 sec    3.6 hrs    38 days    7000 yrs     10^13 yrs    10^18 yrs
  2005    2 ms       2 min      9 hrs      70 yrs       10^11 yrs    10^16 yrs
  2015    0.02 ms    1 sec      5.5 min    251 days     10^9 yrs     10^14 yrs
  2030    0.02 µs    1 ms       0.3 sec    6 hrs        10^6 yrs     10^11 yrs

Notes:
- This chart is for symmetric keys. The slide's rule of thumb is to multiply the chart's key length by 10 to approximate the equivalent asymmetric (RSA) key length.
- Based on Moore's Law (published in an article on 19 April 1965 in Electronics Magazine): computer power increases exponentially over time. Each added key bit doubles the attacker's work, and the rows assume the attacker's computing power doubles about every 18 months.

Digital Signature
- A method of assuring that a message was sent by the person claiming to send it (message authentication)
- The slide states it as "the message is encrypted with the sender's private key; the recipient decrypts using the sender's public key". In practice what is signed is a fixed-length hash of the message (the MIC, below), not the message itself; the recipient recomputes the hash and checks it against the signature using the sender's public key.
[Diagram: document + sender's private key -> digital signature; document + signature + sender's public key -> CONFIRMED]

One-Way Hash Functions
- Converts an "any length" message into a fixed-length "hash"
- The hash identifies the message like a fingerprint: changing any bit of the message changes the hash, and finding two messages with the same hash (a collision) is meant to be infeasible
- MD5 (Message Digest 5) is a function that produces a 128-bit hash value. Considered compromised.
- SHA-0 (Secure Hash Algorithm 0) is a 160-bit hash standard published by NIST (National Institute of Standards and Technology) in 1993.
  Considered more secure than MD5 at the time, but NIST withdrew it in favour of SHA-1.
- SHA-1 (Secure Hash Algorithm 1) is SHA-0 with a more secure variation of the SHA-0 algorithm. Practical SHA-1 collisions have since been demonstrated (2017), so new AS2 deployments should negotiate a SHA-2 MIC algorithm with their partners.
- SHA-2 (Secure Hash Algorithm 2): NIST published four additional hash functions in the SHA family, named after their digest lengths in bits: SHA-224, SHA-256, SHA-384 and SHA-512.

Digital Signature of the MIC
- Authentication of sender
- Integrity of message assured
- The MIC is signed (the slide says "encrypted") with the private key of the sender
- Supports non-repudiation of origin
[Diagram: document -> hash function -> MIC -> sender's private key -> digital signature]

Digital Certificates
- A message which supports the use of a digital signature
- Binds the sender's public key to the identified person: a trusted third party vouches that the public key is indeed the property of that person
- X.509 = PKI
- PGP = "Web of Trust"

Certificate Issuing Authority
- An organization which issues digital certificates (digital IDs)
- Must be widely known and trusted
- Must have well-defined methods of assuring the identity of the parties to whom it issues digital certificates

X.509 Digital ID Certificate Authorities (the slide's illustrative hierarchy, top down)
- Supreme Being
- United Nations
- United States Government
- VeriSign, USPS, banks, credit cards
- Netscape secure servers, clients, individuals, etc.

Certificate Authority Hierarchy: VeriSign Public Certificate Services

  Class    Approval process                                                     Typical applications
  Class 1  Unique e-mail with return address verified                           Casual WWW use
  Class 2  On-line third-party proof / verification                             Subscriptions; intra-company communication
  Class 3  Personal presence via certified registrars or authorizing documents  Personal banking; inter-company communication
  Class 4  Personal presence and investigation                                  High-end financial transactions

Certificate Revocation List
- A list or table of all known certificates that have been revoked and declared invalid
- A verifier that never consults it keeps trusting a revoked (for example, stolen) partner key until the certificate expires

Directory Services for PKI
- Centralized database of X.509 certificates
- X.500 vs. LDAP (Lightweight Directory Access Protocol)

AS2 Hybrid Encryption Concepts
1. Secret (symmetric) key
   - A secret key encrypts faster than a public/private key pair
   - Use the secret key one time only: to encrypt and then decrypt the data of a single message
   - Others must be prevented from finding out the secret key
2. Public/private key pairs (the sender has one, the receiver has one)
   - The private key is mathematically linked to its public key
   - The sender uses its private key to "sign" the data, to prove it came from them
   - The sender uses the receiver's public key to encrypt just the secret key
3. Receiving
   - The receiver uses its private key to decrypt the secret key
   - The receiver uses the secret key to decrypt the data
   - The receiver decrypts and validates the digital signature with the sender's public key
4. Setup: the partners exchange public keys (the sender's public key goes to the receiver, the receiver's public key goes to the sender). AS2 uses both a secret key and public/private keys.

Push/Pull Protocols
AS3, AS4 and ebMS v3 are push/pull protocols.

The X12C EDIINT work group expanded the guideline to include AS3. Why? AS1 uses SMTP (e-mail) for transport and AS2 uses HTTP; AS3 uses FTP. FTP is a robust transport protocol and particularly useful and efficient in exchanging very large files.
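Before going on to AS3 and AS4, the hybrid scheme from the AS2 Hybrid Encryption Concepts slides above (sign the MIC with the sender's private key, encrypt the content under a one-time secret key, wrap that secret key with the receiver's public key, and answer with a receipt the receiver signs) as a working Go example. This is an added illustration, not the presenter's code or any AS2 product's: it uses only Go's standard library, with AES-GCM, RSA-OAEP and RSA-PSS standing in for the S/MIME (CMS) algorithms real AS2 software negotiates, SHA-256 as the MIC algorithm, and a simplified "Disposition|MIC" receipt in place of a MIME multipart/report MDN. The names NewKey, Send, Receive, VerifyMDN, Envelope and MDN, and the sample payload, are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// NewKey makes one partner's key pair; only the PublicKey half is exchanged with partners.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Envelope is the wire message: signature||payload under a one-time secret key, plus that key
// wrapped with the receiver's public key (AES-GCM and RSA-OAEP/PSS stand in for S/MIME here).
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// MDN is the receipt; the receiver signs it so the sender can prove what was received.
type MDN struct {
	Disposition        string
	ReceivedContentMIC string // base64(SHA-256 of the decrypted payload)
	Signature          []byte // receiver's signature over Disposition and MIC
}

func mic(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

func mdnDigest(m *MDN) []byte { return mic([]byte(m.Disposition + "|" + m.ReceivedContentMIC)) }

func gcmFor(key []byte) cipher.AEAD { // key is always 32 bytes here, so neither call fails
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Send signs the MIC with the sender's private key, encrypts signature+payload with a
// fresh secret key, and wraps that key with the receiver's public key (sign-then-encrypt).
func Send(sender *rsa.PrivateKey, payload []byte, receiver *rsa.PublicKey) (*Envelope, error) {
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, mic(payload), nil)
	if err != nil {
		return nil, err
	}
	sessionKey, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(sessionKey) // crypto/rand.Read does not fail in current Go
	rand.Read(nonce)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, receiver, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	ct := gcmFor(sessionKey).Seal(nil, nonce, append(sig, payload...), nil)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Receive unwraps the secret key with the receiver's private key, decrypts, verifies the
// sender's signature over the MIC, and answers with an MDN signed by the receiver.
func Receive(receiver *rsa.PrivateKey, env *Envelope, sender *rsa.PublicKey) ([]byte, *MDN, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiver, env.WrappedKey, nil)
	if err != nil {
		return nil, nil, fmt.Errorf("unwrap secret key: %w", err)
	}
	inner, err := gcmFor(sessionKey).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil || len(inner) < sender.Size() {
		return nil, nil, errors.New("decrypt failed: content altered in transit or wrong key")
	}
	sig, payload := inner[:sender.Size()], inner[sender.Size():]
	if rsa.VerifyPSS(sender, crypto.SHA256, mic(payload), sig, nil) != nil {
		return nil, nil, errors.New("signature check failed: not from the claimed sender")
	}
	m := &MDN{Disposition: "processed", ReceivedContentMIC: base64.StdEncoding.EncodeToString(mic(payload))}
	if m.Signature, err = rsa.SignPSS(rand.Reader, receiver, crypto.SHA256, mdnDigest(m), nil); err != nil {
		return nil, nil, err
	}
	return payload, m, nil
}

// VerifyMDN is non-repudiation of receipt from the sender's side: the receiver's signed
// MIC must equal the MIC of exactly what was sent.
func VerifyMDN(m *MDN, receiver *rsa.PublicKey, sent []byte) error {
	if rsa.VerifyPSS(receiver, crypto.SHA256, mdnDigest(m), m.Signature, nil) != nil {
		return errors.New("MDN signature invalid")
	}
	if m.ReceivedContentMIC != base64.StdEncoding.EncodeToString(mic(sent)) {
		return errors.New("MDN MIC does not match what was sent")
	}
	return nil
}

func main() {
	sender, receiver := NewKey(), NewKey()
	edi := []byte("ST*820*790005~SE*2*790005~") // constructed sample payload
	env, _ := Send(sender, edi, &receiver.PublicKey)
	got, mdn, err := Receive(receiver, env, &sender.PublicKey)
	fmt.Printf("payload=%q err=%v mdn=%v\n", got, err, VerifyMDN(mdn, &receiver.PublicKey, edi))
}
```

The order matters: the signature sits inside the encrypted part, so an eavesdropper learns neither the content nor who signed it, and the receiver verifies the signature only after the ciphertext has authenticated and decrypted. Flipping one byte of Ciphertext makes Receive fail, a message from any key other than the partner's fails the signature check, and an MDN only verifies against the exact bytes the sender kept on file.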
AS3 prescribes the use of the "FTP Security Extensions" (RFC 2228). AS3 allows "push-pull" server configurations.

Push/Pull Protocols: "AS3 allows for push-pull server configurations". What does this mean and why is it important?
- AS3 allows for a hosted server, either third party or trading partner
- "Push-pull" allows trading partner communities to utilize a "hub" hosted server and eliminates the need for each trading partner to have a 24x7 Internet server (a requirement of AS2)

Why AS4?
- AS4 does not replace AS2
- AS4 is a Web services based protocol
- The complexity of Web services has not been addressed, nor has interoperability been achieved
- AS4 brings AS2 simplicity to Web services
- AS4 brings interoperability to Web services through comprehensive interop testing by DGI
- Organizations that are heavily invested in AS2 will continue to use AS2
- AS4 will help organizations that are heavily investing in Web services but need simplicity and interoperability
- Provides B2B vendors an on-ramp to Web services based B2B solutions that have otherwise resisted

What is AS4?
- An open standard for the secure and payload-agnostic exchange of B2B documents using Web services
- Maps the AS2 functional requirements onto the WS-* stack, using ebMS 3.0 as a leverage point
- Constrains the ebMS v3.0 specification (and its underlying specifications) for message packaging, transport, security, exchange patterns and business non-repudiation

AS4 Benefits Summary
- The Web services landscape lacks a B2B messaging specification with the simplicity and elegance of AS2
- Simplifying Web services for B2B breeds an environment in which interoperability becomes achievable
- As SOA and Web services deployments become more pervasive, the opportunity for B2B communication on these platforms will increase
- New markets that are Web services centric can benefit from the AS2 success story

AS4: Where Are We?
- The ebMS TC has approved a draft profile document that has been submitted to OASIS for public review
- The AS4 Profile is expected to be released as a Committee Specification in June 2009
- A DGI interoperability certification event is to follow, starting September 2009

AS2 Data Communications for Collaborative Commerce: The Business Case for AS2

How do EDI, XML and Data Sync fit in?
- AS2 is an enterprise-level communication protocol
- AS2 can transport "any data" format:
  - EDI (810, 820, 850, etc.)
  - XML (including GDSN XML)
  - Flat files
  - Binary files (Excel, etc.)
- Global Data Sync uses AS2 between data pools and with the GS1 Global Registry

What does AS2 offer a business?
- Direct "company to company" data transfer (vs. "store and forward" with VANs)
- Faster data transfer, limited by the size of the "Internet pipe" to your ISP
- Secure data transfer
- Proof of delivery for documents

Implementation Considerations
- Permanent Internet connection
- Server available 24/7
- Know company security policies: is external access allowed into the DMZ or the intranet?
- Know the firewall and DMZ architecture
- Understand software scalability, operational manageability and licensing
- Multiple Internet service providers
- Self-signed or purchased public/private key certificates
- High-availability server
- Load balancers
- Tight integration with the EDI translator, XML parser and/or internal messaging bus

Operational Considerations
- Monitoring the status of server, software and message queue
- Initial startup and ongoing support for trading partners
- Consider compression for large, or even all, messages (part of the AS2 standard)

Lessons Learned: Keys to a Successful Implementation
- Architecture
- Issue resolution
- Support

AS2 Implementation / Architecture
- Segmented DMZ for improved security
- Distributed environment for AS2 servers
- Security requirements to protect AS2 partners
- System monitoring tools
- Separate Q&A system to test changes with trading partners

AS2 Implementation / Close
- Architecture = successful AS2 implementation
- Support tools = efficient business operation
- Architecture + support tools = issue resolution

AS2 Case Study: Enabling Financial EDI (Bank of America), ANSI ASC X12 820

ACH: CTX, payment and remittance sent via ACH

  ST*820*790005~
  BPR*C*70760.49*C*ACH*CTX*01*071923284*DA*123456789*2345678901**01*121000358*DA*3456789012*20020726~
  TRN*1*999984EA1~
  REF*TN**CORP PMT~
  N1*PR*PAYOR NAME~
  N1*PE*PAYEE COMPANY NAME INCORPORATED~
  ENT*1~
  RMR*IV*1024274**40277.58*40277.58~
  DTM*003*20020726~
  RMR*IV*1024604**30482.91*30482.91~
  DTM*003*20020725~
  SE*12*790005~

Note: the remittance structure may vary based on your particular business needs.

ACH: CCD, payment only sent via ACH; no remittance

  ST*820*790009~
  BPR*D*70760.49*C*ACH*CCD*01*012345678*DA*123456789*234567890**01*121000358*DA*3456789012*20020726~
  TRN*1*998881IA1~
  REF*TN**CORP PMT~
  N1*PR*PAYOR NAME~
  N1*PE*PAYEE COMPANY NAME INCORPORATED~
  SE*7*790009~

BoA Internet EDI
Data exchange with Bank of America over the Internet is offered using these methods:
- HTTPS
- SSHFTP: File Transfer Protocol with SSH2 encryption
- FTP: File Transfer Protocol with PGP encryption
- Connect:Direct with Secure+
- AS2: IETF EDIINT protocol (Applicability Statement 2)

Bank of America uses Sterling Connect:Enterprise Unix 2.2 and VeriSign digital certificates to support AS2 transmissions.

Client requirements:
- Internet connection
- AS2 software. BoA interoperates with many AS2 distributions that have been certified by the Drummond Group
- Digital certificate. May be self-signed or authority signed

Transmitting files:
- You must initiate AS2 transmissions to BoA, and allow BoA to initiate transmissions to your servers

File size limitation:
- Files must be less than 50 MB

Integrity control:
- BoA AS2 uses S/MIME encryption
- BoA and its trading partners use digital signatures to authenticate each other

Message Disposition Notification (MDN)
An MDN acknowledges successful receipt and decryption of the transmission. The MDN is generated by the receiver and returned to the sender.
- Synchronous (sync): the MDN is sent across the same HTTP connection as the data file, i.e. the sender initiates an AS2 transmission, transfers the data, and the receiver responds with an MDN without breaking the initial HTTP connection.
- Asynchronous (async): the MDN is sent across a different HTTP connection after the initial data file transmission, i.e. the sender initiates an AS2 transmission, transfers the data, and disconnects. The receiver then initiates its own HTTP connection to the sender and delivers the MDN.
Note: BoA supports both types of MDN (synchronous MDN is most common). With asynchronous MDNs the sender must also accept inbound connections for receipts, and must track outstanding messages so that a receipt which never arrives is noticed.

Energy Co. Implements BoA Internet EDI

Questions?
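The synchronous and asynchronous MDN flows described in the BoA section above, as an added Go example (not the presenter's or Bank of America's code): both partners run on loopback using net/http/httptest, the request headers are the RFC 4130 ones (AS2-From, AS2-To, Message-ID, Disposition-Notification-To, Disposition-Notification-Options, Receipt-Delivery-Option), and the receipt carries the Original-Message-ID, Disposition and Received-Content-MIC fields of a disposition notification. The MDN is left unsigned so the HTTP exchange stays the focus (an unsigned receipt gives no non-repudiation); the function names BuildMDN, ReceiverHandler, SendAS2 and RunExchange, the AS2 identifiers SENDER and RECEIVER, the message IDs and the sample payload are all constructed for this example, and the 50 MB read cap mirrors BoA's stated limit.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// BuildMDN formats the disposition-notification fields the sender checks (unsigned here).
func BuildMDN(origMsgID string, payload []byte) string {
	sum := sha256.Sum256(payload)
	return "Original-Message-ID: " + origMsgID + "\r\n" +
		"Disposition: automatic-action/MDN-sent-automatically; processed\r\n" +
		"Received-Content-MIC: " + base64.StdEncoding.EncodeToString(sum[:]) + ", sha256\r\n"
}

// ReceiverHandler is the partner's always-on AS2 endpoint; it decides sync vs. async from the headers.
func ReceiverHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || r.Header.Get("AS2-From") == "" || r.Header.Get("AS2-To") == "" {
		http.Error(w, "not an AS2 message", http.StatusBadRequest)
		return
	}
	payload, err := io.ReadAll(io.LimitReader(r.Body, 50<<20)) // size cap, like BoA's 50 MB limit
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	mdn := BuildMDN(r.Header.Get("Message-ID"), payload)
	switch mdnTo, asyncURL := r.Header.Get("Disposition-Notification-To"), r.Header.Get("Receipt-Delivery-Option"); {
	case mdnTo == "": // the sender did not ask for a receipt
		w.WriteHeader(http.StatusOK)
	case asyncURL != "": // async: empty 200 now, receipt follows on a connection of its own
		w.WriteHeader(http.StatusOK)
		go http.Post(asyncURL, "message/disposition-notification", strings.NewReader(mdn))
	default: // sync: the receipt rides back in this same response
		w.Header().Set("Content-Type", "message/disposition-notification")
		io.WriteString(w, mdn)
	}
}

// SendAS2 is the sender's side; asyncURL == "" asks for a synchronous MDN.
func SendAS2(url, from, to, msgID string, payload []byte, asyncURL string) (int, string, error) {
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(payload))
	if err != nil {
		return 0, "", err
	}
	for k, v := range map[string]string{
		"AS2-Version": "1.2", "AS2-From": from, "AS2-To": to, "Message-ID": msgID,
		"Content-Type": "application/edi-x12", "Disposition-Notification-To": from, // asks for an MDN
		"Disposition-Notification-Options": "signed-receipt-protocol=optional, pkcs7-signature; signed-receipt-micalg=optional, sha256",
	} {
		req.Header.Set(k, v)
	}
	if asyncURL != "" {
		req.Header.Set("Receipt-Delivery-Option", asyncURL)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

// RunExchange stands up both partners on loopback, asks for the receipt each way, and returns both MDNs.
func RunExchange(payload []byte) (syncMDN, asyncMDN string, err error) {
	asyncIn := make(chan string, 1)
	listener := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body) // the sender's own endpoint, where async receipts arrive
		asyncIn <- string(b)
	}))
	defer listener.Close()
	receiver := httptest.NewServer(http.HandlerFunc(ReceiverHandler))
	defer receiver.Close()
	status, syncMDN, err := SendAS2(receiver.URL, "SENDER", "RECEIVER", "<m1@sender.example>", payload, "")
	if err != nil || status != http.StatusOK {
		return "", "", fmt.Errorf("sync send: status %d, %v", status, err)
	}
	status, body, err := SendAS2(receiver.URL, "SENDER", "RECEIVER", "<m2@sender.example>", payload, listener.URL)
	if err != nil || status != http.StatusOK || body != "" {
		return "", "", fmt.Errorf("async send: status %d, body %q, %v", status, body, err)
	}
	select {
	case asyncMDN = <-asyncIn:
		return syncMDN, asyncMDN, nil
	case <-time.After(5 * time.Second):
		return "", "", fmt.Errorf("async MDN never arrived")
	}
}

func main() {
	fmt.Println(RunExchange([]byte("ST*820*790005~SE*2*790005~"))) // constructed sample payload
}
```

The async branch is where the "24x7 Internet server" requirement bites twice: the sender must expose an endpoint of its own (the listener above) and must time out and alert when no receipt arrives, whereas in the sync branch a missing MDN shows up immediately as an empty or failed HTTP response.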
Dave Darnell, eTG Co-Chair, Systrends
T 480-756-6777 x201 | C 602-432-3353 | E Dave.Darnell@systrends.com | W www.systrends.com
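Returning to the two ANSI X12 820 samples in the Bank of America case study above: a small parser for them as an added Go example (not the presenter's or BoA's code). It splits on the ~ and * delimiters the samples use (a production translator reads the delimiters from the ISA envelope instead), checks the ST/SE envelope (matching control numbers and the SE01 segment count, which is the translator's first integrity check on a transaction set), and for the CTX payment checks that the RMR remittance lines add up to the BPR amount. The Segment and Payment types and the function names are this example's own; the two samples are copied from the case study.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// The two 820 samples from the Bank of America case study (CTX with remittance, CCD payment only).
const SampleCTX = "ST*820*790005~BPR*C*70760.49*C*ACH*CTX*01*071923284*DA*123456789*2345678901**01*121000358*DA*3456789012*20020726~" +
	"TRN*1*999984EA1~REF*TN**CORP PMT~N1*PR*PAYOR NAME~N1*PE*PAYEE COMPANY NAME INCORPORATED~ENT*1~" +
	"RMR*IV*1024274**40277.58*40277.58~DTM*003*20020726~RMR*IV*1024604**30482.91*30482.91~DTM*003*20020725~SE*12*790005~"

const SampleCCD = "ST*820*790009~BPR*D*70760.49*C*ACH*CCD*01*012345678*DA*123456789*234567890**01*121000358*DA*3456789012*20020726~" +
	"TRN*1*998881IA1~REF*TN**CORP PMT~N1*PR*PAYOR NAME~N1*PE*PAYEE COMPANY NAME INCORPORATED~SE*7*790009~"

// Segment is one X12 segment: its ID (ST, BPR, ...) and the data elements that follow it.
type Segment struct {
	ID       string
	Elements []string
}

// Payment is what the 820 carries: the BPR total and, for CTX, each RMR remittance line.
type Payment struct {
	Method, Format string             // BPR04 (ACH) and BPR05 (CTX or CCD)
	Amount         float64            // BPR02
	TraceNumber    string             // TRN02
	Remittances    map[string]float64 // RMR02 invoice number -> RMR04 amount paid
}

// ParseSegments splits on the ~ segment terminator and * element separator used by the
// samples; a production translator takes the delimiters from the ISA envelope instead.
func ParseSegments(raw string) []Segment {
	var segs []Segment
	for _, s := range strings.Split(raw, "~") {
		if s = strings.TrimSpace(s); s != "" {
			parts := strings.Split(s, "*")
			segs = append(segs, Segment{ID: parts[0], Elements: parts[1:]})
		}
	}
	return segs
}

// Parse820 verifies the ST/SE envelope (matching control numbers, SE01 segment count) and
// that remittance detail, when present, reconciles to the BPR amount.
func Parse820(raw string) (*Payment, error) {
	segs := ParseSegments(raw)
	if len(segs) < 3 || segs[0].ID != "ST" || segs[len(segs)-1].ID != "SE" {
		return nil, errors.New("not a transaction set: must open with ST and close with SE")
	}
	st, se := segs[0].Elements, segs[len(segs)-1].Elements
	if len(st) < 2 || len(se) < 2 || st[0] != "820" {
		return nil, errors.New("not an 820 transaction set")
	}
	if se[1] != st[1] {
		return nil, fmt.Errorf("SE02 control number %s does not match ST02 %s", se[1], st[1])
	}
	if n, err := strconv.Atoi(se[0]); err != nil || n != len(segs) {
		return nil, fmt.Errorf("SE01 claims %s segments, found %d", se[0], len(segs))
	}
	p := &Payment{Remittances: map[string]float64{}}
	var remitTotal float64
	for _, s := range segs {
		e := s.Elements
		switch {
		case s.ID == "BPR" && len(e) >= 5:
			amt, err := strconv.ParseFloat(e[1], 64)
			if err != nil {
				return nil, fmt.Errorf("BPR02 amount: %w", err)
			}
			p.Amount, p.Method, p.Format = amt, e[3], e[4]
		case s.ID == "TRN" && len(e) >= 2:
			p.TraceNumber = e[1]
		case s.ID == "RMR" && len(e) >= 4:
			amt, err := strconv.ParseFloat(e[3], 64)
			if err != nil {
				return nil, fmt.Errorf("RMR04 amount: %w", err)
			}
			p.Remittances[e[1]] = amt
			remitTotal += amt
		}
	}
	if p.Format == "" {
		return nil, errors.New("missing or short BPR segment")
	}
	// CTX carries remittance lines that must add up to the payment; CCD has none to reconcile.
	if len(p.Remittances) > 0 && math.Abs(remitTotal-p.Amount) > 0.005 {
		return nil, fmt.Errorf("RMR lines total %.2f but BPR02 is %.2f", remitTotal, p.Amount)
	}
	return p, nil
}

func main() {
	for _, raw := range []string{SampleCTX, SampleCCD} {
		p, err := Parse820(raw)
		fmt.Printf("%+v err=%v\n", p, err)
	}
}
```

On the CTX sample the two RMR lines (40277.58 and 30482.91) reconcile exactly to the BPR02 amount of 70760.49; the CCD sample has no remittance detail, so only the envelope checks apply. Either check failing is a reason to return a "failed" disposition in the MDN rather than "processed".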
