AS2 SMIME/MIME Encryption Certificates Signing MDNs
Taking the Mystery Out of AS2
Kim Zajehowski, Aurora Technologies, Inc.

What is AS2?
• A more secure way of exchanging EDI data directly with your trading partners over the Internet, using certificates, encryption and signing of documents.
• Stands for Applicability Statement 2, the IETF specification (RFC 4130) for securely exchanging business documents over the Internet, as summarised on www.networkworld.com.
• A communication method that can replace VAN communications with your trading partner.
• Uses digital certificates to secure EDI packets of data.
• Some AS2 products describe their inbound listener as an HTTP reverse proxy.

AS2 Continued
• Direct communications with your trading partner over the Internet.
• Can also go through a VAN that offers AS2 as an extended service: the VAN performs the AS2 conversion for you and delivers to your trading partner.
• Provides reliability in that you receive an MDN (Message Disposition Notification) telling you that your trading partner's AS2 system received the packet. This does not replace your Functional Acknowledgements, which confirm that the EDI content itself was accepted by the partner's EDI translator.
• The AS2 standard uses well-established S/MIME encryption and signature algorithms (see the Encryption and Signing slides for which of them are still considered strong).
• Runs over HTTP (or HTTPS) on TCP/IP networks.

Envelopes
• AS2 data is placed in an envelope (the AS2 HTTP headers) carrying the AS2 identifiers of each party in the exchange: AS2-From and AS2-To.
• The S/MIME signature inside the packet normally carries the sender's digital certificate.
• The AS2 envelope usually wraps another envelope, the EDI interchange (ISA), which carries the EDI data together with its ISA qualifiers and IDs.
AS2 Flowchart
(Diagram: ERP solution, e-mail solution provider, trading partner system server, Internet.)

Terminology
• MIME/S-MIME
• Encryption
• Signing
• MDNs
• AS2 Identification
• Firewall Considerations
• Certificates
• Pros
• Cons
• AS2 solution selection
• Sample AS2 profiles
• Helpful websites

MIME
• MIME, as defined on Wikipedia (Multipurpose Internet Mail Extensions), defines mechanisms for sending kinds of information other than plain text in e-mail.
• MIME is also a fundamental component of communication protocols such as HTTP, which requires that data be transmitted in the context of e-mail-like messages even though the data might not (and usually doesn't) have anything to do with e-mail.

S-MIME
• S/MIME, as taken from Wikipedia (Secure/Multipurpose Internet Mail Extensions), is a standard for public key encryption and signing of MIME data.
• Through the use of public key certificates, packets of information are protected in this type of data packet.

Encryption
• A way of making a packet of data unreadable to anyone who does not hold the recipient's private key, by encrypting the data with one of several algorithms:
• Advanced Encryption Standard (AES)
  – AES 256
  – AES 192
  – AES 128
• Data Encryption Standard (DES)
  – DES 56
  – DES3 168 (Recommended)
• CAST5 128
• RC2 40
• RC2 64
• RC2 128
• Note: the recommendation above dates from 2010. DES 56 and RC2 40/64 offer no real protection today, and NIST has since deprecated 3DES; prefer AES 128 or AES 256 whenever your partner supports it.

Signing
• A way of further securing AS2 data packets: the sender hashes the packet and signs the hash with its private key, so the receiver can verify who sent it and that it was not altered in transit. One of several hash algorithms is used:
• Secure Hash Algorithm
  – SHA1 160 (Recommended)
• Message Digest Algorithm
  – MD5 128
• Race Integrity Primitives Evaluation Digest
  – RIPEMD 160
• Note: MD5 and SHA-1 are both broken for collision resistance and are deprecated for signing; prefer SHA-256 where your partner supports it.

MDN
• Message Disposition Notification
• Communication packet used to tell the sending party that the data packet was successfully received into the partner's AS2 solution (positive MDN).
• Does not replace the functional acknowledgement.
• No control numbers are used; the MDN references the original AS2 Message-ID and, for signed receipts, echoes a hash (MIC) of the received content.
• Type of MDN is usually dictated by the trading partner.

Types of MDN Scenarios
• Asynchronous
  – Allows the AS2 MDN to be returned to the message sender over a different HTTP connection.
  – Usually used for larger files.
• Synchronous
  – Allows the AS2 MDN to be returned over the same HTTP connection as the original message.
  – There may be timeouts in low-bandwidth situations.
• E-mail
  – Rarely used but available; the AS2 MDN is returned to an e-mail address.
• No MDN

AS2 Identification
• Each trading partner involved in AS2 communications is assigned an AS2 ID.
• The ID is self-generated by the company.
• It can be a company name with AS2 on the end of it, or the company's ISA qualifier concatenated with the ISA ID.
• The ID is used on the outer envelope (the AS2-From and AS2-To headers) of the AS2 packet being communicated. Many products treat it as case sensitive, so agree on the exact spelling with your partner.

Firewall Considerations
• Since this communication is over the Internet, you must secure your AS2 solution by limiting incoming traffic to the AS2 listener port and, where possible, to your trading partners' IP addresses, while allowing the outbound connections your solution needs to send messages and asynchronous MDNs.
• This can be the most challenging area, as you are dealing with your own internal networks as well as your trading partners' to communicate successfully via AS2.

Digital Certificates
• A digital certificate (*.cer) is required for both parties exchanging AS2 data via the Internet.
• X.509 is the standard.
• Other file formats might be used as well (*.pfx). A *.pfx (PKCS#12) file also contains the private key: import it into your own AS2 solution only, and never send it to a trading partner.
• Each party must share its certificate with the other, as this is what secures the packet of data: you encrypt to your partner's public key and verify their signatures (and signed MDNs) with their certificate, and they do the same with yours. The sender's certificate normally travels inside the S/MIME signature of each message; the receiver's certificate is not transmitted.
• Note that AS2 digital certificates do not have to be signed or generated by a certificate authority (e.g. Verisign). A self-signed certificate generated by your AS2 solution, if it offers that option, is acceptable to most partners.
• Note that when exchanging certificates via e-mail you must change the extension on the file from *.cer to *.txt, or zip it, before sending it to your trading partner. Many e-mail servers strip *.cer attachments.

AS2 Solution Selection
• Know your potential AS2 trading partners.
• Some may require you to use a Drummond certified solution (e.g. Target).
• Some may be more relaxed about the Drummond requirement.
• Evaluate your future communication needs, as you may be able to find a solution that supports multiple communication protocols (FTP, AS1, AS2, etc.).
• You may want to evaluate whether it is cost-feasible to add an AS2 service to your existing VAN for your AS2 customers. Many VANs offer a service that takes your EDI transactions and delivers them to your trading partner as AS2.

Pros
• Direct communications with trading partners, no VAN charges.
• Faster and more timely communications.
• Control is in your hands and your trading partner's hands.

Cons
• You may be required to use only Drummond certified solutions if your AS2 trading partner community pushes it.
• The responsibility is on you and your trading partners to ensure reliable communications at all times; this means monitoring the software on a daily basis.
• You must monitor all digital certificates, on your side as well as the trading partner side, to ensure you have loaded the most current ones and that none expire.

Sample AS2 Customer Sheet
Customer AS2 Information

Customer Contact Name:
Phone:
Email:
AS2 Name: If your company already uses an AS2 Name, provide it here; otherwise you can choose to use your QUAL/ID as AS2 Name, such as 129498381009.
AS2 URL or IP: Such as http://as2.companyname.com/as2 or http://666.32.32.32:9080/msgsrv/as2 (placeholder values; the second is not a routable address).
Message Format Type: How do you want the message to be sent?
  – MIME (plain text)
  – S/MIME Encrypted
  – S/MIME Signed
  – S/MIME Signed/Encrypted (Recommended)
Encryption Algorithm: If you have selected Encrypted, which encryption format do you prefer?
  – RC2 40, RC2 64, RC2 128
  – AES 128, AES 192, AES 256
  – DES 56, DES3 168 (Recommended)
  – CAST5 128
Signing Algorithm: If you have selected Signed, which signing format do you prefer?
  – SHA1 160 (Recommended), MD5 128, RIPEMD 160
Receipt Type: Does your company require an MDN notification to be sent back upon receiving the AS2 message from you?
  – Signed (Recommended), Unsigned, None
List your Test IDs: List the sender/receiver IDs/qualifiers you intend to use for testing.
List your Production IDs: List your own sender/receiver IDs (not your trading partner's) used for production.

Sample AS2 Customer Sheet
AS2 Profile Information

Trading Partner Information
Date: 10/31/2010
Company Name: ACME COMPANY
Contact Name: Jane Smith
Title: EDI Coordinator
Phone: 401-555-5555
FAX:
Email: jsmith@acme.com
EDI Qualifier/ID: ZZ/401555555
AS2 Identifier: ACMEAS2
AS2 URL: http://as2.acme.com:1234/as2
Backup AS2 URL (optional):
Encryption Algorithm: DES3 168 WITH SHA1
AS2 Authentication Name/Password (optional):
Outbound IP Address:

ABC AS2 Information
Production URL: http://www.as2edi.abc.com:8080/as2
AS2 Identifier: ABCAS2 (case sensitive)
Public Encryption Key Location: Attached
MDNs: Synchronous, Signed
Encryption Algorithm: AES128 (Preferred), 3DES (Alternate)
Signing Algorithm: SHA-1
Compression: All Data

Retry policy
ABC Company has improved hardware, software and procedures to ensure a high level of AS2 availability. However, ABC Company cannot guarantee that every AS2 connection attempt will succeed. Therefore, ABC highly recommends that you automatically retry AS2 connections at least three times with at least one minute between retries. This benefits users because they do not have to manually retransmit when a connection does not succeed the first time.

Helpful Websites
• AS2 Drummond Certified Software: http://www.drummondgroup.com/html-v2/as2companies.html
• Open Source AS2 Providers: http://sourceforge.net/search/?type_of_search=soft&words=as2
• AS2 Basics: http://www.as2basics.co.uk
• AS2 Secures Documents Using the Web: http://www.networkworld.com/news/tech/2002/1209techupdate.html
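As an added worked example, not part of the original deck or of any AS2 product, the following Python script ties together the Envelopes, AS2 Identification and MDN slides: it validates AS2 IDs, builds the outer AS2 headers (including the header that makes the MDN asynchronous), computes the MIC a receiver echoes back in its receipt, builds an MDN as multipart/report, and verifies that MDN on the sending side, rejecting a receipt for a different message, a non-"processed" disposition, or a MIC that does not match what was sent. It uses only the standard library, so it shows a plain (unsigned, unencrypted) exchange; the AS2 IDs, URLs, product name, Message-IDs and the EDI payload are constructed sample values.

```python
"""AS2 envelope headers and the MDN round trip, standard library only.

Added illustration (not from the slides or any AS2 product). Plain
exchange: no S/MIME, so the MIC is the digest of the content alone,
which is what RFC 4130 7.3.1 prescribes for unsigned, unencrypted mail.
"""
import base64
import email
import hashlib
import re
import uuid
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample values (the AS2 IDs mirror the deck's sample profile).
SENDER_AS2_ID = "ACMEAS2"
RECEIVER_AS2_ID = "ABCAS2"
SENDER_MDN_URL = "http://as2.acme.com:1234/as2"  # hypothetical receive URL
SAMPLE_EDI = (
    "ISA*00*          *00*          *ZZ*401555555      *ZZ*ABC            "
    "*101031*1200*U*00401*000000001*0*T*>~\n"
    "IEA*0*000000001~\n"
)

# RFC 4130 unquoted AS2 name: 1 to 128 printable US-ASCII characters with no
# space, double quote or backslash. (Assumption: partners use the unquoted form.)
_AS2_ATOMIC = re.compile(r"^[\x21-\x7e]{1,128}$")


def valid_as2_id(as2_id: str) -> bool:
    """True if as2_id is a legal unquoted AS2-From / AS2-To value."""
    return bool(_AS2_ATOMIC.match(as2_id)) and not any(c in as2_id for c in '"\\')


def canonical(content: str) -> bytes:
    """Normalise line endings to CRLF; the MIC is computed on canonical text."""
    return content.replace("\r\n", "\n").replace("\n", "\r\n").encode("utf-8")


def calc_mic(content: str, micalg: str = "sha256") -> str:
    """Base64 MIC over the content only (no MIME headers) for a plain message."""
    digest = hashlib.new(micalg, canonical(content)).digest()
    return base64.b64encode(digest).decode("ascii")


def build_as2_headers(message_id: str, async_mdn_url=None, micalg: str = "sha256") -> dict:
    """Outer AS2 (HTTP) headers that request a signed MDN. Receipt-Delivery-Option
    makes the MDN asynchronous (posted later to that URL); without it the MDN
    comes back on the same HTTP connection."""
    headers = {
        "AS2-Version": "1.1",
        "AS2-From": SENDER_AS2_ID,
        "AS2-To": RECEIVER_AS2_ID,
        "Message-ID": message_id,
        "Content-Type": "application/edi-x12",
        "Disposition-Notification-To": SENDER_MDN_URL,
        "Disposition-Notification-Options": (
            "signed-receipt-protocol=optional, pkcs7-signature; "
            f"signed-receipt-micalg=optional, {micalg}"),
    }
    if async_mdn_url:
        headers["Receipt-Delivery-Option"] = async_mdn_url
    return headers


def build_mdn(original_message_id: str, received_content: str,
              micalg: str = "sha256", ok: bool = True, error: str = "") -> MIMEMultipart:
    """Receiver side: multipart/report with a human-readable part and a
    message/disposition-notification part carrying the machine-readable fields."""
    mdn = MIMEMultipart("report", report_type="disposition-notification")
    mdn["AS2-Version"] = "1.1"
    mdn["AS2-From"] = RECEIVER_AS2_ID
    mdn["AS2-To"] = SENDER_AS2_ID
    mdn["Message-ID"] = f"<{uuid.uuid4()}@{RECEIVER_AS2_ID.lower()}>"
    text = "The AS2 message was received and processed." if ok else f"Processing failed: {error}"
    mdn.attach(MIMEText(text, "plain"))
    fields = Message()
    fields["Reporting-UA"] = "example-as2-receiver/0.1"  # hypothetical product name
    fields["Original-Recipient"] = f"rfc822; {RECEIVER_AS2_ID}"
    fields["Final-Recipient"] = f"rfc822; {RECEIVER_AS2_ID}"
    fields["Original-Message-ID"] = original_message_id
    fields["Disposition"] = ("automatic-action/MDN-sent-automatically; processed"
                             + ("" if ok else f"/error: {error}"))
    if ok:  # the echoed MIC lets the sender prove the partner got exactly these bytes
        fields["Received-Content-MIC"] = f"{calc_mic(received_content, micalg)}, {micalg}"
    report = MIMEBase("message", "disposition-notification")
    report.attach(fields)
    mdn.attach(report)
    return mdn


def verify_mdn(raw_mdn: str, sent_message_id: str, sent_content: str):
    """Sender side: parse the MDN as received over HTTP; return (ok, reason)."""
    mdn = email.message_from_string(raw_mdn)
    if mdn.get_content_type() != "multipart/report":
        return False, "not a multipart/report"
    fields = None
    for part in mdn.walk():
        if part.get_content_type() == "message/disposition-notification":
            payload = part.get_payload()  # stdlib parser nests message/* as a sub-message
            fields = payload[0] if isinstance(payload, list) else email.message_from_string(payload)
            break
    if fields is None:
        return False, "no disposition-notification part"
    if fields.get("Original-Message-ID", "").strip() != sent_message_id:
        return False, "MDN refers to a different Message-ID"
    _, _, dtype = fields.get("Disposition", "").partition(";")
    if dtype.strip().lower() != "processed":
        return False, f"partner reported: {dtype.strip()}"
    mic, _, micalg = fields.get("Received-Content-MIC", "").partition(",")
    if not mic.strip():
        return False, "no Received-Content-MIC in MDN"
    micalg = micalg.strip().lower().replace("-", "")  # "sha-256" and "sha256" both occur
    try:
        expected = calc_mic(sent_content, micalg)
    except ValueError:
        return False, f"unsupported MIC algorithm {micalg!r}"
    if mic.strip() != expected:
        return False, "MIC mismatch: partner received different bytes"
    return True, "processed"


if __name__ == "__main__":
    mid = "<20101031120000.1@acmeas2>"  # constructed Message-ID
    print(build_as2_headers(mid, async_mdn_url=SENDER_MDN_URL))
    wire = build_mdn(mid, SAMPLE_EDI).as_string()  # what the partner posts back
    print(verify_mdn(wire, mid, SAMPLE_EDI))
```

For a signed message the MIC is instead computed over the signed MIME part including its headers, and a signed MDN wraps this multipart/report in a pkcs7-signature made with the partner's private key; both need an S/MIME library and are left out here. The MIC comparison is the part worth keeping: an MDN that says "processed" but carries a different MIC means the partner processed something other than what you sent, which is exactly the case a retry policy like the one in the sample profile must not hide.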