Apply Digital Signatures on AS2 Messages Without HTTPS
Overview
Although you can run AS2 over HTTPS in order to provide encryption, authentication, data integrity, and non-repudiation to your EDI exchanges, it's not necessary. You can still get the same level of protection if you use AS2's built-in support for encryption and digital signatures. We already talked about AS2 encryption in a previous post, so this time, let's focus on digital signatures.
Digital signatures are essential to secure communications. They provide authentication, data integrity, and non-repudiation. Basically, they enable both parties to:
- Ensure they are actually transacting with the party they meant to transact with (and not an impostor);
- Determine whether the message or file they received was altered along the way; and
- Prohibit the other party from ever denying that the message or file they sent originated from them.
While most secure file transfers rely on SSL/TLS (or, in the case of SFTP, SSH) for these security features, some protocols - like AS2 - readily support them.
The great thing about using AS2 digital signatures is that you no longer need to go to a Certificate Authority (CA). That's right. In this case, you can actually cut out the middle man and the fees that come with them.
But how is this possible? Won't CA-less AS2 transactions be less secure? Actually, no. The reason you go to a CA to obtain a digital certificate is so that a (presumably) reliable third party can verify and assert that:
- The information found on your certificate is true, and
- The certificate, as well as the public key attached to it, belongs to you (more specifically, that it's bound to your site).
That way, people and businesses who want to transact with you can be assured that they will be doing so in a secure manner. The presence of a third party is necessary if the two parties who enter into transactions with each other neither trust nor know the other party prior to the transactions - as in the case of people who transact with online banks, ecommerce websites and so on.
However, in the case of two trading partners, it's understood that there's already a pre-established relationship. I don't think you'll ever engage in an AS2 exchange with a trading partner you have no prior knowledge of. Because you already have an established relationship with your trading partner, it is easy for the two of you to exchange public key digital certificates directly.
Once you've shared your digital certificate with your trading partner, your partner could then upload that certificate and its accompanying public key to their AS2 server. You can likewise do the same thing with their digital certificate.
After that, you can digitally sign AS2 messages with your private key and transmit the signed messages to their AS2 server. Upon receipt of a digitally signed AS2 message, your trading partner's server can then use the public key they imported to:
- Authenticate the source of the message. By design, that public key will only be able to verify a document digitally signed by its corresponding private key, which should be solely in your possession;
- Recover the message digest from the signature and compare it with a freshly computed hash of the received message, which is how data integrity is checked; and
- Render the transaction secure from repudiation. Because your trading partner was able to validate the message's digital signature using your public key, you can no longer deny having sent the message.
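The flow described above, from exchanging self-signed certificates through signing with the private key and verifying with the imported public key, as an added example in Go. This is illustrative code written for this page, not JSCAPE MFT Server's implementation: it uses only the Go standard library, signs a SHA-256 digest with RSA PKCS#1 v1.5 instead of wrapping the message in the CMS/S/MIME structure a real AS2 server produces, and the partner names and EDI payload are constructed sample values. The three cases at the end mirror the three bullets: a genuine message is accepted, a message altered in transit fails the digest comparison, and a message signed by a key the receiver never imported fails authentication.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Partner models one AS2 trading partner: its own private key and self-signed
// certificate, plus the peer certificates an admin has imported into its server.
type Partner struct {
	Name    string
	key     *rsa.PrivateKey
	Cert    *x509.Certificate
	trusted map[string]*x509.Certificate // peer name -> imported certificate
}

// NewPartner generates an RSA key pair and a self-signed certificate (no CA involved).
// Key or certificate generation failing is fatal for this demonstration, so it panics.
func NewPartner(name string) *Partner {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	// Passing the template as its own parent makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Partner{Name: name, key: key, Cert: cert, trusted: map[string]*x509.Certificate{}}
}

// Import stores a peer's certificate, exchanged out of band under the existing relationship.
func (p *Partner) Import(peer *Partner) { p.trusted[peer.Name] = peer.Cert }

// SignedMessage is the payload plus an RSA signature over its SHA-256 digest.
type SignedMessage struct {
	From      string
	Payload   []byte
	Signature []byte
}

// Sign hashes the payload with SHA-256 (a SHA-2 variant) and signs the digest
// with the sender's private key (RSA PKCS#1 v1.5).
func (p *Partner) Sign(payload []byte) (*SignedMessage, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedMessage{From: p.Name, Payload: payload, Signature: sig}, nil
}

// Verify looks up the claimed sender's imported certificate, recomputes the digest
// of the received payload and checks the signature against it with the public key.
func (p *Partner) Verify(m *SignedMessage) error {
	cert, ok := p.trusted[m.From]
	if !ok {
		return fmt.Errorf("no imported certificate for %q", m.From)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate for %q does not carry an RSA key", m.From)
	}
	digest := sha256.Sum256(m.Payload)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature) // nil on success
}

// ScenarioResult records which of three messages the receiver accepted.
type ScenarioResult struct{ GenuineAccepted, TamperedAccepted, ImpostorAccepted bool }

// RunScenario has two hypothetical partners exchange certificates, then delivers a
// genuine message, a copy altered in transit, and one signed by a key never imported.
func RunScenario() ScenarioResult {
	sender, receiver, outsider := NewPartner("Example Sender"), NewPartner("Example Receiver"), NewPartner("Unknown Party")
	receiver.Import(sender)
	sender.Import(receiver)

	edi := []byte("ISA*00*          *00*          *ZZ*SENDER         *ZZ*RECEIVER       ~") // constructed sample
	msg, err := sender.Sign(edi)
	if err != nil {
		panic(err)
	}
	tampered := &SignedMessage{From: msg.From, Payload: append([]byte(nil), msg.Payload...), Signature: msg.Signature}
	tampered.Payload[0] ^= 0x01 // one flipped bit changes the digest, so the signature no longer matches
	forged, err := outsider.Sign(edi)
	if err != nil {
		panic(err)
	}
	forged.From = sender.Name // claims the sender's identity, but was signed with a key the receiver never imported

	return ScenarioResult{
		GenuineAccepted:  receiver.Verify(msg) == nil,
		TamperedAccepted: receiver.Verify(tampered) == nil,
		ImpostorAccepted: receiver.Verify(forged) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario()) // prints {GenuineAccepted:true TamperedAccepted:false ImpostorAccepted:false}
}
```

The point to notice is that `Verify` never consults a CA: trust comes entirely from the certificate the receiver imported for that partner name, which is exactly the pre-established relationship the text relies on. The same lookup is also what makes the third case fail, since a signature made with any other private key simply does not verify under the imported public key.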
If you want to know more about how digital signatures work, I suggest you read the post:
Why you should choose AS2 SHA2 digital signatures
As discussed in the blog post Why It's Now Imperative To Use SHA2 Certificates, it's no longer safe to use digital signatures that employ the SHA1 hashing algorithm. Instead, you should start signing documents using any of the SHA2 variants: SHA-224, SHA-256, SHA-384, or SHA-512. Make sure your AS2 server supports them.
AS2 digital signatures on JSCAPE MFT Server
In our next post, we'll show you exactly how to enable the use of digital signatures on an actual AS2 server. We'll be using JSCAPE MFT Server for that tutorial, so if you want to follow the steps we'll be outlining there, I suggest you read the blog post:
The Quickstart Guide To Setting Up An AS2 Server
JSCAPE MFT Server comes with a free, fully-functional evaluation edition. You can download a copy now