Supplementary Readings
Security Problems and Solutions for Internet-based EDI
1.Introduction
EDIis defined by International Organization for Standardization as computer to computer exchange of business data or administration information through the network in a standard format.EDI has been applied broadly in logistics industry in these years.Its an important technology of logistics data interchange between shipper,carrier,traffic and transportation corporation and other related corporations.Its an important base technology which can actualize logistics task,too.
Traditional EDI was established on the Value-added Network(VAN),VAN-based EDI system was structured by users through the net who use one EDI centre,but are in many various regions,which differ type computers and differ type files.
The VAN-based EDI system has been worked for many years.The system service is safe correspondingly.Partners manage to deal it by affirming arbitration technique.The VAN-based EDI system has been applied broadly between international trades,applied to customs,traffic and transportation,inviting public bidding,public utility etc.But the cost of the translating software and private network are so high that generally only big enterprises and their suppliers can afford EDI,many middle and small enterprises can't afford.Even the big enterprises couldn't save cost,because many of their partners don't use EDI.So costs become the factor restricting the broad application of VAN-based EDI.
Internet-based EDI system is integrated by Internet and EDI.With the rapid development and popularization of Internet,EDI can provide a low-cost,rapid-speed,wide-overcast,well-service working flat.Many middle and small enterprises can afford.So the Internet-based EDI system becamethe new era of EDI,Logistics Internet-based EDI system met the need of logistics information. EDI will bring more and more effect.Internet-based EDI provides in time,exacts information,which can be in favor of harmonizing production and sale,transportation and storage,optimizing supply program,shortening delivery period and reducing stock time.All these will reduce the cost of logistics and improve service level.
Because of the open character of Internet,the security of Internet-based EDI becomes very important.
2.The Security of Internet-based EDI
The attack and threaten of Internet-based EDI confronted with are as following:
(1)Imitation
Its some entities(people or system)make other entities believe who are legal users,inorder to obtain legal user sprivilege.
(2)Information modifying
It's a part of a legal information be changed or deleted.It willproducenon-authorization,such as modifying data in the file,changing“permitting A to execute”into“permitting B to execute”.
(3)Information reworking
It's a copy that attacks the legal data intercepted and captured for non-legal intention,so it will produce non-authorization.
(4)Disavow or deny
Contract or order of EDI may be denied or repudiated at the course of drafting,submitting,mailing.Especially in the open internet,contract or order of EDI often uses the auto-transmission mode or redirection mode.
(5)Information losting
There are three types of message losing:one is error;the other one is improper secrecymeasure;the third one is transferring message between the dissimilar liability regions.
(6)Denial of service(DoS)
DoS will result in the normal using and management which will be denied unconditionally.For example,using mass hash information can exhaust the resource(communication bandwidth or memory of host computer),result in reducing capability and halting service.This attack could have a special target to stop all data packages which for special destination.
(7)Information filching
Wire tapping monitor is a common means,and leading to net nobody guard to monitor.The other means is using wireless capture information which uses no wire tapping monitor.Using high sensitive equipment can incept electromagnetic wave and then recover the signal data.It can obtain valuable information by this means.
So the needed security services are as follows:
(1)Confidentiality
Confidentiality is not betraying information to non-authorization user,entity,process and unlawfulusing.It needs a means to encrypt data,because the system can't affirm if there are not any non-authorization user wire tapping data on the net.
The encryption data couldn't be captured by the third party unlawfully when it is transferring,using and transmitting.
Besides using variety encryption techniques,we can use accessing control methods to protect data.According to different data types and application demand,system administrator classifies data and user,configures corresponding access mode.
(2)Integrity
Integrity is the characteristic that non-authorization data can't change,that's to say,the informationcan't be unlawful modified,destroyed and lost during the storage and transmission,but it can be distinguished if information have been changed.Aim to ensure the data in the information system is integrity and not be changed or lost by intentionally or unintentionally.
(3)Availability
Availability is the characteristic that information can be accessed by authorized entity and be used according to demand.Authorized persons always keep or get information which required.Attacker can't engross all resources to encumber authorized persons to use.Denial of service and destroying network and normal system under network environment belong to availability attack.We can use distinguish techniques to actualize the availability according to demand,that is to say,everyentity is the entity who can allege.
(4)Controllability
Controllability is the ability to control the authorized information in a flow way,behavior mode,spread mode and contain.The first means is accessing control list,which can control who and how access the system;the second means is to validate the net user,who can use handshake protocol and distinguish identity;the last is to log all users activity to query and audit for later.
(5)Non-repudiation
Non-repudiation is that information behavior should be responsible for his action,shouldn't disavow the action which have been done or have been received.It's very important in EDIsystem.Weusuallyuse digital signature and notarization mechanism to ensure non-repudiation.Digital signature is the functionality simulation of hand signature.In fact,it's a function that input themessagewhich need protection and secret key.Output a value,it's validity that can be checked by another secret key.
3.The Solutions
According to the security problems of Internet-pased EDI system,corresponding solutions givenas follows.
(1)Data Encryption
Data encryption is one of the main methods to protect Internet-based EDI system.At present the usual data encryption is:symmetrical key cipher system(single key or private key)and unsymmetricalkey cipher system(double key or public key).It was classified by key number.
The symmetrical key cipher system can be classified into two sorts:stream cipher and block cipher,the stream cipher encrypts plaintext bit by bit,and the block cipher encrypts plaintext by block plaintext.
Block cipher Data Encryption Standard(DES)algorithm is the most common algorithm in EDI system.DES is an algorithm encrypt of two metadata.Data group length is 64 bits.No dataexpand,key length is 64 bits.Thereupon 8 bits is odd and even checkout,the valid length is 56 bits.The system of DES is open,so the security depends on key secret.
There are some other block cipher algorithms:Lucifer algorithm,Madryga algorithm,New DES algorithm,RC2 algorithm,RC4 algorithm,RC5 algorithm,IDEA algorithm,etc.
The most characteristic of unsymmetrical key cipher system use two keys:encrypting key and decrypting key,and they are different.Encrypting key is public,but decrypting key is secret.Both sides of communicators needn't exchange key before process.Analyzing plaintext and key from public key and cipher text is impossible.If encrypting is with public key,decrypt is with user private key,message encrypted by multi-user can be read by single-user.This means can be used for secret communication.Contrarily,if encrypt is with users private key and decrypt is with public key,message encrypted by single-user.can be read by multi-user.This method can be used for digital signature.
A sort of public-key cryptosystem was called RSA;it is constructed by number theory anddesignedby Rivest,Shamir and Adleman.It can be used for encryption and digital signature,easilyto understand and easy to implement.It's still safe and applied broadly.Some international standard organization(ISO,ITU and SWIFT)accept it as standard.The PGP(Pretty Good Privacy)of Internet adopts it as standard algorithm transmitting communion key and digital signature.The security of RSA algorithm is based on the difficulty of disaggregating big integer.
There are some other unsymmetrical key cipher systems,such as ECC(elliptic curvecry ptography)and ElGamal.
(2)Message authentication
Message authentication technique is a common way to keep information forgery away from tamper.Authentication is used for ensuring the facticity of communication,making sure incepted data just come from someone who claims,including equity entity and data fountain.Data fountain authentication works with connectionless serving,but equity entity authentication works with connection serving.On one side,we can ensure both entities are believable.On the other side,we can ensure the connection not be disturbed by the third party.
Authentication function is the main factor deciding system character in the message authentication system.
(3)Digital signature
Digital signature is the simulation of handwriting signature in our life.The basic character of signature is to prove the author and the time of signature.Its content must be distinguished when somebody subscribe message.At the same time,the signature must have law efficacy,which can be used to solve the discord issue by the third party.
Digital signature technique must include authentication function.It can be classified into two sorts in term of technique character,the direct digital signature and the mediation-based digital signature.
(4)Identity authentication
Identity authentication is authenticating users identity,to identify the user is lawful or lawless to prevent the lawless user to access the EDI system.Some of these certificate objects could be used as password,identifier,keepsake,fingerprint,retina,etc.
(5)Access control
Access control is used for ensuring controllable EDI system and preventing non-authorization user to access system resources.It can be used to control origin or destination of communication or a certain point on the communicate chain.Commonly it used at the application layer or at the transport layer for protecting subnet.
Fire wall is an access control technique to restrict reciprocation data selection.IP tunneling and VPN are also access control techniques.They can plight those inside users who communicate in EDI and interchange messages among them and express sensitivity extent through message structureor format to implement access control by a certain protocol conversion and compatible mechanism.
(6)Security protocol
Protocol is two or more participators accomplishing some special assignment by adopting a sort of progress.Security protocol is for accomplishing security assignment(for encryption,authentication,key distribution etc.).Security protocol applies in Internet-based EDI:IPSec(Internet Protocol Security),PGP(Pretty Good Private),S/MIME(Secure/Multipurpose Internet Mail Extension),SSL(Secure Sockets Layer),SET(Secure Electronic Transaction),Kerberos and X.509.
4.Conclusions
Security is a very important factor on Internet-based EDI system,especially on the open characteristic Internet.In this text the security strategies we have brought forward can ensure the data security problem:confidentiality,integrity,availability,identity authentication,non-repudiation,etc.,we can also ensure the security of Internet-based EDI system,and build a safety environment for both trade sides,so it can promote healthy and speedy logistics information development.