Service message type specifications: AUTACK (EDIFACT Syntax Version 4)

AUTACK  
Secure authentication and acknowledgement message
 
 
Date: 98-12-01

Source: Syntax Development Group (SDG)

0. INTRODUCTION
This is a new part, which has been added to ISO 9735. It provides an optional capability of securing batch EDIFACT structures, i.e. messages, packages, groups or interchanges, by means of a secure authentication and acknowledgement message.

1. SCOPE
This part of ISO 9735 for EDIFACT security defines the secure authentication and acknowledgement message AUTACK.

1.1 Functional definition
AUTACK is a message that authenticates sent interchanges, groups, messages or packages, or that provides secure acknowledgement of received ones.

A secure authentication and acknowledgement message can be used to:

a)  give secure authentication, integrity or non-repudiation of origin to messages, packages, groups or interchanges.

b)  give secure acknowledgement or non-repudiation of receipt to secured messages, packages, groups or interchanges.

1.2 Field of application
The secure authentication and acknowledgement message (AUTACK) may be used for both national and international trade. It is based on universal practice related to administration, commerce and transport, and is not dependent on the type of business or industry.

1.3 Principles
The applied security procedures shall be agreed to by trading partners and specified in an interchange agreement.

The secure authentication and acknowledgement message (AUTACK) applies security services to other EDIFACT structures (messages, packages, groups or interchanges) and provides secure acknowledgement to secured EDIFACT structures. It can be applied to combinations of EDIFACT structures that need to be secured between two parties.

The security services are provided by cryptographic mechanisms applied to the content of the original EDIFACT structures. The results of these mechanisms form the body of the AUTACK message, supplemented by relevant data such as references of the cryptographic methods used, the reference numbers for the EDIFACT structures and the date and time of the original structures.

The AUTACK message shall use the standard security header and trailer groups.

The AUTACK message can apply to one or more messages, packages or groups from one or more interchanges, or to one or more interchanges.

1.3.1 Use of AUTACK for the authentication function

An AUTACK message used as an authentication message shall be sent by the originator of one or more other EDIFACT structures, or by a party having authority to act on behalf of the originator. Its purpose is to facilitate the security services defined in Part 5 of ISO 9735, i.e. authenticity, integrity, and non-repudiation of origin of its associated EDIFACT structures.

An AUTACK authentication message can be implemented in two ways. The first method conveys hash values of the referenced EDIFACT structures and relies on the AUTACK itself being secured; the second uses the AUTACK only to convey digital signatures of the referenced EDIFACT structures.

1.3.1.1 Authentication using hash values of the referenced EDIFACT structures

The secured EDIFACT structure shall be referenced in an occurrence of the USX (security references) segment. For each USX there shall be at least one corresponding USY (security on references) segment which contains the security result, for example the hash value, of the security function performed on the referenced EDIFACT structure.
Details about the security function performed shall be contained in the AUTACK security header group. The USY and USH segments for the referenced EDIFACT structure shall be linked using security reference number data elements in both segments.

As a final step, all the information conveyed in the AUTACK shall be secured using at least one pair of security header and security trailer groups.

Note:
AUTACK uses the USX segment to reference one or more messages, packages or groups in one or more interchanges, or to reference an entire interchange. For each USX segment a corresponding USY segment contains the result of the hashing, authentication or non-repudiation method applied to the referenced EDIFACT structure.

1.3.1.2 Authentication using digital signatures of the referenced EDIFACT structures

The secured EDIFACT structure shall be referenced in an occurrence of the USX (security references) segment. For each USX at least one corresponding USY (security on references) segment, which contains the digital signature of the referenced EDIFACT structure, shall be present. Details about the security function performed shall be contained in the AUTACK security header group. Because a single referenced EDIFACT structure may be secured more than once, the related USY and security header group shall be linked using security reference number data elements in both segments.

If the digital signature of the referenced EDIFACT structure is contained in AUTACK (rather than just a hash value), the AUTACK itself does not need to be secured. The signature is computed under the originator's key, so a third party cannot substitute a referenced structure and recompute a matching USY result; with a bare hash value that substitution is trivial, which is why the hash method requires the surrounding security header and trailer groups.

1.3.2 The use of AUTACK for the acknowledgement function

An AUTACK message used as an acknowledgement message shall be sent by the recipient of one or more previously received secured EDIFACT structures, or by a party having authority to act on behalf of the recipient. Its purpose is to facilitate confirmation of receipt, validation of integrity of content, validation of completeness and/or non-repudiation of receipt of its associated EDIFACT structures.

The acknowledgement function shall be applied only to secured EDIFACT structures. The secured EDIFACT structure shall be referenced in an occurrence of the USX (security references) segment. For each USX there shall be at least one corresponding USY (security on references) segment which contains either the hash value or the digital signature of the referenced EDIFACT structure. The USY shall be linked to a security header group of the referenced EDIFACT structure, or of an AUTACK message securing it, using the security reference number data element. The corresponding security header related to the referenced EDIFACT structure contains the details of the security function performed on the referenced EDIFACT structure by the sender of the original message.

As a final step in generation of the acknowledgement message, all the information conveyed in the AUTACK shall be secured using at least one pair of security header and security trailer groups.

AUTACK may also be used as a non-acknowledgement when verification of the security results fails.

Note:
Secure acknowledgement is only meaningful for secured EDIFACT structures. Securing EDIFACT structures is accomplished by the use of either integrated security segments (see Part 5 of ISO 9735) or AUTACK authentication.
To prevent endless loops, an AUTACK used for the acknowledgement function shall not require its recipient to send back an AUTACK acknowledgement message.
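The following is an added worked example, not part of ISO 9735 or of this specification, that models the two authentication methods of 1.3.1 and the acknowledgement function of 1.3.2 as a Python structure. Segments are represented as dicts with illustrative fields ("sec_ref" for the security reference number, "function", "result", and the hypothetical "ack_requested" and "status" flags), not as the real EDIFACT segment layout, which this page does not give. UST is assumed to be the security trailer segment of ISO 9735 Part 5 (it is not named on this page). HMAC-SHA256 under a shared key stands in for the digital signature so that the example runs on the standard library alone; the standard's signature is asymmetric. Keys and the ORDERS-style message bytes are constructed for the example. The tamper scenarios show the check a practitioner wants: a hash-only AUTACK that is not itself secured lets an intermediary swap the referenced message and recompute the USY, while the wrapped hash method and the signature method both detect it.

```python
import hashlib
import hmac
import json

SENDER_KEY = b"sender-secret-key"      # constructed; real keys come from the interchange agreement
RECEIVER_KEY = b"receiver-secret-key"  # constructed

def hash_result(edi: bytes) -> str:
    """Unkeyed result: what a USY carries in the hash method (1.3.1.1)."""
    return hashlib.sha256(edi).hexdigest()

def keyed_result(key: bytes, data: bytes) -> str:
    """Keyed result: stands in for the digital signature in a USY (1.3.1.2) and for
    the result in the trailer securing an AUTACK. HMAC is a stdlib stand-in only."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def canonical(segments: list) -> bytes:
    """Bytes the securing trailer result is computed over (model only)."""
    return json.dumps(segments, sort_keys=True).encode()

def build_autack(references, key, method, wrap=None, ack_requested=True):
    """references: list of (ref_id, edi_bytes); method: 'hash' or 'signature'.
    wrap defaults to the standard's rule: hash-method AUTACKs are themselves
    secured by a header/trailer pair, signature-method AUTACKs need not be."""
    if wrap is None:
        wrap = method == "hash"
    segs = []
    for n, (ref_id, edi) in enumerate(references, start=1):
        # USH (function details), USX (reference) and USY (result) share sec_ref n.
        segs.append({"seg": "USH", "sec_ref": n, "function": method,
                     "ack_requested": ack_requested})
        segs.append({"seg": "USX", "sec_ref": n, "ref_id": ref_id})
        result = hash_result(edi) if method == "hash" else keyed_result(key, edi)
        segs.append({"seg": "USY", "sec_ref": n, "result": result})
    if wrap:  # one header/trailer pair securing everything the AUTACK conveys
        segs.insert(0, {"seg": "USH", "sec_ref": 0, "function": "wrapper"})
        segs.append({"seg": "UST", "sec_ref": 0,
                     "result": keyed_result(key, canonical(segs))})
    return segs

def verify_autack(autack, key, received):
    """received maps ref_id -> bytes as actually received. Returns the list of
    verification problems; an empty list means every result checked out."""
    problems, segs = [], autack
    if segs and segs[-1]["seg"] == "UST":
        expected = keyed_result(key, canonical(segs[:-1]))
        if not hmac.compare_digest(expected, segs[-1]["result"]):
            problems.append("trailer result mismatch: AUTACK content altered")
        segs = segs[:-1]
    headers = {s["sec_ref"]: s for s in segs if s["seg"] == "USH"}
    refs = {s["sec_ref"]: s["ref_id"] for s in segs if s["seg"] == "USX"}
    for usy in (s for s in segs if s["seg"] == "USY"):
        n = usy["sec_ref"]
        if n not in headers:  # an acknowledgement's USY links to the originator's USH
            continue
        edi = received[refs[n]]
        expected = (hash_result(edi) if headers[n]["function"] == "hash"
                    else keyed_result(key, edi))
        if not hmac.compare_digest(expected, usy["result"]):
            problems.append(f"USY {n}: result mismatch for {refs[n]}")
    return problems

def build_acknowledgement(autack, problems, key):
    """Receiver's AUTACK (1.3.2): per secured structure a USX and a USY linked by
    sec_ref to the originator's header, echoing the verified result; a
    non-acknowledgement if problems were found. Secured by the receiver's own
    header/trailer pair and marked as not requesting a further AUTACK (no loop)."""
    status = "rejected" if problems else "acknowledged"
    segs = [{"seg": "USH", "sec_ref": 0, "function": "acknowledgement",
             "status": status, "ack_requested": False}]
    results = {s["sec_ref"]: s["result"] for s in autack if s["seg"] == "USY"}
    for usx in (s for s in autack if s["seg"] == "USX"):
        segs.append(dict(usx))
        segs.append({"seg": "USY", "sec_ref": usx["sec_ref"],
                     "result": results[usx["sec_ref"]]})
    segs.append({"seg": "UST", "sec_ref": 0,
                 "result": keyed_result(key, canonical(segs))})
    return segs

def tamper_scenarios():
    """An intermediary swaps the referenced message and recomputes the USY hash.
    Returns {scenario: problems} for the three configurations."""
    original = {"MSG1": b"UNH+1+ORDERS:D:96A:UN'QTY+21:100'UNT+3+1'"}  # constructed
    forged = {"MSG1": b"UNH+1+ORDERS:D:96A:UN'QTY+21:1000'UNT+3+1'"}
    out = {}
    for name, method, wrap in [("hash_unwrapped", "hash", False),
                               ("hash_wrapped", "hash", True),
                               ("signature", "signature", False)]:
        autack = build_autack(list(original.items()), SENDER_KEY, method, wrap)
        for s in autack:
            if s["seg"] == "USY" and method == "hash":
                s["result"] = hash_result(forged["MSG1"])  # attacker recomputes
        out[name] = verify_autack(autack, SENDER_KEY, forged)
    return out
```

Calling tamper_scenarios() yields no problems for the unwrapped hash variant (the forgery passes), a trailer mismatch for the wrapped hash variant (the recomputed USY breaks the result the originator computed over the whole AUTACK), and a USY mismatch for the signature variant (the attacker has no key to recompute it). build_acknowledgement(auth, verify_autack(auth, SENDER_KEY, received), RECEIVER_KEY) produces the receiver's AUTACK, with status "rejected" when verification found problems, and verify_autack on that acknowledgement checks only the receiver's trailer, since the USY there points at the originator's security header.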

2. REFERENCES
See UNTDID, Part 4, Chapter 2.6 UN/ECE UNSM - General Introduction, Section 1.

3. TERMS AND DEFINITIONS

3.1 Standard terms and definitions
See UNTDID, Part 4, Chapter 2.6 UN/ECE UNSM - General Introduction, Section 2.

4. MESSAGE DEFINITION

4.1 Data Segment Clarification
This section should be read in conjunction with the Branching Diagram and Segment Table which indicate mandatory, conditional and repeating requirements.

4.2 Data segment index (Alphabetical sequence)

4.3 Message structure

4.3.1 Segment table
Date: 2002-05-23