ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

How should I send business critical data?

Updated on May 31, 2014

Secure and Verifiable Transport

You need to ensure that your data gets where is needs to go. You would also not want people to view the content of that data. There are several potential ways to send data, SFTP, FTPS, FTP, AS2, and AS3. Of these options, AS2 allows you to ensure that these needs are met and is available in free (for 1 connection) or inexpensive options.

AS2 is a protocol which uses the same process that all web pages use. On top of that, the protocol encrypts the data. This make sure that the data cannot be viewed by others. The protocol also signs the data. so you know that it came from the person you think it did. The protocol further requires an MDN as proof that the file was successfully received and accepted by the other party.


Importance of Encryption

It is a reality that there are those out on the internet who want nothing more than to intercept and steal your data. In years past, you could send emails encrypted by Pretty Good Privacy (PGP or the GNU version GPG). You could also send a file once run through that encryption. This usually meant that you needed a second step to encrypt the data, once you had gone through the process of setting up your key.

This relied on 2 keys, a public and a private version. You would need the key of the party to whom you were sending the file. This would be a copy of their public key. You would use that key to encrypt the file. Once they got the file, they would then use their private key to decrypt the file.

During those transports (usually FTP) from the sending location to the destination location, the file could be intercepted and copied, but with out the ability to decrypt the file, it would have no use. Some files could be decrypted but the amount of effort required is not usually worth it will all that unencrypted traffic ripe for the picking.

AS2 uses the concept of certificates to replace the key concept. The program takes care of the encryption as part of the transfer, as long as you have it set to do so.

Remember that this sends data the same way that the web does. This means that, like a web page, you can also use the HTTPS protocol to encrypt your data during transfer.

Importance of Signing

So you got this encrypted data but how do you know it came from the right place? After all, anyone who can access your public key could have encrypted that file. In the PGP days, there were public key rings onto which you would put your key. Anyone could get your key off that ring and encrypt a file.

So a process called signing was created. Remember that in the last section I mentioned public and private keys. You kept your private key and did not share it. You needed a password in addition to the key to decrypt a file. This is the key you use to sign your file.

The same applies to AS2 certificates. You will sign the file so that your recipient knows it came from you. You can sign and then encrypt or encrypt then sign. If you sign first, then you must decrypt the file before you can verify where it came from. If you encrypt first, then the sender's identity can be verified first, but the signature block is sent in the "clear".

You can also use the HTTPS protocol here to encrypt the entire content. This would then protect through encryption the signature block during transport and allow you to verify the identity prior to your attempt to decrypt he content.

As with the encryption, the AS2 programs handle the signing as part of the transport saving you that step, as long as you have it configured to sign.

Verification of Receipt

One of the things lacking in most file transfer protocols is the concept of the file receipt. You sent the file but got no acknowledgement, at least as part of the transfer process, that the file got to its destination without issue.

Enter the MDN or Message Disposition Notification. This is an acknowledgement file. This will verify receipt, that the system recognized he sender, and that the file could be decrypted. If there were issues, then it also will list those errors.

In this way, you have proof that the file got there. There are 2 possible ways to get that. The first and best way is from a Synchronous transfer. The second is via an Asynchronous transfer.

Synchronous means that you open the connection to your partner and leave that open for a period of time to allow your partner to return the MDN on that connection. This gives you immediate feedback on each and every files sent.

Asynchronous means that you open the connection, send the file, monitoring the bits transferred, and then close the connection before the MDN. Your recipient would then open a connection into your system to send you the MDN. This means you have to wait on them to let you know they got the file, which could be quickly or slowly depending on how they are configured.

An Under the Covers View

There are a couple of additional items of note in this system. Some servers require you to log in to them before you can send data. All servers have a concept of ID pairs.

Remember again that this is the same way you would interact with a web page. Just like a web page, you would look for some indication that the sending of your credentials was protected through encryption. If you were wondering about why you would send encrypted data over HTTPS, here is a reason, to protect those log in credentials. You are creating a single connection to send the data, so you begin with an HTTPS session, log in to the server, and then send your data.

At this point you may wonder why you wouldn't just use HTTPS to send the data. I would refer you to the articles on web certificate theft (see the additional resources section) as a reason why that is not the most secure way to send your data every time.

In addition to the certificates for identification, AS2 has the concept of ID pairs. There is a sender ID (yours) and a receiver ID. On the receiving system, these would also exist (although reversed, naturally). Once the file is successfully transferred, the system has to know where to put the file. This ID pairing refers to the equivalent of a mailbox on the system. Using the IDs sent along with the file, the proper mailbox can be found. If the proper mailbox cannot be found, that information is reflected in the MDN and returned in that document.

Summary

There will always be someone out there who wants your data. And, while there may be a way to get it, there is no reason to make it easy for them. Using AS2, you get:

  • Encryption of your data to protect its content
  • Signing of the data to verify the sender
  • A report that the file was successfully received and that the system recognized the sender
  • The ability to require someone to log in, further verifying their identity

Keep your data safe and secure. Look into AS2.

Additional Resources

The Drummond group is one of the certification groups for AS2, you can see about the tests and products at their site.

2011 was the year of the SSL (used for HTTPS) certificate thefts. ComputerWorld has an article detailing the companies impacted.

This ComputerWorld article, unfortunately, shows that we may not always know when these thefts occur.

Also, please make sure that you pick reasonable expiration dates for your certificates. It can be very easy to try to set and forget but remember that the longer you encrypt with the same certificate, the more information you provide to those trying to decrypt your data. Don't allow long expirations of certificates with high volume transfers to make your own data into a Rosetta stone for those trying to get your data.

Comments

    0 of 8192 characters used
    Post Comment

    No comments yet.

    working

    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, hubpages.com uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at: https://hubpages.com/privacy-policy#gdpr

    Show Details
    Necessary
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the googleapis.com or gstatic.com domains, for performance and efficiency reasons. (Privacy Policy)
    Features
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Marketing
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Statistics
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)