ISO-9735-6-2002.pdf

Reference number ISO 9735-6:2002(E) © ISO 2002 INTERNATIONAL STANDARD ISO 9735-6 Second edition 2002-07-01 Electronic data interchange for administration, commerce and transport (EDIFACT) Application level syntax rules (Syntax version number: 4, Syntax release number: 1) Part 6: Secure authentication and acknowledgement message (message type AUTACK) Échange de données informatisé pour l'administration, le commerce et le transport (EDIFACT) Règles de syntaxe au niveau de l'application (numéro de version de syntaxe: 4, numéro d'édition de syntaxe: 1) Partie 6: Message sécurisé pour l'authentification et accusé de réception (type de message AUTACK) Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Qatar Petroleum/5943408001 Not for Resale, 04/12/2007 03:04:47 MDTNo reproduction or networking permitted without license from IHS -,-,- ISO 9735-6:2002(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. © ISO 2002 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.ch Web www.iso.ch Printed in Switzerland ii © ISO 2002 All rights reserved Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Qatar Petroleum/5943408001 Not for Resale, 04/12/2007 03:04:47 MDTNo reproduction or networking permitted without license from IHS -,-,- ISO 9735-6:2002(E) © ISO 2002 All rights reserved iii Contents Page Foreword.iv Introductionvi 1 Scope1 2 Conformance1 3 Normative references2 4 Terms and definitions .2 5 Rules for the use of the secure authentication and acknowledgement message2 Annex A (informative) AUTACK message examples.9 Annex B (informative) Security services and algorithms .22 Bibliography28 Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Qatar Petroleum/5943408001 Not for Resale, 04/12/2007 03:04:47 MDTNo reproduction or networking permitted without license from IHS -,-,- ISO 9735-6:2002(E) iv © ISO 2002 All rights reserved Foreword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3. The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of this part of ISO 9735 may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 9735-6 was prepared by Technical Committee ISO/TC 154, Processes, data elements and documents in commerce, industry and administration in collaboration with UN/CEFACT through the Joint Syntax Working Group (JSWG). This second edition cancels and replaces the first edition (ISO 9735-6:1999). However ISO 9735:1988 and its Amendment 1:1992 are provisionally retained for the reasons given in clause 2. Furthermore, for maintenance reasons the Syntax service directories have been removed from this and all other parts of the ISO 9735 series. They are now consolidated in a new part, ISO 9735-10. At the time of publication of ISO 9735-1:1998, ISO 9735-10 had been allocated as a part for “Security rules for interactive EDI”. This was subsequently withdrawn because of lack of user support, and as a result, all relevant references to the title “Security rules for interactive EDI” were removed in this second edition of ISO 9735-6. Definitions from all parts of the ISO 9735 series have been consolidated and included in ISO 9735-1. ISO 9735 consists of the following parts, under the general title Electronic data interchange for administration, commerce and transport (EDIFACT) Application level syntax rules (Syntax version number: 4, Syntax release number: 1): Part 1: Syntax rules common to all parts Part 2: Syntax rules specific to batch EDI Part 3: Syntax rules specific to interactive EDI Part 4: Syntax and service report message for batch EDI (message type CONTRL) Part 5: Security rules for batch EDI (authenticity, integrity and non-repudiation of origin) Part 6: Secure authentication and acknowledgement message (message type AUTACK) Part 7: Security rules for batch EDI (confidentiality) Part 8: Associated data in EDI Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Qatar Petroleum/5943408001 Not for Resale, 04/12/2007 03:04:47 MDTNo reproduction or networking permitted without license from IHS -,-,- ISO 9735-6:2002(E) © ISO 2002 All rights reserved v Part 9: Security key and certificate management message (message type KEYMAN) Part 10: Syntax service directories Further parts may be added in the future. Annexes A to C of this part of ISO 9735 are for information only. Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Qatar Petroleum/5943408001 Not for Resale, 04/12/2007 03:04:47 MDTNo reproduction or networking permitted without license from IHS -,-,- ISO 9735-6:2002(E) vi © ISO 2002 All rights reserved Introduction This part of ISO 9735 includes the rules at the application level for the structuring of data in the interchange of electronic messages in an open environment, based on the requirements of either batch or interactive processing. These rules have been agreed by the United Nations Economic Commission for Europe (UN/ECE) as syntax rules for Electronic Data Interchange for Administration, Commerce and Transport (EDIFACT) and are part of the United Nations Trade Data Interchange Directory (UNTDID) which also includes both batch and interactive Message Design Guidelines. Communications specifications and protocols are outside the scope of this part of ISO 9735. This is a new part, which has been added to ISO 9735. It provides an optional capability of securing batch EDIFACT structures, i.e. messages, packages, groups or interchanges, by means of a secure authentication and acknowledgement message. Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Qatar Petroleum/5943408001 Not for Resale, 04/12/2007 03:04:47 MDTNo reproduction or networking permitted without license from IHS -,-,- INTERNATIONAL STANDARD ISO 9735-6:2002(E) © ISO 2002 All rights reserved 1 Electronic data interchange for administration, commerce and transport (EDIFACT) Application level syntax rules (Syntax version number: 4, Syntax release number: 1) Part 6: Secure authentication and acknowledgement message (message type AUTACK) 1 Scope This part of ISO 9735 for EDIFACT security defines the secure authentication and acknowledgement message AUTACK. 2 Conformance Whereas this part shall use a version number of “4” in the mandatory data element 0002 (Syntax version number), and shall use a release number of “01” in the conditional data element 0076 (Syntax release number), each of which appear in the segment UNB (Interchange header), interchanges continuing to use the syntax defined in the earlier published versions shall use the following Syntax version numbers, in order to differentiate them from each other and from this part: ISO 9735:1988 Syntax version number: 1 ISO 9735:1988 (amended and reprinted in 1990) Syntax version number: 2 ISO 9735:1988 and its Amendment 1:1992 Syntax version number: 3 ISO 9735:1998 Syntax version number: 4 Conformance to a standard means that all of its requirements, including all options, are supported. If all options are not supported, any claim of conformance shall include a statement which identifies those options to which conformance is claimed. Data that is interchanged is in conformance if the structure and representation of the data conform to the syntax rules specified in this part of ISO 9735. Devices supporting this part of ISO 9735 are in conformance when they are capable of creating and/or interpreting the data structured and represented in conformance with this part of ISO 9735. Conformance to this part of ISO 9735 shall include conformance to parts 1, 2, 5 and 10 of ISO 9735. When identified in this part of ISO 9735, provisions defined in related standards shall form part of the conformance criteria. Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Qatar Petroleum/5943408001 Not for Resale, 04/12/2007 03:04:47 MDTNo reproduction or networking permitted without license from IHS -,-,- ISO 9735-6:2002(E) 2 © ISO 2002 All rights reserved 3 Normative references The following normative documents contain provisions which, through reference in this text, constitute provisions of this part of ISO 9735. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply. However, parties to agreements based on this part of ISO 9735 are encouraged to investigate the possibility of applying the most recent editions of the normative documents indicated below. For undated references, the latest edition of the normative document referred to applies. Members of ISO and IEC maintain registers of currently valid International Standards. ISO 9735-1:2002, Electronic data interchange for administration, commerce and transport (EDIFACT) Application level syntax rules (Syntax version number: 4, Syntax release number: 1) Part 1: Syntax rules common to all parts ISO 9735-2:2002, Electronic data interchange for administration, commerce and transport (EDIFACT) Application level syntax rules (Syntax version number: 4, Syntax release number: 1) Part 2: Syntax rules specific to batch EDI ISO 9735-5:2002, Electronic data interchange for administration, commerce and transport (EDIFACT) Application level syntax rules (Syntax version number: 4, Syntax release number: 1) Part 5: Security rules for batch EDI (authenticity, integrity and non-repudiation of origin) ISO 9735-10:2002, Electronic data interchange for administration, commerce and transport (EDIFACT) Application level syntax rules (Syntax version number: 4, Syntax release number: 1) Part 10: Syntax service directories 4 Terms and definitions For the purposes of this part of ISO 9735, the terms and definitions given in ISO 9735-1 apply. 5 Rules for the use of the secure authentication and acknowledgement message 5.1 Functional definition AUTACK is a message authenticating sent, or providing secure acknowledgement of received interchanges, groups, messages or packages. A secure authentication and acknowledgement message can be used to: a) give secure authentication, integrity or non-repudiation of origin to messages, packages, groups or interchanges; b) give secure acknowledgement or non-repudiation of receipt to secured messages, packages, groups or interchanges. 5.2 Field of application The secure authentication and acknowledgement message (AUTACK) may be used for both national and international trade. It is based on universal practice related to administration, commerce and transport, and is not dependent on the type of business or industry. 5.3 Principles 5.3.1 General The applied security procedures shall be agreed to by trading partners and specified in an interchange agreement. Copyright International Organization for Standardization Provided by IHS under license with ISO Licensee=Qatar Petroleum/5943408001 Not for Resale, 04/12/2007 03:04:47 MDTNo reproduction or networking permitted without license from IHS -,-,- ISO 9735-6:2002(E) © ISO 2002 All rights reserved 3 The secure authentication and acknowledgement message (AUTACK) applies security services to other EDIFACT structures (messages, packages, groups or interchanges) and provides secure acknowledgement to secured EDIFACT structures. It can be applied to combinations of EDIFACT structures that need to be secured between two parties. The security services are provided by cryptographic mechanisms applied to the content of the original EDIFACT structures. The results of these mechanisms form the body of the AUTACK message, supplemented by relevant data such as references of the cryptographic methods used, the reference numbers for the EDIFACT structures and the date and time of the original structures. The AUTACK message shall use the standard security header and trailer groups. The AUTACK message can apply to one or more messages, packages or groups from one or more interchanges, or to one or more interchanges. As one example, Figure 1 describes an interchange when using the AUTACK message together with one or more messages. Figure 1 Interchange showing security by using the AUTACK message at message level (sche