When you exchange EDI documents via the Internet, the security of your data is of vital importance. It is critical that only the intended recipient can read the sensitive data being transmitted, such as purchase orders, invoices, or remittance advices. While encryption technologies have long been used to achieve the level of security needed for this sensitive data, their usage can be hampered by the difficulty of exchanging the “keys” upon which they depend. Digital certificates resolve the key exchange and management issues.
There are two basic kinds of cryptography.
The first is called “symmetric key encryption,” which involves the use of an encryption/decryption key, often called a “shared secret.” The key can be a code of any length, for example, 768 bytes or more. The longer and more random the key is, the greater the security achieved. To use this approach for B2B, that long key would need to be exchanged with all companies with which a business would be exchanging documents.
There are several issues with the symmetric key approach. First, how do you exchange the key in a secure fashion? Just as you shouldn’t exchange passwords or credit card numbers via email, email is not a good vehicle for the shared secret – it’s not secure! Also, if you exchange documents with multiple partners, you probably want each partner to have a different key. That way, if one partner inadvertently gets documents intended for another partner, he cannot decrypt it because his key works only on documents intended for him. Managing all these keys can become a logistics nightmare.
A better approach is to use “asymmetric encryption,” which uses a set of two keys – a “public key” that is used to encrypt and a “private key” that is used to decrypt – combined with a “digital certificate,” which makes the key exchange and management process very easy.
- The public key is called “public” because everyone who sends you documents can use the same key. There are no security worries about the public key falling into unauthorized hands, since this key cannot be used to decrypt or read your messages. It can only be used to encrypt messages being sent to you.
- You have a second key, called a “private” key, which is not shared with anyone else. This key is accessed by your communications software and is used to decrypt documents sent to you by partners that have encrypted documents using your public key.
- The digital certificate is actually an electronic “container” for the public key and other important information such as organization name, email address, and server identification. The certificate is formatted in a standard way, thus enabling software to immediately read the certificate and “know” where to find the specific pieces of data needed. The certificate can be exchanged via email because the information in it is all public, so there’s no security concern. In addition, the digital certificate enables you to keep track of which public key belongs to which company – this is extremely helpful when you need to manage hundreds or even thousands of keys for all the business partners to whom you are sending documents, each with its own public key.
You can obtain a digital certificate for your company from an authorized certificate authority – such as VeriSign or Thawte – that acts as a trusted third party who vouches for the validity of the keys. Or, you can use special software to create your own digital certificate.
In the B2B world, the asymmetric encryption approach combined with the digital certificate is the better approach. The public and private keys help ensure that (1) the data is encrypted during transmission over the Internet and (2) only the intended recipient is capable of decrypting the data. The digital certificate makes the process easy and manageable.
To learn more about the best options for B2B Communications, watch this webinar: How to Determine the Best Communications Protocol for B2B Integration.