Encryption and signing summary

Described in the simplest terms, Interchange exchanges encrypted and signed documents in S/MIME format.

Outbound documents

The document contains the data that needs to be protected. The encryption and signing processes take place for every document that Interchange sends over the Internet.

Interchange encrypts and signs each document by building three parts: the encrypted document, the encrypted session key and the digital signature. The following is the process for an outbound document:

  1. A hashing routine (MD5 or SHA-1) creates a digital digest of the document. This digest is a number. If the data in the transaction are changed, added to or subtracted from, reapplying the hashing routine produces an entirely different digest. This characteristic of hashing routines makes it easy for a partner to verify the integrity of an inbound document.
  2. The digital digest is encrypted using your private key. This encrypted digest is the digital signature for this document. It ensures that the data in the document were not changed and that the document came from you and only you.
  3. Interchange generates a one-time session key. This is the symmetric key part of Interchange's hybrid encryption method.
  4. The session key is used to encrypt the document.
  5. Your partner's public key is provided in the certificate inside the profile your partner gave you. It is used to encrypt the session key for transmission. Thus, the key to decrypting the document has itself been encrypted by your partner's public key and can be decrypted only by your partner's private key.
  6. The document is then sent using whatever transport method you choose for this partner.

Inbound documents

When a document is received by your trading partner, the process is reversed according to the following steps:

  1. Upon receiving the document, Interchange begins security processing.
  2. Your partner uses the private key (the matching half to the asymmetric public key you used to encrypt it) to decrypt your symmetric key.
  3. The one-time key that was just decrypted is used, in turn, to decrypt the document. Your partner now has your message in clear text.
  4. With the public half of your public-private key pair that you sent your trading partner in your certificate (inside your community), your trading partner decrypts the digital signature.
  5. Your partner uses the same hashing routine (MD5 or SHA-1) to create a digital digest of the document. This is called rehashing. Your trading partner then compares this to the digest in the digital signature you sent. If the two are identical, your partner has proof that the contents of the document were not altered and that it came from you and only you.
  6. The document is now ready to be read into and used by your partner's business application.

Any documents that cannot be successfully processed are failed.

Related topics

Related Links