Non-repudiation is proving who uploaded and downloaded a file, and whether or not the received file is identical to the one sent. Verifying that a file has been sent and received without being modified by a man-in-the-middle attack is critical for many different business processes, such as in healthcare, finance, or logistics.
What is Non-Repudiation in File Transfers Built On?
There are a few building blocks that help define a secure end-to-end file transfer process. Broadly speaking, these building blocks are:
- Verification of Senders and Receivers
- Data File Encryption
- Secure Transport
- File Receipt Verification and Validation
Verification of Senders and Receivers
This authentication piece is primarily built around the idea of certificates and signatures. Before uploading a file to send, the certificate is examined to verify that the endpoint is indeed the correct location. Conversely, when the recipient is downloading the file, the digital signature of the sending party is checked to verify that they are who they say they are. This process works like so:
- The sender encrypts the file using their private key and digital signature which is signed by a trusted certificate authority (CA) and attached to the file.
- The recipient decrypts the digital signature on the file using the public key that is held by the CA.
With this time-tested process, the sender and file can be validated as correct. To authenticate the sender and recipient, a system may implement a login system that ideally incorporates multi-factor authentication best practices.
Data File Encryption
Files are typically encrypted using one of several different protocols. These protocols should be FIPS-validated encryption protocols such as 3DES or AES. These are purely data encryption protocols and although 3DES is included, it is an older protocol. The current gold-standard is to use AES-256. Unfortunately, certain file transfer solutions such as the AS2 and AS3 systems are limited to 3DES.
Securely transporting data is typically done over a TLS encrypted link and not SSL. This link will be validated by server-level certificates and utilize TLS 1.2 or the newer TLS 1.3 protocol.
File Receipt Verification and Validation
Just because a file is encrypted, and we have digital signatures for the sender and receiver, does not necessarily mean the file was not tampered with in transport. To verify that the file is correct, the best practice is to use a mechanism known as an HMAC (Keyed-Hashing for Message Authentication). There are several HMAC algorithms, such as HMAC-MD5, HMAC-SHA1, or HMAC-SHA256. This hashing algorithm employs both a hash of the file and a shared secret key. This allows the exchanging parties the ability to establish the authenticity of the message.
Common Systems for Managed File Transfers
Taking all of the building blocks together, what are the available solutions and common protocols for secure and managed file transfers? There are a few protocols and systems that help to facilitate this process. The three most commonly used protocols and technologies are:
- AS1-4 Family
- HTTPS (TLS 1.2+), AES-256, HMAC-SHA256, SFTP, and Multi-Factor Authentication
One of the best-known EDI protocols is the AS1-4 family of protocols. AS2 is one of the most commonly deployed versions of this protocol, but AS3 has added security by building on the FTP/SSL protocol which adds authentication into the mix. AS4 has further enhanced interoperability with modern network infrastructures by being built on SOAP and Web Services.
The original Odette File Transfer Protocol was developed in the mid-’80s to assist in EDI data exchanges. In 2007 the updated version, OFTP2, was introduced with enhanced security and compression features over its predecessor.
HTTPS (TLS 1.2+), AES-256, HMAC-SHA256, SFTP, Multi-Factor Authentication
Though the above combination of technologies is a bit of a handful to say, many modern managed file transfer solutions are built on the above set of technologies. Systems that utilize TLS for secure transport, AES-256 for data encryption, HMAC-SHA246 for data integrity, SFTP as a secure endpoint, and multi-factor authentication to verify senders and receivers, ensures that transferred data is accurate according to non-repudiation standards.
In today’s world, validating that a received file is tamper-free and from a trusted sender is more important than ever. Utilizing non-repudiation techniques in file transfers helps to secure data transfers that are core to many business processes. Using known secure techniques and products serves to provide the peace of mind that is needed when transferring sensitive data.