Content Integrity
a guarantee that the receiving trading partner gets the message or transaction in its originally sent state
assures that no modifications -- additions, deletions, or changes -- have been made to the message/transaction when it is in transit between trading partners
Methodology to Achieve Content Integrity
the sender includes an integrity control value with the message or transaction
the value is computed using an appropriate cryptographic algorithm to "fingerprint" the message
the cryptographic algorithm is called a one way hash function or message integrity check
One Way Hash Functions
unlike encryption algorithms, cannot be reversed or decrypted
constructed so that the probability is vanishingly small that some other arbitrary-length piece of plaintext hashes to the same value
hash values are usually from 112 to 160 bits long
the longer the hash value, the more secure
Use of One Way Hash Function - Sender
no key required, but trading partners agree on algorithm to use
sender calculates a one-way hash value of the message/transaction and the MIME content headers, "fingerprinting" the transaction
sender sends the hash value along with the transaction
Use of One Way Hash Function - Receiver
receiving trading partner uses the same one way hash function to calculate the hash value for the message/transaction and MIME content headers
if the received hash value matches the calculated hash value, then the receiving trading partner knows that the message has not been tampered with
Needs
choice of a one-way hash algorithm to calculate the hash value required to ensure content integrity
Issues Related to Content Integrity Across the Internet
the one way hash function should be:
secure
publicly available
able to produce hash values of at least 128 bits
Recommendations
Secure Hash Algorithm (SHA-1), a one way hash function invented by the National Security Agency, produces a 160 bit hash value, which makes a brute force attack on it infeasible.
MD5 is a one-way hash function that is publicly available and produces a 128 bit hash value called a Message Digest. It is currently used in most e-mail security programs.
Recommendation
All new applications should use SHA-1 for outgoing messages, but continue to accept both MD5 and SHA-1 on incoming messages, as many MD5 implementations already exist
Conclusions
content integrity should be provided by using a one-way hash value to ensure that the original message and the received message have identical content
the hash value can then be the object that is digitally signed by the sender to provide authentication and Non-Repudiation of Origin
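The sender and receiver steps and the send-SHA-1, accept-MD5-or-SHA-1 recommendation above, as an added Python example that is not part of the original page. The header canonicalization, the function names and the sample transaction are assumptions made for illustration.

```python
import hashlib
import hmac

# Policy from the recommendation above: send SHA-1, accept SHA-1 or MD5.
# Both algorithms now have known collision attacks; the policy shown is the page's.
OUTGOING_ALG = "sha1"
ACCEPTED_ALGS = {"sha1", "md5"}


def canonical_bytes(mime_headers, body):
    """Serialize MIME content headers and body into the exact bytes that get hashed."""
    # Assumption: names are lower-cased, headers sorted, lines end in CRLF,
    # so both partners hash identical bytes regardless of header order or case.
    pairs = sorted((name.lower(), value.strip()) for name, value in mime_headers.items())
    head = "\r\n".join(f"{name}: {value}" for name, value in pairs)
    return head.encode("utf-8") + b"\r\n\r\n" + body


def fingerprint(mime_headers, body, alg=OUTGOING_ALG):
    """Sender side: compute the integrity control value sent with the transaction."""
    return alg, hashlib.new(alg, canonical_bytes(mime_headers, body)).hexdigest()


def verify(mime_headers, body, alg, received_hex):
    """Receiver side: recompute with the agreed algorithm and compare."""
    alg = alg.lower()
    if alg not in ACCEPTED_ALGS:
        raise ValueError(f"hash algorithm not agreed between partners: {alg}")
    _, expected = fingerprint(mime_headers, body, alg)
    # compare_digest keeps the comparison time independent of where the values differ.
    return hmac.compare_digest(expected, received_hex.lower())


# Constructed sample transaction (not from the original page).
HEADERS = {"Content-Type": "application/EDI-X12", "Content-Transfer-Encoding": "binary"}
BODY = b"ISA*00*          *00*          *ZZ*SENDER~ST*850*0001~SE*2*0001~"

if __name__ == "__main__":
    alg, digest = fingerprint(HEADERS, BODY)
    print(alg, digest)
    print("intact:", verify(HEADERS, BODY, alg, digest))
    print("body changed:", verify(HEADERS, BODY.replace(b"850", b"855"), alg, digest))
    print("header changed:", verify({**HEADERS, "Content-Type": "text/plain"}, BODY, alg, digest))
```

Because no key is involved, the check detects changes only when the received hash value itself can be trusted, which is why the conclusions have the sender digitally sign it.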