A Study on the Secure ebXML Transaction Models

World Academy of Science, Engineering and Technology, International Journal of Computer and Information Engineering, Vol:2, No:10, 2008
International Science Index, Computer and Information Engineering Vol:2, No:10, 2008 waset.org/Publication/12535
International Scholarly and Scientific Research & Innovation 2(10) 2008 3389 scholar.waset.org/1307-6892/12535

Dongkyoo Shin, Dongil Shin, Sukil Cha, and Seyoung Kim

Dongkyoo Shin (Phone: +82-2-3408-3242, e-mail: [email protected]), to whom correspondence should be addressed, and Dongil Shin (e-mail: [email protected]) are with the Department of Computer Engineering, Sejong University, 98 Kunja-Dong, Kwangjin-Gu, Seoul 143-747, Korea. Sukil Cha (e-mail: [email protected]) is with Korea Research Foundation, 25 HeunReung-Ro, Seocho-Gu, Seoul 137-748, Korea. Seyoung Kim (e-mail: [email protected]) is with the Center for Global Business, Korea Health Industry Development Institute, 57-1 Noryangjin-Dong, Dongjak-Gu, Seoul 156-050, Korea. This study was supported by a grant of the Korea Health 21 R&D Project, Ministry for Health, Welfare and Family Affairs, Republic of Korea (0412-MI01-0416-0002).

Abstract—ebXML (Electronic Business using eXtensible Markup Language) is an e-business standard, sponsored by UN/CEFACT and OASIS, which enables enterprises to exchange business messages, conduct trading relationships, communicate data in common terms and define and register business processes. While there is tremendous e-business value in the ebXML, security remains an unsolved problem and one of the largest barriers to adoption. XML security technologies emerging recently have extensibility and flexibility suitable for security implementation such as encryption, digital signature, access control and authentication. In this paper, we propose ebXML business transaction models that allow trading partners to securely exchange XML based business transactions by employing XML security technologies. We show how each XML security technology meets the ebXML standard by constructing the test software and validating messages between the trading partners.

Keywords—Electronic commerce, e-business standard, ebXML, XML security, secure business transaction.

I. INTRODUCTION

In the last few years, XML (eXtensible Markup Language) [1] has rapidly become the first choice for defining data interchange formats in new e-business applications on the Internet and the basis for e-business frameworks such as ebXML, RosettaNet and Web Services [2]. ebXML (Electronic Business using eXtensible Markup Language) is a set of specifications for XML-based global infrastructure for e-business transactions, being driven by OASIS (the Organization for the Advancement of Structured Information Standards) and UN/CEFACT (the United Nations' Center for Trade Facilitation and E-business), which enables enterprises of any size and in any geographical location to exchange business messages, conduct trading relationships, communicate data in common terms and define and register business processes [3,8,9]. Nowadays, ebXML is regarded as an e-business Web Service, where Web Services are a standard proposed by the W3C (World Wide Web Consortium). In Web services, great interoperability and extensibility are offered thanks to the use of XML, and each Web Service can be combined in a loosely coupled way in order to achieve complex operations [9]. Components providing simple services can interact with each other in order to achieve business goals.

While there is tremendous e-business value in the ebXML, security remains an unsolved problem and one of the largest barriers to adoption. To ensure trust between business entities, a model for security is needed. The ebXML security challenge [3, 4, 8, 9] is to understand and assess the risk involved in securing this new web framework based on our existing security technology, and at the same time track emerging standards and understand how they will be used to resolve the risks that must be mitigated or reduced to an acceptable level in order for the entity to perform business functions. The list of key risks for ebXML is identified as follows [4].

  • Unauthorized transactions and fraud – businesses might be more at risk because of the increased automation of transactions that could allow unauthorized access or fraud to be perpetrated.
  • Loss of confidentiality – transactions or specific entity knowledge may be carelessly or deliberately opened on the network.
  • Error detection (application, network/transport, platform) – application errors can result in the transmission of incorrect trading information.
  • Potential loss of management and audit – There is the potential for the loss of data if appropriate management and auditing are not implemented.
  • Potential legal liability – Without the legislation for the legality of electronic transactions, the presentation and admissibility of electronic evidence is still immature and inconsistent between jurisdictions.

There are well-known conventional security technologies that can be used by ebXML implementers to resolve the risks. Existing technologies such as user-id and password, PKI (Public Key Infrastructure) [21] and token can provide user identification and authentication to solve the unauthorized transactions and fraud problems in electronic business systems. For the loss of confidentiality problem, SSL (Secure Socket Layer) [6] and S/MIME (Secure Multi-Purpose Internet Mail Extensions) [7] are used to provide confidentiality and authentication of endpoints. Typical tools such as anti-virus software and intrusion detection software can be used to resolve error detection problems and PKI can be exploited to resolve potential loss of management and audit problems. The potential legal liability problem is resolved by policies and procedures including audits and controls.

XML security technologies emerging recently have extensibility and flexibility suitable for ebXML security implementation such as encryption, digital signature, access control and authentication. XML digital signatures [11] and SAML (Security Assertion Markup Language) [14] can be exploited to solve the unauthorized transactions and fraud problems in electronic business systems. XML digital signatures are used in ebXML to provide data integrity on messages, existing authentication and authorization schemes as well as non-repudiation between entities. SAML is recommended to provide identification, authentication and authorization and is often used with XACML (eXtensible Access Control Markup Language) to allow or deny access to an XML resource. XML Encryption [10] is recommended to solve the loss of confidentiality problem. Also XKMS (XML Key Management Specification) [13] is recommended for key management as a substitute for PKI.

In this paper, we propose secure business Web Service models based on ebXML that allow trading partners to securely exchange XML based business transactions by employing XML security technologies. We have also developed the test software, which shows how each XML security technology meets the ebXML standard by checking messages between the modules.

This paper is composed of six sections. Section II includes an overview of ebXML, XML security standards and single sign-on scheme. In section III, two ebXML business transaction models are proposed to securely exchange XML based business transactions among trading partners by

using one of the XML security standards, SAML, is elucidated to assist the concept in the business transaction models.

A. Overview of ebXML

ebXML is a modular suite of specifications for the XML-based global infrastructure for e-business transactions, that enables enterprises of any size and in any geographical location to conduct business over the Internet. ebXML aims to provide a standard method to exchange business messages, conduct trading relationships, communicate data in common terms and define and register business processes. The direct sponsors of ebXML are OASIS (Organization for the Advancement of Structured Information Standards) and UN/CEFACT (United Nations Centre for Trade Facilitation and Electronic Business) [3, 9]. The vision of ebXML is to create a single set of agreed upon technical specifications that consist of common XML semantics and related document structures to facilitate global trade.

The technical infrastructure of ebXML is composed of the following major elements:

  • Messaging Service: The actual information communicated as part of a business transaction. A message will contain multiple layers. On the outside layer, an actual communication protocol must be used (such as HTTP or SMTP). SOAP (Simple Object Access Protocol) is an ebXML recommendation as an envelope for a message "payload." Other layers may deal with encryption or authentication.
  • Registry: The registry is a database of items that support doing business electronically. How applications interact with the registry (registry service interfaces) and the minimum information model (the types of information that are stored about registry items) that the registry must support is specified. Examples of items in the registry might be XML schemas of business documents, definitions of library components for business process modeling, and trading partner agreements.
  • Trading Partner Information: It consists of two specifications: CPP (Collaboration Protocol Profile) and CPA (Collaboration
