Standards for Technology in Automotive Retail

 Home -  News Feed 

8.4. Message-Level Security Versus Infrastructure Security

STAR recommends Message-Level security be applied where applicable. The key benefit of Message-Level security is the ability to route secure messages through multiple parties, endpoints, applications and or transfer protocols. In lieu of Message-Level security, STAR recommends Infrastructure-level security such as SSL.

If parties agree, security may be applied at both Message-Level and transfer Infrastructure-Level.

STAR recognizes that there are specific messages that do not require advanced security features such as Encryption. For example, if a message is a simple request to display a picture of a car model, the request and reply messages do not reasonably require any special security features.

Figure 8.1. Infrastructure Level Security

Infrastructure Level Security

When security is applied at the transfer Infrastructure-Level, Identification and Authorization are handled by a transfer level protocol, the most common standard being SSL. SSL provides encryption of the entire message during its transport over the network. During the initial SSL handshake a shared key is generated allowing for highly performant encryption, and the entire message is encrypted as it travels over the network. The handshake also requires the Authentication of the Receiver.

The Sender’s system authenticates:

  1. It believes the digital certificate presented by the Receiver is associated with the Receiver

  2. The Receiver’s digital certificate has been digitally signed by a party the Sender trusts

Optionally, the Receiver may request that the Sender present a digital certificate, which the Sender may then validate.

In other words, the Sender always authenticates the message Receiver; the Receiver may optionally authenticate the message Sender.

Advantages of an Infrastructure-Level Security include:

Possible disadvantages of Infrastructure-Level Security include:

When security is applied at the Message-Level, a message may be encrypted, may be digitally signed or both.

Advantages of Message-Level Security include:

Possible disadvantages of Message-Level Security include: