In a pilot program beginning in August 1995, Bank of America and Lawrence Livermore National Laboratories (LLNL) in Livermore, CA, transmitted financial EDI over the Internet successfully for eight months. The project involved LLNL sending payment request data to the bank, the bank processing the request and paying LLNL's vendors out of the laboratory's account, and sending an acknowledgment back to LLNL.
"We determined that the Internet was viable for this type of business," says Bill Jetter, Bank of America vice president and product consultant in San Francisco, summing up the results of the pilot. "From the bank's perspective, it's a glowing success." Further, Jetter says the bank plans to extend the same type of service to some of its business customers on a regular basis. A formal report is expected to be published by the Fisher Center for Information Technology and Management at the University of California at Berkeley and the CommerceNet consortium, both of which studied and monitored the pilot.
Simple Mail Transfer Protocol (SMTP) was used to send the EDI messages over the Internet, and for security standards both Privacy Enhanced Mail (PEM) and Multipurpose Internet Mail Extensions (MIME) were used. PEM/MIME employs technology from two security standards: the Data Encryption Standard (DES) and the public/private (asymmetric) key technology patented by RSA Data Security. In the pilot, to sign the data with a digital signature, the sender used an algorithm to generate a string of text unique to the data being sent, then encrypted the data string with a private key to produce the digital signature. The signature can be created only by the sender but can be verified by anyone with access to the corresponding public key. Then, to keep the data confidential, the sender generated a random, private DES key--a symmetric key--and encrypted the data with it.
Once the data was encrypted, RSA technology was used to encrypt the private DES key using the public key of the receiver. The secured data and private DES key were then sent. Only the intended receiver had the private key to unlock the DES key, which in turn was used to unlock the encrypted data. The receiver used the sender's public key to decrypt the signature and verify who sent the data.
The pilot was extended beyond its originally planned six months in order to generate higher volumes of data through the Internet. Jetter says that the only problems encountered involved fine-tuning the processing at each end either before transmitting or after receiving it. The pricing of data transmission and improved timeliness are the two biggest advantages in his view.
"We used the pilot to learn more about how to create an almost seamless, straight-through processing at the bank, and toward that end, we are in the process of developing some new systems. We hope to have those in place later this year in a commercial-grade environment," Jetter says.