Securing File Transfers from the IBM i
Bob Luebbe, CISSP
Chief Architect
Ron Byrd
Director of Professional Services
Introductions
www.LinomaSoftware.com
Agenda
Key pitfalls of using standard FTP
File-level encryption options (Open PGP and ZIP/AES)
Secure FTP (SFTP and FTPS) for encrypting “the pipe”
Advantages/disadvantages between SFTP and FTPS
Modern authentication techniques
Key and certificate management
Implementation using IBM utilities
What to look for in a commercial solution
Feel free to ask any questions
The 3 Truths about Standard FTP
1. You cannot always be sure that the entity with whom you are communicating is really who you think it is.
2. FTP data can be intercepted, so it is possible that it can be read by an unauthorized third party (attacker).
3. If an attacker can intercept the data, they may be able to modify the data before sending it on to the receiver.
How can your transmissions be monitored?
Network sniffer tools
Non-switched “shared” hubs (which pass traffic around the network)
Unsecured wireless networks
PC remote access software (e.g. gotomypc) to gain access to internal network
IP spoofing (hacker pretends to be a “trusted” partner)
Router vulnerabilities
Internet Service Providers (ISPs)
Sniffing FTP using WireShark (capturing user/password)
User and password in the clear
Sniffing FTP using WireShark (capturing data)
Data in the clear
File name in the clear
Cost of a Data Breach study conducted by the Ponemon Institute each year
Costs include admin and IT labor, notifications to customers, public relations, credit monitoring, lost business and regaining trust
$6.5 million average cost per data breach in 2015.
Approximately $217 per lost record.
Cost of a Data Breach
Chart: cost of a data breach in millions of dollars
Encryption Basics
Encryption is the process of transforming understandable text (plaintext) into an unintelligible piece of data (ciphertext).
Encryption hides the meaning of the message, but not its existence
Cipher is a pair of algorithms that perform encryption and decryption. Example ciphers are AES, TDES, BLOWFISH and CAST5.
Key controls the detailed operations of the Cipher algorithms. The output (ciphertext) is therefore determined by the Key. A Key is represented by bits (e.g. 101001…).
Symmetric Key Cryptology is a form of cryptology in which the sender and receiver share the same key. The key must be kept secret or the security is compromised. Also known as Secret key cryptology.
Asymmetric Key Cryptology is a form of cryptology that implements Key Pairs, in which the Public key portion of the Key Pair is used to encrypt information and the Private key portion is used to decrypt information. Otherwise known as Public Key Cryptology.
Before: The quick brown fox jumped over the lazy dog
After: „Œ \ËKä°BBY ý \åê·Ñ‚C‹Ÿ^{F+rÀJ[1]Ï(54Y3s
Options to Securing Data for Transmission
File Encryption only: Encrypt the file with a password (e.g. ZIP with AES) or with a key (e.g. OpenPGP), then send over standard FTP or email
Connection Encryption only: Send the unencrypted file over an encrypted connection (e.g. Secure FTP, HTTPS, AS2, S/MIME, etc.)
File and Connection Encryption: Encrypt the file with a password or key, then send over an encrypted connection
Can encrypt and compress multiple files into a single package
Password protection with AES encryption
Strength of password is critical to avoid brute-force attacks
Need to share passwords with trading partners securely
Number of ZIP compatible tools (PKZIP, WinZip, GoAnywhere…)
Standard ZIP Compression/Encryption
TERMS
OpenPGP standard is a non-proprietary and industry-accepted protocol which defines the standard format for encrypted messages, signatures and keys.
Private Key is the portion of a Key Pair which is used by the owner to decrypt information and to encode digital signatures. The Private key, typically protected by a password, should be kept secret by the owner and NOT shared with trading partners. Also known as a Secret Key.
Public Key is the portion of the Key Pair which is used to encrypt information bound for its owner and to verify signatures made by its owner. The owner’s Public key should be shared with its trading partners.
Widely used for protecting files to be sent over the internet.
Encrypt with Public Key -- Decrypt with Private Key (Secret Key)
Many products available that support OpenPGP
Latest standard is RFC4880 (see http://www.ietf.org/rfc/rfc4880.txt)
OpenPGP File Encryption
Caution: If an encrypted file is sent over a standard FTP connection, the FTP user ids, passwords and commands are still in the clear.
OpenPGP Encryption Process
Steps performed during encryption:
1) The plaintext data is compressed
2) A pseudo-random Symmetric “session key” is generated (256 bit or less)
3) The session key is used to encrypt the compressed data
4) The session key is then encrypted with the Asymmetric Public key (up to 4096 bits). This encrypted session key is embedded in the message
Open PGP Message
Steps performed during decryption:
1) The embedded session key is decrypted with the Asymmetric Private key.
2) The decrypted session key is used to decrypt the compressed data
3) The data is uncompressed
Diagram: OpenPGP message = Data (encrypted with Session Key) + Session Key (encrypted with Public Key)
OpenPGP uses a combination of Asymmetric and Symmetric Keys to provide strong data protection and high performance.
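Added example (not part of the original presentation and not code from any Linoma product): a Go program that carries out the four encryption steps and three decryption steps above using only the Go standard library. The names Message, Encrypt and Decrypt are the example's own. RSA-OAEP and AES-256-GCM stand in for the OpenPGP packet formats, which are not implemented here; the point is the hybrid design, where the slow asymmetric operation covers only the 32-byte session key and the fast symmetric cipher covers the data.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Message mirrors the OpenPGP message on the slide: data encrypted with a session key, and that key encrypted with the recipient's public key.
type Message struct {
	WrappedSessionKey []byte // 256-bit AES session key, wrapped with RSA-OAEP (asymmetric)
	Nonce             []byte // AES-GCM nonce, sent along with the ciphertext
	Ciphertext        []byte // AES-256-GCM over the zlib-compressed plaintext (symmetric)
}

func newGCM(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func compress(plain []byte) ([]byte, error) {
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	if _, err := w.Write(plain); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func decompress(data []byte) ([]byte, error) {
	r, err := zlib.NewReader(bytes.NewReader(data))
	if err != nil {
		return nil, err
	}
	return io.ReadAll(r)
}

// Encrypt performs the slide's four encryption steps.
func Encrypt(plain []byte, recipient *rsa.PublicKey) (*Message, error) {
	compressed, err := compress(plain) // step 1: compress the plaintext
	if err != nil {
		return nil, err
	}
	sessionKey := make([]byte, 32) // step 2: random 256-bit symmetric session key
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey) // step 3: encrypt the compressed data with the session key
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, compressed, nil)
	// step 4: encrypt the session key with the recipient's public key and embed it in the message
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Message{WrappedSessionKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Decrypt performs the three decryption steps: unwrap the session key with the
// recipient's private key, decrypt the data with it, then decompress.
func Decrypt(m *Message, recipient *rsa.PrivateKey) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, m.WrappedSessionKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: wrong private key or corrupted message")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	compressed, err := gcm.Open(nil, m.Nonce, m.Ciphertext, nil) // fails if any byte was altered
	if err != nil {
		return nil, errors.New("data was modified in transit or the session key is wrong")
	}
	return decompress(compressed)
}

func main() {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // the public half is what a partner would receive
	msg, _ := Encrypt([]byte("The quick brown fox jumped over the lazy dog"), &recipient.PublicKey)
	plain, err := Decrypt(msg, recipient)
	fmt.Printf("recovered=%q err=%v\n", plain, err)
}
```

Decrypting with any private key other than the recipient's fails at the unwrap step, and changing a single byte of the ciphertext fails the GCM integrity check, so the receiver never sees altered data.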
OpenPGP Digital Signatures
A Digital Signature is used to authenticate the Sender
Sign with Private Key
Verify with Public Key
TERMS
Digital Signature is an electronic signature which is encoded into a document using the sender’s Private key. This signature can be authenticated by the recipient using the sender’s Public key. An authenticated signature will ensure the original content of the document has not been altered by an unauthorized party.
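Added example (not from the original presentation or any Linoma product): a Go program showing the sign-with-private-key, verify-with-public-key property described in the TERMS above, with RSA-PSS over a SHA-256 digest standing in for the OpenPGP signature packet. Sign, Verify and the sample purchase-order text are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the document and signs the digest with the sender's private key.
// Only the holder of that private key can produce a signature that verifies.
func Sign(document []byte, senderPriv *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
}

// Verify recomputes the digest and checks the signature with the sender's
// public key. It reports false when the signature was made with another key
// or when even one byte of the document changed after it was signed.
func Verify(document, signature []byte, senderPub *rsa.PublicKey) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], signature, nil) == nil
}

func main() {
	sender, _ := rsa.GenerateKey(rand.Reader, 2048) // the public half is shared with trading partners
	doc := []byte("PO 7632: 100 units to warehouse B")   // constructed sample document
	sig, _ := Sign(doc, sender)
	fmt.Println("genuine document verifies:", Verify(doc, sig, &sender.PublicKey))
	altered := []byte("PO 7632: 900 units to warehouse B") // one digit changed in transit
	fmt.Println("altered document verifies:", Verify(altered, sig, &sender.PublicKey))
}
```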
OpenPGP Algorithms
Encryption Algorithms (Used to encrypt/decrypt the data)
AES-128, AES-192, AES-256 (recommended), Blowfish, CAST5, DES, IDEA, Triple DES, Twofish
Hash Algorithms (Used to ensure the integrity of the data)
MD2, MD5, RIPEMD160, SHA1, SHA256, SHA384, SHA512
Compression Algorithms (Used to compress the data)
ZIP, ZLIB
Algorithm preferences are stored in the Public key.
OpenPGP on IBM i (Open Source or Commercial?)
Open Source - Load GnuPG on PASE environment
• Can be somewhat cryptic to set up (UNIX commands)
• See this article: http://systeminetwork.com/article/using-gnupg-pgp-i
• May require some programming (trapping for errors, etc.)
Commercial Product - Features to Look For:
• Supports RFC4880 standard
• Has a good key management system
• Can encrypt, sign, decrypt and verify files
• Is simple to setup and maintain
• Good error reporting and logs
The 3 Main Benefits of Secure FTP
Authentication - Secure FTP allows computer systems to ensure the identity of each other.
Data Privacy - Secure FTP creates an encrypted connection between computer systems, preventing the interception of users, passwords and data.
Data Integrity - Secure FTP implements hash functions to ensure that data was not modified in transit.
Two Types of Secure FTP
SFTP = FTP over SSH
FTPS = FTP over SSL/TLS
SFTP = FTP over SSH
SSH 2.0 is latest standard
Sometimes referred to as SCP 2.0
SFTP encrypts the entire connection
Popular in UNIX and LINUX systems
Trading partner must have a SFTP server (in order to connect to them)
Most FTP commands are supported (put, get, etc.)
TERMS
SSH is an abbreviation for Secure Shell. SSH is both a computer program and an associated network protocol designed for encrypting communications between two untrusted hosts over a network. It utilizes Public keys to provide asymmetric cryptology.
SFTP
Diagram: SFTP Client <-> SFTP Server
Authenticate with a User id and a Password, Key or both a Password and Key (Dual Factor)
Key authentication:
1. Create both a Public and Private key (Key Pair) – RSA or DSA, up to 4096 bits
2. Send the Public key to your trading partners. Don’t send private key/passphrase.
3. Specify the Private key when making the SFTP connection (for authentication)
SFTP - Authentication
Diagram: SFTP Client (Private Key) -> SFTP Server (Public Key)
The OpenSSH toolkit is available from IBM for no additional charge
Need to be on V5R3 or higher
Need to load the following licensed programs:
• PASE environment (licpgm 5722SS1 option 33)
• IBM Portable Utilities (licpgm 5733SC1 *base)
• OpenSSH, OpenSSL, zlib (5733SC1 option 1)
OpenSSH - SFTP using IBM Portable Utilities
Several versions of the OpenSSH toolkit are available. Display the directory of /QOpenSys/QIBM/UserData/SC1/OpenSSH/ to view the versions.
On V6R1 or higher, the Server Keys are automatically created.
On V5R3 or V5R4, create the Server Keys:
1. CALL QP2TERM
2. cd /QOpenSys/QIBM/UserData/SC1/OpenSSH/openssh-3.5p1/etc
3. ssh-keygen -N "" -t rsa1 -f ssh_host_key
4. ssh-keygen -N "" -t dsa -f ssh_host_dsa_key
5. ssh-keygen -N "" -t rsa -f ssh_host_rsa_key
In the above example, the “ssh_host_key” file will hold the SSH 1.0 RSA key. The “ssh_host_dsa_key” file will hold the SSH 2.0 DSA key. The “ssh_host_rsa_key” file will hold the SSH 2.0 RSA key.
On V5R3 or V5R4, start the server by submitting the following command:
SBMJOB CMD(CALL QP2SHELL PARM('/QOpenSys/usr/sbin/sshd')) JOB(SSHD) + JOBQ(QUSRNOMAX)
On V6R1 or higher, IBM made it easier to start and stop the SFTP server.
To start the server: STRTCPSVR SERVER(*SSHD)
To stop the server: ENDTCPSVR SERVER(*SSHD)
OpenSSH – Starting the OpenSSH (SFTP) Server
Server Setup
The following steps are only needed on the client side if using public key authentication…
Determine the home directory for your user profile:
DSPUSRPRF USRPRF(my profile)
Call the PASE command shell program:
CALL QP2TERM
If a home directory does not exist, you will need to create it:
mkdir /home/userid
Your user must be the owner of the directory (7 grants your user profile all authority, 5 grants the group read/execute authority, 0 gives the public no authority):
chmod 750 /home/userid
Create the key pair without a password:
ssh-keygen -t rsa -N ""
You will see the following messages during the key generation process:
• Generating public/private rsa key pair
• Enter file in which to save the key (/home/userid/.ssh/id_rsa)
By default, the key generator will create a .ssh directory under your home directory and will place the keys (id_rsa and id_rsa.pub) in that directory (unless you overrode it).
You will need to change the authority on the .ssh directory:
chmod 700 /home/userid/.ssh
OpenSSH – Creating a Client SSH Key Pair
Client Setup
The following steps are needed only on the server if using public key authentication…
For each user (client) that connects to the server, you need the following:
• An existing user profile (8 or less characters) for the client
• A home directory specified on the user profile
• A .ssh directory under the home directory
• Proper authorities:
- chmod 750 /home/userid
- chmod 700 /home/userid/.ssh
The id_rsa.pub file (created in the prior slide) needs to be loaded on the server machine and put into a file called authorized_keys. The authorized_keys file needs to be placed in the .ssh subdirectory under your home directory. For example, /home/userid/.ssh/authorized_keys
The authority needs to be changed on this file:
chmod 600 /home/userid/.ssh/authorized_keys
If the file “authorized_keys” already exists, the best way to add the new key is to use the following command
cat /home/userid/.ssh/id_rsa.pub >> /home/userid/.ssh/authorized_keys
OpenSSH – Loading a Client Public Key on IBM i Server
Server Setup
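Added example (not from the original presentation or any Linoma product): a Go program that automates the server-side steps above for one client, creating the home/.ssh/authorized_keys layout with the slide's authorities (750, 700, 600), adding a public key only when it is not already present (the "cat >>" command on the slide appends a duplicate line each time it is rerun), and reporting any authority wider than the slide prescribes. PrepareKeyDir, AuthorizeKey and CheckPermissions are the example's own names, the sample key line is constructed and not a real key, and the main function works in a temporary directory rather than /home.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// PrepareKeyDir creates the layout the slides require for a key-authenticated
// client: home at 750, home/.ssh at 700 and an authorized_keys file at 600.
func PrepareKeyDir(home string) error {
	sshDir := filepath.Join(home, ".ssh")
	if err := os.MkdirAll(sshDir, 0o700); err != nil {
		return err
	}
	authKeys := filepath.Join(sshDir, "authorized_keys")
	f, err := os.OpenFile(authKeys, os.O_CREATE|os.O_WRONLY, 0o600)
	if err != nil {
		return err
	}
	f.Close()
	// MkdirAll and OpenFile honour the process umask, so apply the exact modes afterwards.
	for path, mode := range map[string]os.FileMode{home: 0o750, sshDir: 0o700, authKeys: 0o600} {
		if err := os.Chmod(path, mode); err != nil {
			return err
		}
	}
	return nil
}

// AuthorizeKey appends one OpenSSH public key line to authorized_keys unless the
// same key (type and key material) is already listed. It returns true when added.
func AuthorizeKey(home, pubKeyLine string) (bool, error) {
	pubKeyLine = strings.TrimSpace(pubKeyLine)
	fields := strings.Fields(pubKeyLine)
	if len(fields) < 2 || !(strings.HasPrefix(fields[0], "ssh-") || strings.HasPrefix(fields[0], "ecdsa-")) {
		return false, fmt.Errorf("not an OpenSSH public key line: %q", pubKeyLine)
	}
	f, err := os.OpenFile(filepath.Join(home, ".ssh", "authorized_keys"), os.O_RDWR|os.O_APPEND, 0o600)
	if err != nil {
		return false, err
	}
	defer f.Close()
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		existing := strings.Fields(sc.Text())
		// The trailing comment (user@host) may differ, so compare only type and key material.
		if len(existing) >= 2 && existing[0] == fields[0] && existing[1] == fields[1] {
			return false, nil
		}
	}
	if err := sc.Err(); err != nil {
		return false, err
	}
	_, err = f.WriteString(pubKeyLine + "\n")
	return err == nil, err
}

// CheckPermissions lists every path in the chain whose mode grants more than
// the slide's values (home 750, .ssh 700, authorized_keys 600).
func CheckPermissions(home string) []string {
	var problems []string
	check := func(path string, maxPerm os.FileMode) {
		info, err := os.Stat(path)
		if err != nil {
			problems = append(problems, err.Error())
			return
		}
		if perm := info.Mode().Perm(); perm&^maxPerm != 0 {
			problems = append(problems, fmt.Sprintf("%s is %04o, expected at most %04o", path, perm, maxPerm))
		}
	}
	check(home, 0o750)
	check(filepath.Join(home, ".ssh"), 0o700)
	check(filepath.Join(home, ".ssh", "authorized_keys"), 0o600)
	return problems
}

func main() {
	home := filepath.Join(os.TempDir(), "userid") // constructed stand-in for /home/userid
	if err := PrepareKeyDir(home); err != nil {
		fmt.Println("setup failed:", err)
		return
	}
	// Constructed sample public key line (not a real key).
	added, err := AuthorizeKey(home, "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example== client@example.com")
	fmt.Println("added:", added, "err:", err, "problems:", CheckPermissions(home))
}
```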
OpenSSH is designed to only trust servers that are in its "known_hosts" file.
Run the following command to download the server key information (-l means login name):
ssh -T -l userid [my ssh server] exit
This command will sign onto the server and download the server’s key. If the key does not exist in the “known_hosts” file, it will ask you if you want to add it.
The authenticity of host 'ssh.example.com (192.168.0.1)' can't be established.
DSA key fingerprint is ...
Are you sure you want to continue connecting (yes/no)?
Enter "yes". It will automatically add this host to the known_hosts file in your .ssh directory.
Once you have done this, then you can run tools like "scp" or "sftp" without receiving the "Host key verification failed." error.
OpenSSH Client - Establishing the Server as a known Host
Client Setup
PGM
DCL VAR(&CMD) TYPE(*CHAR) LEN(500)
DCL VAR(&MSGDTA) TYPE(*CHAR) LEN(4)
DCL VAR(&MSGID) TYPE(*CHAR) LEN(7)
DCL VAR(&NULL) TYPE(*CHAR) LEN(1) VALUE(X'00')
/* Indicate the batch script file to execute */
CHGVAR VAR(&CMD) VALUE('/QOpenSys/usr/bin/sftp -b +
/home/rbyrd/batchfile.txt [email protected]' *CAT &NULL)
/* Execute the batch script file */
STRQSH CMD(&CMD)
/* Retrieve the message from the job log */
RCVMSG MSGTYPE(*COMP) MSGDTA(&MSGDTA) MSGID(&MSGID)
/* Failed if not QSH0005 */
IF (&MSGID *NE 'QSH0005' *OR %BIN(&MSGDTA) *NE 0) DO
SNDPGMMSG MSGID(CPF9897) MSGTYPE(*ESCAPE) MSGF(QCPFMSG) +
MSGDTA('SFTP failed!')
ENDDO
/* Success */
ELSE CMD(DO)
SNDPGMMSG MSGID(CPF9898) MSGTYPE(*COMP) MSGF(QCPFMSG) +
MSGDTA('SFTP succeeded!')
ENDDO
ENDPGM
OpenSSH – Running a SFTP batch script from CL
batchfile.txt
put orders1.txt
put orders2.txt
get invoices.txt
Client Example
Sniffing SFTP using WireShark (capturing data)
Encrypted Data
FTPS = FTP over SSL/TLS
Protects entire connection, including data, users, passwords, commands, etc.
Explicit FTPS – Normal FTP available, but client can explicitly request server to switch to SSL/TLS
Implicit FTPS – Server forces client to use SSL/TLS from the initial connection (ask your trading partner if they support this first)
Trading partner must have an FTP server enabled for SSL/TLS
TERMS
SSL is an abbreviation for Secure Sockets Layer. SSL is a security protocol for encrypting communications between two hosts over a network. SSL utilizes certificates to establish trust between the two hosts.
TLS is the abbreviation for Transport Layer Security and is the successor to SSL.
FTPS
Diagram: FTPS Client <-> FTPS Server
As a client, you can verify that the partner’s server certificate is trusted
As a server, the partner can verify whether your client certificate is trusted
Dual-factor authentication steps:
1. The certificates are verified (if required)
2. The user and password are verified
FTPS - Authentication
Diagram: FTPS Client (Client Certificate) <-> FTPS Server (Server Certificate)
Create/manage certificates using IBM Digital Certificate Manager
• Create a Server Certificate in the Digital Certificate Manager (DCM)
• Update the Certificate Assignment for the FTP Application in the DCM
• Export the Local CA Certificate from the DCM and import it into your client Certificate Store.
To start a FTPS explicit connection: FTP SECCNN(*SSL)
To start a FTPS implicit connection: FTP SECCNN(*IMPLICIT)
Either manually enter traditional FTP commands in the terminal window, or write FTP scripts and run them from CL
FTPS using IBM utilities
open ftp.bank.com
user joe password
ascii
get /inbound/ack837.txt
get /inbound/ack763.txt
lcd /orderfiles
put ord7632.txt /outbound/
put ord9383.txt /outbound/
close
quit
Diagram: the FTP script above, run from a CL program
IBM i System Values For SSL
QSSLCSL Secure sockets layer cipher specification list
*ECDHE_ECDSA_AES_128_CBC_SHA256
*ECDHE_ECDSA_AES_256_CBC_SHA384
*ECDHE_ECDSA_AES_128_GCM_SHA256
*ECDHE_ECDSA_AES_256_GCM_SHA384
*RSA_AES_128_CBC_SHA256
*RSA_AES_256_CBC_SHA256
*RSA_AES_128_GCM_SHA256
*RSA_AES_256_GCM_SHA384
QSSLCSLCTL Secure sockets layer cipher control
Default value: *OPSYS
Change to: *USRDFN
QSSLPCL Secure sockets layer protocols
Protocols
Default value: *OPSYS
Change to: *TLSV1.2 *TLSV1.1
Disable older hash algorithms like MD4 and SHA1. Only use the SHA-2 family: SHA256 and SHA384
Only use TLS versions 1.1 and 1.2
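Added example (not from the original presentation or any Linoma product): a Go program that audits candidate QSSLPCL and QSSLCSL values against the policy on this slide (TLS 1.1/1.2 only; no MD4, MD5 or SHA1; SHA256 or SHA384 for integrity). It relies on the IBM i cipher specification naming convention visible in the list above, where the suite name ends in the MAC hash and a bare "_SHA" denotes SHA-1. AuditSSLPolicy and SlideCipherList are the example's own names; the two legacy suites and *SSLV3 in main are constructed inputs used to show what a finding looks like.

```go
package main

import (
	"fmt"
	"strings"
)

// AllowedProtocols are the only QSSLPCL values the slide permits.
var AllowedProtocols = map[string]bool{"*TLSV1.2": true, "*TLSV1.1": true}

// SlideCipherList is the QSSLCSL list shown on the slide.
var SlideCipherList = []string{
	"*ECDHE_ECDSA_AES_128_CBC_SHA256", "*ECDHE_ECDSA_AES_256_CBC_SHA384",
	"*ECDHE_ECDSA_AES_128_GCM_SHA256", "*ECDHE_ECDSA_AES_256_GCM_SHA384",
	"*RSA_AES_128_CBC_SHA256", "*RSA_AES_256_CBC_SHA256",
	"*RSA_AES_128_GCM_SHA256", "*RSA_AES_256_GCM_SHA384",
}

// weakSuite reports whether a cipher specification relies on a hash the slide
// says to disable. Suite names end in the integrity hash: "_SHA" alone is SHA-1,
// "_SHA256" and "_SHA384" are the SHA-2 family.
func weakSuite(suite string) (bool, string) {
	s := strings.ToUpper(suite)
	switch {
	case strings.HasSuffix(s, "_SHA"):
		return true, "uses SHA-1 for integrity"
	case strings.Contains(s, "_MD5") || strings.Contains(s, "_MD4"):
		return true, "uses MD4/MD5 for integrity"
	case !strings.Contains(s, "_SHA256") && !strings.Contains(s, "_SHA384"):
		return true, "does not use SHA256 or SHA384"
	}
	return false, ""
}

// AuditSSLPolicy returns one finding per protocol or cipher suite that violates
// the slide's policy; an empty result means the values are compliant.
func AuditSSLPolicy(protocols, suites []string) []string {
	var findings []string
	for _, p := range protocols {
		if !AllowedProtocols[strings.ToUpper(p)] {
			findings = append(findings, fmt.Sprintf("QSSLPCL: %s is not TLS 1.1 or 1.2", p))
		}
	}
	for _, s := range suites {
		if weak, why := weakSuite(s); weak {
			findings = append(findings, fmt.Sprintf("QSSLCSL: %s %s", s, why))
		}
	}
	return findings
}

func main() {
	// Constructed legacy values appended to the slide's list to produce findings.
	suites := append(append([]string{}, SlideCipherList...), "*RSA_AES_128_CBC_SHA", "*RSA_RC4_128_MD5")
	for _, f := range AuditSSLPolicy([]string{"*TLSV1.2", "*TLSV1.1", "*SSLV3"}, suites) {
		fmt.Println(f)
	}
}
```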
FTPS – Sign into the Digital Certificate Manager
http://192.168.1.54:2001/QIBM/ICSS/Cert/Admin/qycucm1.ndm/main0
FTPS – Select a Certificate Store
FTPS – Enter the Password for the Certificate Store
FTPS - Creating a Server Certificate in the DCM
FTPS - Determine who will sign the Certificate
FTPS - Fill in Certificate Create Form
FTPS - Certificate Creation Message and Assign to Application
FTPS - Install the Local CA Certificate on Your PC
FTPS – Active vs. Passive
FTP/s communication is split into control and data channels.
• The control channel is used for sending commands, requests and responses
• The data channels are used for transferring data for commands such as ‘ls’, ‘get’ and ‘put’
Active FTP/s steps:
1. The client opens a control channel to the FTP/s server (typically on port 21).
2. The client opens a high port (greater than 1024) and sends a PORT command to the server telling it what IP address and port number it is listening on for active data connections.
3. The client then issues a command like LIST or GET to the server.
4. The server connects back to the client on the port opened in step 2 and transfers the data. When complete, the data channel is closed and the status is sent to the client via the control channel.
Passive FTP/s steps:
1. The client opens a control channel to the FTP/s server
2. The client sends a PASV command to the server to indicate passive mode.
3. The server opens a high port (greater than 1024) and replies back to the client with the IP address and port number it is listening on for data connections.
4. The client then issues a command like LIST or GET and connects to the server using this new port number establishing the data channel.
5. The data is transferred and the data channel is closed. The server sends a reply over the control channel to notify the client of the status.
Passive mode works better for clients that are protected by a firewall
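Added example (not from the original presentation or any Linoma product): a Go program that handles the two messages on which the active and passive sequences above turn, the PASV reply (step 3 of passive mode, where the port is p1*256+p2) and the PORT command (step 2 of active mode), and checks the resulting data port against a firewall range. ParsePasvReply, BuildPortCommand and InFirewallRange are the example's own names and the sample reply is constructed. ParsePasvReply also refuses a reply that advertises a host other than the one the control channel is connected to, a safeguard several FTP clients offer as an option.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

var pasvRe = regexp.MustCompile(`\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)`)

// ParsePasvReply decodes "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" into
// the host and port the server is listening on. controlHost is the address the
// control channel is connected to; a reply pointing elsewhere is rejected.
func ParsePasvReply(reply, controlHost string) (string, int, error) {
	if !strings.HasPrefix(reply, "227") {
		return "", 0, fmt.Errorf("not a PASV reply: %q", reply)
	}
	m := pasvRe.FindStringSubmatch(reply)
	if m == nil {
		return "", 0, fmt.Errorf("malformed PASV reply: %q", reply)
	}
	n := make([]int, 6)
	for i := range n {
		v, err := strconv.Atoi(m[i+1])
		if err != nil || v > 255 {
			return "", 0, fmt.Errorf("value out of range in PASV reply: %q", reply)
		}
		n[i] = v
	}
	host := fmt.Sprintf("%d.%d.%d.%d", n[0], n[1], n[2], n[3])
	port := n[4]*256 + n[5]
	if host != controlHost {
		return "", 0, fmt.Errorf("PASV reply advertises %s but the control channel is to %s", host, controlHost)
	}
	if port < 1024 {
		return "", 0, fmt.Errorf("server offered privileged data port %d", port)
	}
	return host, port, nil
}

// BuildPortCommand encodes the client's listening address as the active-mode
// "PORT h1,h2,h3,h4,p1,p2" command, requiring a high (greater than 1024) port.
func BuildPortCommand(ip string, port int) (string, error) {
	octets := strings.Split(ip, ".")
	if len(octets) != 4 {
		return "", fmt.Errorf("not an IPv4 address: %q", ip)
	}
	for _, o := range octets {
		if v, err := strconv.Atoi(o); err != nil || v < 0 || v > 255 {
			return "", fmt.Errorf("not an IPv4 address: %q", ip)
		}
	}
	if port <= 1024 || port > 65535 {
		return "", fmt.Errorf("data port %d is not a high port", port)
	}
	return fmt.Sprintf("PORT %s,%d,%d", strings.Join(octets, ","), port/256, port%256), nil
}

// InFirewallRange reports whether a data port lies inside the range of ports
// opened on the firewall for FTPS data connections.
func InFirewallRange(port, low, high int) bool { return port >= low && port <= high }

func main() {
	// Constructed sample reply: 195*256 + 80 = 50000.
	host, port, err := ParsePasvReply("227 Entering Passive Mode (192,168,0,1,195,80).", "192.168.0.1")
	fmt.Println(host, port, err, InFirewallRange(port, 50000, 50100))
	cmd, err := BuildPortCommand("10.0.0.5", 51300)
	fmt.Println(cmd, err)
}
```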
Both standards offer a high level of data protection
Mainly depends on trading partner’s capabilities
SFTP authentication is simpler to implement (use a key, password or both).
SFTP is very popular in the LINUX/UNIX world
SFTP uses the single port 22 (by default) for all communications, which is easy to open on your firewall
FTPS uses a random set of port numbers for each listing and data connection, which your firewall may block (you may have to set up a range of allowable port numbers in your firewall and configure it in the client)
FTPS can use signed certificates (3rd party verification) to establish a chain of trust, in which you don’t need certificates from each partner
Should I use SFTP or FTPS?
Secure FTP does not protect data “at rest”
Is your trading partner protecting your data after it arrives at their site?
Secure FTP – Potential issue
Diagram: Your System (plain-text file) -> Secure FTP Encrypted Tunnel (protects user ids, passwords and data) -> Trading Partner (plain-text file; a hacker is shown at the trading partner's site)
Secure FTP will protect your FTP user ids, passwords, commands and data while in transit
OpenPGP will also protect your data in transit, but also “at rest”
Secure FTP and OpenPGP – A One, Two Punch!
Diagram: Your System: plain-text file -> OpenPGP (Public Key) -> encrypted file -> Secure FTP Encrypted Tunnel (protects user ids, passwords and data) -> encrypted file -> OpenPGP (Private Key) -> plain-text file at the Trading Partner
Note: Assumes that trading partner will decrypt your file only after it is moved to their internal protected network.
Programmers traditionally have to write scripts, CL programs, .BAT files, etc.
Passwords are often stored in the scripts (in the clear)
Scripts need to be maintained by Programmers:
- When host names and IP addresses change
- When user ids and passwords change
- When file names change
Can become very complex and unmanageable, especially as you add more trading partners
Difficult to include/exclude files based on variables, wildcards, timestamps, sizes, etc.
Lacking IF/ELSE controls (commands typically just run in sequential order)
Some organizations use PC tools for FTP/SFTP/FTPS transfers, in which files first have to be downloaded from the corporate server:
- This exposes the file(s) on the PC (vulnerable to hackers)
- Download is often done manually to the PC, which consumes time and is subject to errors
open ftp.bank.com
user joe password
ascii
get /inbound/ack837.txt
get /inbound/ack763.txt
lcd /orderfiles
put ord7632.txt /outbound/
put ord9383.txt /outbound/
close
quit
FTP Scripting and Management Issues
Difficult to find and analyze FTP logs to determine what problems occurred
Example portion of a traditional FTP log:
Manually or programmatically read through the OUTPUT log to find exact error
Are you notified when problems occur… or do you wait for the trading partner to call you?
> cd testftp
250 "TESTFTP" is current library.
Enter an FTP subcommand.
> lcd testftp
Local working directory is TESTFTP
Enter an FTP subcommand.
> put demodemo
File DEMODEMO in library TESTFTP not found.
Enter an FTP subcommand.
> quit
221 QUIT subcommand received.
Error Trapping and Notification Issues
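Added example (not from the original presentation or any Linoma product): a Go program that does the "read through the OUTPUT log" step automatically. It walks a captured FTP client log, remembers the last subcommand issued, and reports 4xx/5xx server replies as well as IBM i client messages that carry no reply code, such as the "not found" line in the log above. ScanFTPLog and Problem are the example's own names; the sample log is the one on the slide plus one constructed 550 reply so both kinds of failure appear.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Problem is one log line that indicates a failed transfer step.
type Problem struct {
	LineNo  int    // 1-based line number in the log
	Command string // the most recent "> ..." subcommand, so the alert says what failed
	Text    string
}

var replyCode = regexp.MustCompile(`^(\d{3})[ -]`)

// failureWords covers client messages that carry no numeric reply code,
// such as "File DEMODEMO in library TESTFTP not found."
var failureWords = []string{"not found", "not authorized", "failed", "error", "rejected"}

// ScanFTPLog returns the lines an operator would otherwise have to hunt for
// by eye: 4xx/5xx server replies and client messages containing a failure phrase.
func ScanFTPLog(log string) []Problem {
	var problems []Problem
	lastCmd := ""
	for i, raw := range strings.Split(log, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || line == "Enter an FTP subcommand." {
			continue
		}
		if strings.HasPrefix(line, ">") {
			lastCmd = strings.TrimSpace(line[1:])
			continue
		}
		if m := replyCode.FindStringSubmatch(line); m != nil {
			if m[1][0] == '4' || m[1][0] == '5' {
				problems = append(problems, Problem{LineNo: i + 1, Command: lastCmd, Text: line})
			}
			continue // a coded reply is judged by its code, not by its wording
		}
		lower := strings.ToLower(line)
		for _, w := range failureWords {
			if strings.Contains(lower, w) {
				problems = append(problems, Problem{LineNo: i + 1, Command: lastCmd, Text: line})
				break
			}
		}
	}
	return problems
}

// Constructed sample: the slide's log, plus one 550 reply to show a coded failure.
const sampleLog = `> cd testftp
250 "TESTFTP" is current library.
Enter an FTP subcommand.
> lcd testftp
Local working directory is TESTFTP
Enter an FTP subcommand.
> put demodemo
File DEMODEMO in library TESTFTP not found.
Enter an FTP subcommand.
> get missing.txt
550 missing.txt: No such file or directory.
Enter an FTP subcommand.
> quit
221 QUIT subcommand received.`

func main() {
	for _, p := range ScanFTPLog(sampleLog) {
		fmt.Printf("line %d, after '%s': %s\n", p.LineNo, p.Command, p.Text)
	}
}
```

Run from a CL or shell wrapper, a non-empty result is the condition on which to send the system message or email the later slides ask for, rather than waiting for the trading partner to call.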
Installs on the IBM i
Supports popular secure protocols such as OpenPGP, ZIP/AES, SFTP and FTPS
Includes Key Management tools for OpenPGP keys, SSH keys and SSL certificates
Has good authorization controls (preferably with role-based access)
Keeps trading partner user credentials separate from OS user profiles
Allows transfers to be initiated from your applications (e.g. RPG, CL) and scheduler
Includes monitors that can “watch” for new files in specified folders
Has centralized audit trails (with good reporting tools)
Can alert you when problems occur via system messages or email
Can be set up and used without programming skills
Commercial Managed File Transfer (MFT) Packages
Features to look for…
Web site: www.linomasoftware.com
E-mail: [email protected]
Toll-free: 1-800-949-4696
Direct: (402) 944-4242
Fax: (402) 944-4243