Considerations in Secure Data and Information Exchange Protocols Between Banks and Corporations

Author: Donovan Perkins,
Vice President of Business Development, AP Technology

Abstract: Explains the primary methods of secure data transfer between banks and their corporate clients (TTY, FTP, S-HTTP), giving a general description, security requirements and the advantages and disadvantages of each protocol.

There are three primary protocols by which data transfers take place in the banking community: modem-to-modem TTY, secure FTP, and Secure HTTP (also called S-HTTP or https). Most banks currently offer all three protocols (TTY, FTP, Secure HTTP) for the exchange of data and information between themselves and their corporate clients. Each protocol may be used to secure data and information exchanges, but each has its own unique set of advantages and disadvantages for the bank and client. This paper will describe the three protocols: a general description, the ways each can be implemented to provide secure data transfer, and the advantages and disadvantages of each.


The growth of the Internet and the World Wide Web has opened the door to an array of data transfer options and security issues. In the 1970s most enterprise critical software applications ran on mainframes and security was not a major concern. With the rise in enterprise local area networks (LANs) in the 1980s, more data became readily available to even more users, and internal network security became a concern. As the use of wide area networks (WANs) grew in the 1990s and the race was on for every business to find its place on the World Wide Web, major internal and external security risks emerged.

Modem-to-Modem

As the Internet continues to grow and the focus is on migrating to high-speed dedicated Internet access, businesses are also starting to move away from using dial-up modems for data transfer. The use of dial-up connections is still strong today, but there are security weaknesses and a diminishing level of support, as well as higher costs associated with this mode of data transport.

Modem-to-modem TTY involves a simple dial-up connection where data is then transferred over telephone wires. These copper-to-copper connections are the legacy means for handling data transfer.

Securing Modem-to-Modem Data Transfers

Modem security rests with the client, and most modem users are unaware of how easily critical data can be accessed if there is no modem security software or data encryption scheme in place. However, companies rarely use modem data encryption methods, such as PGP, or tools designed to monitor telecommunications systems for unauthorized activity. Also, there is typically very poor coordination between telecommunications and network professionals to jointly consider security issues. Companies deploy firewalls to protect their network from intruders, but they often fail to consider an open backdoor - the networked, dial-up desktop computer.

Modem Advantages

  • Corporate clients can make use of their current modem technology investment.
  • Custom scripts can be developed for the automated exchange of data and information between banks and clients.

Modem Disadvantages

  • The typical corporate modem connections are usually not secure.
  • Slow data transfer rates, typically below 14.4 kbps.
  • Most businesses fail to recognize, or choose to ignore, their vulnerability to unauthorized dial-up access.
  • Modem technology is older and not as well supported as other connectivity technologies.
  • Maintenance of modem banks is expensive; CompuServe is the outsourcing solution most often used by banks.
  • Managing keys for encryption schemes, such as PGP, can be problematic.

File Transfer Protocol

File Transfer Protocol (FTP) is an Internet Standard protocol that has been used by network engineers and systems administrators to send files back and forth between remote systems since the early days of the Internet. FTP was originally defined in the early 1970s to transfer files to and from various ARPANET nodes. It has since become a common way to transfer bulk files for organizations of all types. For bank data transfers with clients, it is critical for these FTP connections to be secure. Standard FTP sends files in clear plain text that can readily be intercepted. In contrast, secured FTP provides for strong authentication with data encryption for files being transferred.


FTP Security

The FTP protocol typically opens up two channels of communication with the server. Through one channel, commands (including login) are sent, and through the other, data is passed back and forth. Currently there are multiple ways of securing FTP. Some secure FTP implementations are intended to secure only the data channel; others secure only the command channel, and some secure both. These different secure implementations, all known as FTPs, have different levels of communication security and FTP servers are usually configured to support only one of them. The client must be configured to support the connection.
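The command/data channel split described above can be checked from a session log. The following is an added example, not code from the original paper or from any product it mentions: it reads a recorded control-channel dialogue and reports whether the login and the file transfers were protected, using the FTP-over-TLS commands AUTH, PBSZ and PROT. The host name, user name, password and file name are constructed sample values.

```python
# Constructed session logs (C: client command, S: server reply); all names are made up.
GREETING = ["S: 220 ftp.bank.example ready"]
AUTH = ["C: AUTH TLS", "S: 234 Proceed with negotiation"]
LOGIN = ["C: USER acme_corp", "S: 331 Password required",
         "C: PASS example-password", "S: 230 Logged in"]
PROT = ["C: PBSZ 0", "S: 200 PBSZ=0",
        "C: PROT P", "S: 200 Protection set to Private"]
UPLOAD = ["C: STOR payroll.ach", "S: 150 Opening data connection",
          "S: 226 Transfer complete"]

PLAIN_FTP = GREETING + LOGIN + UPLOAD                   # nothing protected
CONTROL_ONLY = GREETING + AUTH + LOGIN + UPLOAD         # login protected, file is not
BOTH_CHANNELS = GREETING + AUTH + LOGIN + PROT + UPLOAD

# Commands that move file contents or listings over the data channel.
DATA_VERBS = {"STOR", "RETR", "APPE", "LIST", "NLST"}


def audit_session(lines):
    """Report which FTP channels were encrypted when credentials and files moved."""
    control_tls = False    # True once the server accepts AUTH (reply 234)
    data_private = False   # True once the server accepts PROT P (reply 200)
    pending = None         # last client command still waiting for its reply
    report = {"cleartext_login": False, "cleartext_transfers": []}
    for line in lines:
        side, _, text = line.partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            pending = (verb.upper(), arg.strip().upper())
            if pending[0] in ("USER", "PASS") and not control_tls:
                report["cleartext_login"] = True
            if pending[0] in DATA_VERBS and not data_private:
                report["cleartext_transfers"].append(text)
        elif side == "S" and pending:
            code = text[:3]
            if pending[0] == "AUTH" and code == "234":
                control_tls = True
            elif pending[0] == "PROT" and code == "200":
                # PROT C switches the data channel back to clear text.
                data_private = pending[1] == "P"
            pending = None  # later replies (e.g. 226 after 150) need no tracking
    report["control_encrypted"] = control_tls
    report["data_encrypted"] = data_private
    return report


if __name__ == "__main__":
    for name in ("PLAIN_FTP", "CONTROL_ONLY", "BOTH_CHANNELS"):
        print(name, audit_session(globals()[name]))
```

A session where the server refuses PROT P is reported the same way as CONTROL_ONLY: the login is protected but the file still crosses the network in clear text.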

Various products have been developed to secure FTP data transmissions using trusted authentication and encryption schemes. Most secure FTP products use encryption and X.509 certificates for authentication. X.509 certificates are composed of multiple attributes including public keys used for asymmetric public key cryptography. There are numerous encryption algorithms used in secure FTP products, including DES, 3DES, CAST-128, Blowfish, AES-128, and others.

PGP is one of the most popular ways of encrypting data, and it allows data to be encrypted over an insecure connection. PGP works with all the data transmission protocols: FTP, email, modem, etc.

OpenSource Secure Shell (SSH), Secure Socket Layer (SSL), and Virtual Private Networks (VPNs) are some possible secure protocol mechanisms for FTP. These mechanisms basically create a secure tunnel between a client and server, from firewall to firewall.

OpenSource Secure Shell
What is referred to as SecureFTP (SFTP) uses only one channel and encrypts it so that neither the commands nor the data can be easily eavesdropped; it is implemented with OpenSource Secure Shell (SSH). SSH enables a user to routinely FTP into a server without sending passwords and usernames in clear text over the network; instead, they are encrypted via the secure shell port. SSH also uses compression, which allows faster FTP transfers.

Secure Socket Layer
Secure Socket Layer (SSL) is another way to secure FTP data transmissions. SSL was developed by Netscape Communications (Mountain View, CA) for transmitting private information (e.g. a bank's data transmission to a corporate client) between a client and server through a TCP/IP connection. The protocol is application independent. This means application protocols, whether they are FTP, HTTP, telnet, gopher, Network News Transport Protocol (NNTP), or Simple Mail Transport Protocol (SMTP), are easily and transparently layered on top of SSL, and TCP/IP is layered beneath. When both a client and a server support SSL, all data transferred between them is encrypted.

Virtual Private Network
A Virtual Private Network (VPN) is an IPsec-compliant (IPsec = Internet Protocol Security) gateway. A VPN is a "restricted-use" computer network that is comprised of system resources from a relatively "public" network (such as the Internet), often by using encryption (located at hosts or gateways), and often by tunneling links of the virtual network across the Internet. For example, if you have two LANs you wish to securely connect, each connected to the Internet by a firewall, one option would be to create a VPN by using encrypted tunnels to connect exclusively from firewall to firewall across the Internet. A VPN is generally less expensive to build and operate than a dedicated real network, because the virtual network shares the cost of system resources with other users of the Internet.

FTP Advantages

  • FTP is a long-established protocol for data transfer that network engineers and administrators are comfortable using.
  • Securing FTP with SSH, SSL, VPN, or another security measure is a viable and solid solution for data transmission to and from a bank's corporate clients.
  • Custom scripts can be developed for the automated exchange of data and information between banks and clients.


FTP Disadvantages

  • There is no clear encryption path or universal security protocol scheme.
  • Most companies with connections to the Internet have implemented firewall solutions to protect the corporate network from unauthorized use.
    Typically, it is challenging for network personnel to implement protocols that fully secure the link between client and server on opposite sides of a firewall and also secure the actual data sent.
  • FTP servers are usually specifically configured to support one method of secure data transfer. Not all FTP clients support every type of secure FTP connection (some do), and usually the client must be specially configured to handle the secure data transfer from the server.
  • One of the major challenges with implementing a secure FTP connection is that some of the encryption solutions are expensive and complex to implement, requiring both the sending and receiving parties to have the same encryption software implemented on both ends of the file transfer. For example, if you are using a VPN to secure your FTP file transfers, VPN software or a VPN appliance must be implemented at each end point. If digital certificates are used for implementing a VPN or Secure FTP, proper key exchanges must be made, and private keys need to be secured.¹
  • Managing keys for client implementation of encryption schemes such as PGP is difficult as well as a costly annoyance for both clients and banks.
  • There have been some noted security breaches with SSH1 where data could be fairly easily decrypted in transit, but these appear to have been corrected with the release of SSH2. The Secure Shell (SSH) protocol, which itself is considered strong, is often weakly implemented. Some of the SSH implementations for FTP server-client combinations behave rather erratically.


Secure Hypertext Transfer Protocol

Securing HTTP enables users to send individual messages securely over the web. When https is used in the first part of a URL (the part that precedes the colon and specifies an access scheme or protocol), as opposed to http, it specifies the use of HTTP enhanced by a security mechanism, which is usually Secure Socket Layer (SSL v2/v3). Current practice is to layer HTTP over SSL, distinguishing secured traffic from insecure traffic by the use of a different server port. The same can be done using the Transport Layer Security (TLS v1) protocol, which is the successor to SSL.

HTTP Security

TLS, and its predecessor SSL, were designed to provide channel-oriented security. Secure HTTP (S-HTTP) is in most cases created by running SSL under HTTP, and the web server has an SSL certificate. The certificate is unique to a web server and therefore authenticates the server's identity. When the Secure HTTP protocol is in use, a padlock in the browser status bar is usually what indicates the secure status.

Until now, Secure HTTP provided no obvious means of scripting to automate authentication, decryption/encryption of data, and desired file delivery/receipt handling. Transporter from AP Technology offers unattended web upload and download of client files using Secure HTTP.

The entire communication link between client and server is encrypted through the Secure Socket Layer (SSL), and SHTTP encrypts each message on an individual basis rather than sending them directly as plain text. The encryption includes a public/private encryption key pair (PKI: Public Key Infrastructure) that makes the messages hard to eavesdrop on or decode. The security works in both directions. That is, information passed to the server is encrypted and so is information returned from the server.

The S-HTTP protocol emphasizes maximum flexibility in choice of key management mechanisms, security policies and cryptographic algorithms. Secure HTTP provides a variety of security mechanisms to HTTP clients and servers, as it is intended to be flexible in providing security service options appropriate to the wide range of possible applications over the web. S-HTTP is intended to incorporate different cryptographic message formats into www browsers and servers. This will include PEM, PGP, PKCS-7, CMS, MOSS, RC4, DES, triple-DES, etc.

As mentioned earlier, SSL is a low-level encryption scheme that is used to encrypt transactions in higher-level protocols such as HTTP and FTP. The SSL protocol provides for server authentication (verifying the server's identity to the client), data encryption, and optional client authentication (verifying the client's identity to the server).

S-HTTP and SSL each require the right combination of compatible browser and server to operate, so neither is yet the universal solution. SSL is currently implemented commercially on several different browsers, including Netscape Navigator, Secure Mosaic, and Microsoft Internet Explorer, and many different servers, including ones from Netscape, Microsoft, IBM, Quarterdeck, OpenMarket and O'Reilly and Associates.

Running HTTP over Transport Layer Security (TLS) is another option for securing HTTP. Secure traffic can be distinguished from insecure traffic by using a different server port, in the same way as HTTP over SSL, or there is a method for using HTTP/TLS over the same port as normal HTTP. The TLS Working Group was established in 1996 to standardize their protocol. They began with SSL v3 and in 1999, TLS v1 was published. The primary purpose of the group is to advance the TLS protocol to Internet Standard.

Secure HTTP Advantages

  • Secure HTTP, which is already built into your online banking system, provides an ideal avenue for secure file transfer to and from your corporate clients.
  • Secure HTTP, when implemented properly on the client and server side, is a very secure solution for all types of data transmission for a bank's corporate clients.
  • Secure HTTP protocol emphasizes maximum flexibility in choice of key management mechanisms, security policies and cryptographic algorithms.

Secure HTTP Disadvantages

  • Secure HTTP provides no obvious means of scripting to automate authentication, decryption/encryption of data, and desired file delivery/receipt handling.

Conclusion

This paper has reviewed three protocols that are commonly used for secure data exchange: modem-to-modem TTY, secured FTP, and Secure HTTP.

TTY / Modems - The use of modems for data transfer is diminishing as newer technology gains a foothold. Modems typically offer weak security because data encryption schemes and security software are rarely implemented.

FTP - FTP is a long-standing Internet protocol for data exchange and there are currently many ways to design a secure FTP implementation. The downside is that secure FTP data transfers require servers and clients to be specifically configured to work together - often requiring the same software running at both ends. These secure data exchange solutions can be complex and expensive to implement and maintain.

Secure HTTP - Secure HTTP offers an ideal solution for data since it is already built into your online banking system. Secure HTTP does not offer any obvious path for automating file transfers.

It is worth considering how your bank is currently handling file exchanges to determine if the "client/bank connection" offers the optimum balance of ease of use, access, cost and security. Transporter from AP Technology offers unattended web upload and download of client files using Secure HTTP, SFTP (SSH) and FTP-s (SSL).

AP Technology, a leader in secure data exchange technology facilitating the exchange of data and information between banks and corporations, offers expert knowledge and industry-leading products.


*References
1 Taylor, Laura. "Secure FTP 101." August 2002.
URL: http://www.intranetjournal.com/articles/200208/se_08_14_02a.html
*Other Sources
"Alphabetical List of Dial-up Security Products." Timberline Technologies.
URL: http://www.timberlinetechnologies.com/products/dialup.html
Bitvise Ltd. "SSH2 vs. SSH1." copyright 2001-2003.
URL: www.bitvise.com/ssh2.html.
Karve, Anita. "SSL and S-HTTP: Secure Communication over the Internet." NetworkMagazine.com. January 1997.
URL: http://www.networkmagazine.com/article/NMG20000727S0002
Livingston, Joe. "The Desktop Modem Threat." July 2000.
URL: http://www.giac.org/practical/Joe_Livingston_GSEC.doc
Rescorla, E. (RTFM, Inc.), Schiffman, A. (Terisa Systems, Inc.). Internet Engineering Task Force (IETF) RFC 2660. "The Secure Hypertext Transfer Protocol." August 1999.
URL: http://www.ietf.org/rfc/rfc2660.txt?number=2660
Rescorla, E. (RTFM, Inc.). "HTTP Over TLS." May 2000.
URL: http://www.ietf.org/rfc/rfc2818.txt
"Site VigilT / Reference." URL: www.sitevigil.com/HTTPS.htm
Shirey, R. (GTE / BBN Technologies). Internet Engineering Task Force (IETF) RFC 2828. "Internet Security Glossary." May 2000.
URL: http://www.ietf.org/rfc/rfc2828.txt?number=2828
Treese, Win (Chairman) Transport Layer Security (TLS) Working Group. January 2003
URL: http://www.ietf.org/html.charters/tls-charter.html
Taylor, Laura. "Secure FTP 101." August 2002.
URL: http://www.intranetjournal.com/articles/200208/se_08_14_02a.html
http://www.ccp14.ac.uk/ccp14admin/security/secure_tunnelling_ftp.htm
"Web Security." WindowSecurity.com. October 2002.
URL: http://secinf.net/websecurity/Security_Issues_in_WWW_.html#s6

 