Using SFTP in NIST 800-131a compliance mode

Using Secure File Transfer Protocol (SFTP) ensures that data is transferred securely over a private, protected data stream. SFTP is the standard data transmission protocol for use with the SSH2 protocol.

Before establishing a connection, the SFTP server sends an encrypted fingerprint of its public host keys so that the client can confirm it will be exchanging data with the correct server. When the connection is first established, the key is not yet known to the client program and must be confirmed by the user before any data is exchanged. After connecting to an SFTP server and verifying that it is the correct server, save the fingerprint information locally. On each new connection you can then compare the server's fingerprint against the saved data, which ensures that no one is sitting between you and the server. A server issues its fingerprint only once, and the fingerprint is generated by the server's private key. As per the NIST SP 800-131a standard, Sterling B2B Integrator supports specific key lengths in the different security modes.

As part of SFTP Client NIST 800-131a compliance, every security-related configurable parameter is validated against the NIST 800-131a restrictions when the SFTP Client Begin Session service runs. If a non-compliant parameter is found, the communication fails, an error is logged in the SFTP client log, and the process status reports the NIST 800-131a non-compliance.

Compliance is validated for these areas:
  • Ciphers
  • Macs
  • Known host keys
  • User Identity keys
You can use these key lengths for NIST 800-131a mode to establish client-server communication:

Table 1. Key lengths and NIST 800-131a compliance

Key type   Key length (bits)     NIST 800-131a compliance
SSH1-RSA   768, 1024, 1536       Non-compliant
SSH1-RSA   2048                  Strict
SSH2-DSA   768, 1024, 1536       Non-compliant
SSH2-DSA   2048                  Strict
SSH2-RSA   768, 1024, 1536       Non-compliant
SSH2-RSA   2048                  Strict

If you are running in NIST 800-131a compliance mode and your SFTP server adapters are configured in non-compliant mode, you can view the Advanced State from the Services Configuration page. A state of Start failed appears and the adapter is disabled.

SFTP Client GPM

If you are running in NIST 800-131a compliance mode, the SFTP Begin Session Service configuration in the GPM shows only the values that are compliant with NIST 800-131a strict mode.

SSH Remote Profile

The SFTP Client Begin Session service can be configured using the Profile Id of an SSH Remote profile. This profile holds all the information about the remote server that the client uses for the connection. When running in NIST 800-131a compliance mode, only compliant values are offered during profile configuration, and existing profiles that contain non-compliant information are highlighted in red with the message "Not NIST SP800-131a compliant".

Known Host Key

All keys must match the NIST SP 800-131a standard. Only the compliant keys are enabled for SSH Known Host Key. All others are disabled.

If you attempt to check in a non-compliant key, an error indicates that the key is NOT NIST SP800-131a compliant, the check-in fails, and a message is logged in the ui.log file. Only keys that comply with the NIST SP 800-131a standard can be used when running in NIST 800-131a strict or compliance mode.

If you attempt to enable a non-compliant key, an error occurs and this message appears: "Unable to enable the selected key. Not NIST SP800-131a compliant."

If a Fetch Key is attempted and the fetched key(s) do not meet the NIST 800-131a standard, the check-in fails.

Authorized User Key

If you attempt to check in non-compliant keys, the check-in fails and the non-compliant key is disabled.

User Identity Key

During key creation, only compliant key options are listed. Non-compliant keys are rejected at check-in.

Host Identity Key

Key length is restricted to NIST 800-131a compliant values during key creation, and only NIST 800-131a compliant keys are shown as enabled. Non-compliant keys are rejected at check-in.

If you attempt to enable a non-compliant key, an error occurs and this message appears: "Not NIST SP800-131a compliant."

Client and Server Communication

When the client and server negotiate ciphers and MACs, only NIST 800-131a compliant ciphers and MACs are used in NIST 800-131a compliance mode.

Limitation of Third Party Communications When in Strict Mode for SFTP

For Sterling B2B Integrator versions 05020402 and higher, public and private SSH keys generated by Sterling B2B Integrator have Q values of 256 bits. This is the default behavior, and it affects some communications that use 2048-bit DSA keys. Sterling B2B Integrator to Sterling B2B Integrator SFTP communication is not affected. Communication with third-party applications using DSA keys is not affected when the keys were generated externally, because those keys have Q values of 160 bits; however, if the keys are generated through Sterling B2B Integrator, communication may fail where the third-party application cannot process DSA keys with Q values of 256 bits. In this case, the client or server fails at the key verification step with an error that it cannot process 2048-bit DSA keys. To resolve this issue, create the 2048-bit DSA keys with an external tool, such as PuTTYgen, that produces a Q value of 160 bits.
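As an added example (not part of the Sterling B2B Integrator documentation or product), the following Python parses an OpenSSH public key line (ssh-rsa or ssh-dss), reads the RSA modulus or DSA p length, applies the Table 1 classification, and flags the 256-bit DSA Q case described above. The sample keys are constructed from synthetic numbers of the required size, not real key material, and the 2048-bit strict threshold is taken from Table 1.

```python
import base64
import struct
STRICT_MIN_BITS = 2048  # Table 1: 2048-bit RSA/DSA keys are accepted in strict mode

def _read_string(blob, off):
    (n,) = struct.unpack_from(">I", blob, off)  # SSH string: uint32 length + bytes
    return blob[off + 4:off + 4 + n], off + 4 + n

def _mpint_bits(raw):
    # SSH mpint is big-endian two's complement; a leading 0x00 pad adds no bits.
    return int.from_bytes(raw, "big").bit_length()

def parse_openssh_key(line):
    """Return (key_type, key_bits, dsa_q_bits or None) for an OpenSSH public key line."""
    blob = base64.b64decode(line.split()[1])
    key_type, off = _read_string(blob, 0)
    if key_type == b"ssh-rsa":
        _e, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return key_type.decode(), _mpint_bits(n), None
    if key_type == b"ssh-dss":
        p, off = _read_string(blob, off)
        q, _ = _read_string(blob, off)
        return key_type.decode(), _mpint_bits(p), _mpint_bits(q)
    raise ValueError("unsupported key type: " + key_type.decode(errors="replace"))

def classify(line):
    """Classify a key as the page's Table 1 does and flag the 256-bit DSA Q interop case."""
    key_type, bits, q_bits = parse_openssh_key(line)
    verdict = "Strict" if bits >= STRICT_MIN_BITS else "Non-compliant"
    notes = []
    if q_bits == 256:
        notes.append("DSA Q is 256 bits: third-party peers may fail at key verification")
    return {"type": key_type, "bits": bits, "q_bits": q_bits, "verdict": verdict, "notes": notes}

# Constructed sample keys: synthetic numbers of the desired size, not real key material.
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(v):
    return _ssh_string(v.to_bytes(v.bit_length() // 8 + 1, "big"))  # +1 byte keeps sign bit clear

def make_rsa_line(modulus_bits):
    n = (1 << (modulus_bits - 1)) | 1
    return "ssh-rsa " + base64.b64encode(_ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)).decode()

def make_dsa_line(p_bits, q_bits):
    p, q, g, y = (1 << (p_bits - 1)) | 1, (1 << (q_bits - 1)) | 1, 2, (1 << (p_bits - 2)) | 3
    blob = _ssh_string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(g) + _mpint(y)
    return "ssh-dss " + base64.b64encode(blob).decode()
```

Run classify() over the lines of a known_hosts or authorized_keys file to see which entries the strict-mode check would reject, and which DSA keys carry the 256-bit Q that some third-party peers cannot process.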