IBM Support

FTP Security Options

Question & Answer


Question

FTP Security Options

Answer

FTP Security Options

Sterling B2B Collaboration Network supports the following security options for FTP routing:

FTP over Secure Sockets Layer (FTP/S)

You can use FTP/S to connect to Sterling B2B Collaboration Network through the FTP/S gateway. SSL is a commonly used protocol for managing the security of a message transmission on the Internet. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate. The use of the digital certificate is the only difference between FTP and FTP/S. The FTP/S gateway supports standard FTP/S with clear control channel (CCC) enabled.

Note: The FTP/S gateway does not support Event-Driven delivery.

A digital certificate is an electronic identification card that proves who you are when doing business or other transactions on the Internet. It can be either self-signed or issued by a certification authority (CA). The certificate contains a company name, a serial number, expiration dates, a copy of your public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so a recipient can verify that the certificate is real. You are sent the IBM digital certificate containing the IBM public key to use the FTP/S gateway. In this RSA system a private key never needs to be sent across the Internet; only the public key is sent. You do not need to send your digital certificate to IBM.

Your system will either upload data to Sterling B2B Collaboration Network through the FTP/S gateway (also called a put or push) or download data from the FTP/S gateway (also called a get or pull).

Note: FTP/S uses two channels, a data channel and a control channel. For the FTP/S gateway service the data channel is encrypted, and the password and user ID are encrypted on the control channel. However, since the remainder of the control channel is clear text, you should not include sensitive information in your filenames.
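The sequence the note describes (TLS on the control channel for the login, an encrypted data channel, then CCC for the rest of the control channel), as an added example using Python's standard ftplib; it is not IBM's code, and the host, credentials, paths and the sensitive-name pattern are assumed placeholders.

```python
import re
import ssl
from ftplib import FTP_TLS

# After CCC the control channel is clear text, so filenames travel in the open.
# This constructed pattern refuses names that look like they embed a secret or a
# card/account number; adapt it to whatever your own data-handling rules forbid.
SENSITIVE_NAME = re.compile(r"(?i)(password|passwd|secret|token|ssn|\d{13,19})")


def filename_is_safe(name: str) -> bool:
    """True when the remote filename carries nothing worth protecting."""
    return SENSITIVE_NAME.search(name) is None


def upload_ftps(host: str, user: str, password: str,
                local_path: str, remote_name: str, use_ccc: bool = True) -> None:
    """Put one file on an FTP/S gateway (assumed host/credentials)."""
    if not filename_is_safe(remote_name):
        raise ValueError(f"refusing to expose a sensitive name on the control channel: {remote_name}")
    ctx = ssl.create_default_context()        # verifies the gateway's certificate chain
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, 21)
    ftps.auth()                               # AUTH TLS: control channel encrypted from here
    ftps.login(user, password)                # user ID and password are sent under TLS
    ftps.prot_p()                             # PROT P: data channel will be encrypted
    if use_ccc:
        ftps.ccc()                            # CCC: remaining commands go in clear text
    with open(local_path, "rb") as fp:
        ftps.storbinary(f"STOR {remote_name}", fp)   # the "put" / push
    ftps.quit()
```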

Secure Shell FTP (SFTP)

The SSH File Transfer Protocol (SFTP) is a network protocol that uses Secure Shell (SSH) to transfer files. SSH uses public-key cryptography to authenticate the remote computer and allow the remote computer to authenticate the user if necessary. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. The entire login session, including the transmission of the password, is encrypted, making it much more difficult for an outsider to observe and collect passwords. By encrypting all traffic, SFTP effectively eliminates eavesdropping, connection hijacking, and other network-level attacks.

SFTP is not simply FTP run over SSH; SFTP is a new protocol. It is functionally similar to FTP, but because it uses a different protocol you cannot use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.

Pretty Good Privacy (PGP)

If you require additional security for your FTP data, you can work with the Network Implementation team to change or set up your account to use Pretty Good Privacy (PGP) over FTP. The PGP feature is set up at the mailslot level.

PGP uses both public-key and private-key cryptography and includes a system that connects the public key to a user's identity. The message recipient must have previously generated a linked key pair, which includes a public key and a private key.

The sender uses the recipient's public key to encrypt a session key, which is then used to encrypt the text of the message. The message recipient decrypts the message using the session key, which was included in the message in encrypted form and is decrypted using the recipient's private key.

A similar strategy is used to detect whether a message has been altered since it was completed and whether it was sent by the company claiming to be the sender. The sender uses PGP to add to the message a signature that is created using the sender's private key.
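The two preceding paragraphs (session key wrapped to the recipient's public key, signature made with the sender's private key) carried through as an added example; this is not IBM's or PGP's code, and it assumes the Python `cryptography` package, substituting RSA-OAEP, AES-GCM and RSA-PSS for the OpenPGP packet formats a real PGP implementation would use.

```python
import os
from cryptography.exceptions import InvalidSignature, InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP wraps the session key to the recipient; RSA-PSS is the sender's
# signature; AES-GCM is the symmetric cipher the session key drives.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)
PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)


def generate_keypair():
    """One party's linked key pair: the private half never leaves that party."""
    private = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private, private.public_key()


def seal(message: bytes, recipient_pub, sender_priv) -> dict:
    """Sender side: sign with own private key, encrypt under a fresh session
    key, and wrap that session key with the recipient's public key."""
    signature = sender_priv.sign(message, PSS, hashes.SHA256())
    session_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(session_key).encrypt(nonce, signature + message, None)
    return {"wrapped_key": recipient_pub.encrypt(session_key, OAEP),
            "nonce": nonce, "ciphertext": ciphertext}


def open_envelope(env: dict, recipient_priv, sender_pub) -> bytes:
    """Recipient side: unwrap the session key with own private key, decrypt,
    then check the signature against the claimed sender's public key."""
    session_key = recipient_priv.decrypt(env["wrapped_key"], OAEP)
    plaintext = AESGCM(session_key).decrypt(env["nonce"], env["ciphertext"], None)
    sig_len = sender_pub.key_size // 8          # an RSA-PSS signature is key-sized
    signature, message = plaintext[:sig_len], plaintext[sig_len:]
    sender_pub.verify(signature, message, PSS, hashes.SHA256())  # raises if altered
    return message


def is_rejected(env: dict, recipient_priv, sender_pub) -> bool:
    """True when the envelope cannot be opened: wrong recipient key, altered
    ciphertext, or a signature that does not match the claimed sender."""
    try:
        open_envelope(env, recipient_priv, sender_pub)
        return False
    except (InvalidSignature, InvalidTag, ValueError):
        return True
```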

Sterling B2B Collaboration Network performs the following actions:

  • Performs PGP decryption and encryption as messages come into and out of its FTP gateways.
  • Verifies and generates digital signatures on inbound and outbound PGP messages.
  • Holds the private PGP keys of hosted customers so that it can send and receive encrypted messages on behalf of those customers. This allows Sterling B2B Collaboration Network to decrypt and process incoming messages that have been encrypted with the public key as well as sign outgoing messages so they appear to come from the hosted customer.
    Note:
    • As your PGP keys approach their expiration, you will receive e-mail notifications informing you of the expiration dates to allow you to update your PGP keys.
    • IBM recommends one PGP lexical unit per PGP encryption.



Document Information

Modified date:
08 December 2018

UID

ibm10758515