Latest updates to the OFTP2 protocol

The Odette OFTP2 Experts Group regularly reviews the protocol in order to ensure that it continues to meet current business and security requirements. The group has recently recommended several updates to the OFTP2 Implementation Guidelines to ensure that the large and growing OFTP2 community remains secure.

In recent years certain vulnerabilities have been identified in the TLS protocol. The OFTP2 Expert Group has considered the possible impact of these vulnerabilities on the OFTP2 protocol and has taken a number of steps to address it.

Extension of available ciphers for file-security during data exchange
With SHA-1 considered breakable in the near to medium future, SHA-256 and SHA-512 were added as supported hash algorithms for secured file exchanges.

TLS 1.0 declared obsolete
Since a significant number of vulnerabilities have been found in TLS 1.0 and were fixed in later versions of the protocol, TLS 1.0 is now declared obsolete by the OFTP2 Expert Group and the use of higher versions is recommended. TLS 1.0 will, however, continue to be supported until all OFTP2 certified software providers have had sufficient time to change their underlying TLS libraries and perform tests to ensure functionality. TLS 1.0 will then be declared as unsupported.

Use of Perfect Forward Secrecy with TLS
Many TLS libraries ship with default configurations that prefer key-exchange protocols relying solely on the private key of the server. If an attacker gained access to this key, all past TLS sessions (if they were recorded in encrypted form) and all future ones would be decipherable. This previously rather theoretical scenario became a reality with the discovery of the Heartbleed bug in the OpenSSL libraries that were commonly used in systems all over the world. As a consequence, the OFTP2 Expert Group has decided to declare PFS ciphers mandatory and to be preferred over non-PFS ciphers in certified OFTP2 products. To ensure the continued interoperability of all certified OFTP2 software, the providers of these products took part in a new test cycle to check that communication is successful with PFS-based ciphers and that there are no problems with interoperability. The following software products were tested and fully comply with the new requirement:

  • Axway
  • c-works
  • Cleo
  • DAL
  • Data Interchange
  • Edicom
  • Huengsberg
  • Lobster
  • Numlog
  • Rocket Software
  • RSSbus
  • Seeburger
  • T-Systems
  • TTO
  • TX2 Concept
  • Xware
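
The "mandatory and preferred over non-PFS" rule above can be checked mechanically against a server's cipher preference list. The following is an added example, not code from Odette or any listed product; it assumes OpenSSL-style suite names, and the function names and sample lists are constructed for illustration.

```python
import ssl

# OpenSSL name prefixes for authenticated ephemeral key exchange (assumption:
# suites are given in OpenSSL naming, e.g. "ECDHE-RSA-AES256-GCM-SHA384").
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")


def is_pfs(suite):
    """True if the suite name implies an ephemeral (forward-secret) key exchange."""
    # TLS 1.3 suites (TLS_AES_..., no "_WITH_") always use ephemeral (EC)DHE.
    if suite.startswith("TLS_") and "_WITH_" not in suite:
        return True
    # Static "ECDH-"/"DH-" and plain RSA suites such as "AES256-SHA" do not match.
    return suite.startswith(PFS_PREFIXES)


def audit_order(suites):
    """Audit a preference list (most preferred first).

    Returns (compliant, findings): compliant means at least one PFS suite is
    offered and no non-PFS suite is ranked above a PFS suite.
    """
    pfs_ranks = [i for i, s in enumerate(suites) if is_pfs(s)]
    if not pfs_ranks:
        return False, ["no PFS suite offered"]
    last = pfs_ranks[-1]
    findings = [
        f"non-PFS {s} (rank {i + 1}) preferred over PFS {suites[last]} (rank {last + 1})"
        for i, s in enumerate(suites[:last]) if not is_pfs(s)
    ]
    return not findings, findings


def local_default_suites():
    """Preference-ordered suite names of this interpreter's default TLS context."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


# Constructed sample preference lists, not taken from any OFTP2 product.
LEGACY = ["AES256-SHA", "AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]
HARDENED = ["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384", "AES256-SHA"]
STATIC_ONLY = ["AES256-SHA", "ECDH-RSA-AES128-SHA"]

if __name__ == "__main__":
    samples = {"legacy": LEGACY, "hardened": HARDENED,
               "static-only": STATIC_ONLY, "local default": local_default_suites()}
    for label, suites in samples.items():
        ok, findings = audit_order(suites)
        print(label, "OK" if ok else "FAIL", findings)
```

The check covers only ordering and presence; anonymous suites (ADH, AECDH) are deliberately counted as non-compliant because they do not authenticate the server.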