OFTP2

from Wikipedia, the free encyclopedia

OFTP2 is the second generation of the OFTP file transfer protocol and stands for "Odette File Transfer Protocol 2". In contrast to FTP, a file transfer that has already started can be resumed after the connection is interrupted, and complete receipt can be confirmed by the receiving computer. Both features were, and still are, essential because OFTP is used to transfer large files (CAD drawings, etc.). In its first version the protocol did not require encryption and was mainly operated over ISDN connections, as these were much harder to intercept. OFTP2 added the use of TLS (or its predecessor SSL), which enables secure, up-to-date data transmission over the Internet.

The procedure and sequence of the processes to be handled with OFTP2 must be checked in advance against the company's data security guidelines and adjusted if necessary. The type of files to be transferred and their level of confidentiality set the framework for selecting and classifying IT security measures. When choosing the OFTP2 software to be used, it must be ensured that the program has successfully passed the Odette interoperability tests.

OFTP2 security technology - encryption

Three IT security levels have been defined for the use of OFTP2 software:

  1. Security of the connection: The file transfer runs over a TCP/IP connection, the predominant network protocol in IT, in which each data packet is encrypted with TLS (or SSL). Certificates follow the X.509 standard, which underpins the PKI (Public Key Infrastructure); the CMS format is used for the encrypted and signed data and enables the creation of digital signatures.
  2. Data encryption: OFTP2 encrypts the files asymmetrically and therefore uses a matching key pair (private and public key). The recipient's public key is sent or otherwise communicated to the transfer partner, who encrypts the data with it; only the holder of the matching private key, the recipient, can decrypt the data. In this way only the recipient can make the data readable.
  3. Verification and signing: Using so-called hash values, the files and the transferred file segments are integrity-checked and signed with the sender's own private key, so that their origin can be identified. This allows large files to be transferred safely.
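The three levels above combine in practice as one sealed file: the file body is encrypted under a fresh symmetric key, that key is wrapped to the recipient's public key, and a hash of the contents is signed with the sender's private key. The following Go program is an added example and is not part of the Wikipedia article or of any OFTP2 implementation; it shows that combination with RSA-OAEP, AES-GCM, SHA-256 and RSA-PSS. The `SealedFile` structure, the `Seal`/`Open` functions and the sample payload are constructed for illustration and do not reproduce the CMS wire format that OFTP2 actually uses; the TLS layer (level 1) is not shown.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// SealedFile is a simplified stand-in for the CMS envelope OFTP2 wraps a file in
// (illustrative structure, not the CMS wire format): the body is encrypted with
// a fresh AES-256-GCM key, that key is wrapped to the recipient's RSA public key,
// and the SHA-256 hash of the plaintext is signed with the sender's private key.
type SealedFile struct {
	WrappedKey []byte // file key encrypted with RSA-OAEP to the recipient's public key
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM output (includes the authentication tag)
	Signature  []byte // RSA-PSS signature over SHA-256(plaintext) by the sender
}

// GenerateKeyPair creates a partner's RSA key pair; the public half is what gets
// exchanged with the transfer partner.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts plaintext for the recipient and signs it as the sender.
func Seal(plaintext []byte, recipientPub *rsa.PublicKey, senderPriv *rsa.PrivateKey) (*SealedFile, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)

	// Only the holder of the recipient's private key can unwrap the file key (level 2).
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	// The signature binds the file's hash to the sender's private key (level 3).
	digest := sha256.Sum256(plaintext)
	sig, err := rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SealedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext, Signature: sig}, nil
}

// Open unwraps the file key with the recipient's private key, decrypts, and verifies
// the sender's signature over the plaintext hash. A wrong recipient key, tampered
// ciphertext or a wrong sender key each yield an error rather than silently accepted data.
func Open(sf *SealedFile, recipientPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	fileKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, sf.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: not encrypted to this recipient")
	}
	gcm, err := newGCM(fileKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, sf.Nonce, sf.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext failed integrity check")
	}
	digest := sha256.Sum256(plaintext)
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, digest[:], sf.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify under the claimed sender's public key")
	}
	return plaintext, nil
}

// newGCM wraps an AES-256 key in a GCM AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

The order of checks in `Open` matters for a receiver: the authenticated cipher detects any modification of the ciphertext before the plaintext is touched, and the signature check is what ties the file to the partner whose public key was exchanged and confirmed beforehand; a file that decrypts correctly but carries a signature from an unknown key is still rejected.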

IT authentication and certificates

In a special list (TSL = Trust Service Status List), all certificate issuers (CAs) that have been checked according to defined IT standards are recorded. When a transfer partner receives a certificate, it consults this list to check whether the issuer is trusted. OFTP2 offers the following three mechanisms for generating certificates, each of which should additionally be confirmed by telephone or other means to increase security:

  1. Self-signed certificates: The certificate is generated by the partner itself.
  2. Certificates from an authorized body (certificate authority (CA)): The partners receive the certificate from one - or possibly several - bodies.
  3. Mutually signed certificate: A partner sends a certificate that is countersigned by the remote station (the recipient) and sent back.

Establishing a secure IT connection via OFTP2

As a rule, data transfers are initiated from both sides, which is why the prerequisites for creating the certificates should be met by all partners. Setup can proceed in several stages.

  • Stage 1: Basic connection via TLS: The simplest and least secure form of transmission is a TCP/IP connection whose data stream is encrypted with TLS. Only the point-to-point connection is secured with keys, not the data itself, and no authentication of the partners takes place.
  • Stage 2: Exchange of encrypted and signed data via OFTP2: Here the exchange of certificates must be arranged in advance. Usually a certificate is requested from a CA before the file transfer; it makes sense to request the full functionality for both connection and data encryption (including the root certificate).

The owner of the certificate notifies the recipient of the public key (part of the certificate). The recipient verifies this information against the TSL through its OFTP2 software.

The certificates only need to be exchanged once, before the first transfer. In addition to the automatic synchronization of the systems, the exchanged certificates should also be authenticated by telephone or email for security.
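The three certificate mechanisms listed under "IT authentication and certificates" and the trust-list check described in this section lead to the same decision on the receiving side: accept the partner's certificate only if it was issued by a trusted CA, was countersigned by the receiving station itself, or is a self-signed certificate that was pinned after out-of-band confirmation. The following Go program is an added example, not code from the Wikipedia article or from any OFTP2 product; the `Identity` type, the `issue`, `NewIdentity`, `Countersign`, `TrustList` and `VerifyPartner` functions and all names are constructed for illustration, ECDSA P-256 keys are used only for brevity, and the in-memory certificate pool stands in for the TSL lookup an OFTP2 implementation would perform.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Identity is a partner or CA: its private key and its certificate.
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue builds a certificate for pub under the subject name cn. With issuer == nil the
// certificate is self-signed by signer; otherwise issuer's certificate and key sign it.
func issue(cn string, isCA bool, pub *ecdsa.PublicKey, issuer *Identity, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// Partner certificates authenticate the TLS session in both directions.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	parent := tmpl
	if issuer != nil {
		parent = issuer.Cert
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewIdentity creates a key pair and certificate. With ca == nil the certificate is
// self-signed (a private CA when isCA is true, otherwise mechanism 1 on the page);
// with a ca it is issued by that authority (mechanism 2).
func NewIdentity(name string, isCA bool, ca *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signer := key
	if ca != nil {
		signer = ca.Key
	}
	cert, err := issue(name, isCA, &key.PublicKey, ca, signer)
	if err != nil {
		return nil, err
	}
	return &Identity{Key: key, Cert: cert}, nil
}

// Countersign models mechanism 3: the remote station signs the partner's existing
// public key with its own CA key and returns the certificate for the partner to use.
func Countersign(partner *Identity, station *Identity) (*x509.Certificate, error) {
	return issue(partner.Cert.Subject.CommonName, false, &partner.Key.PublicKey, station, station.Key)
}

// TrustList is the receiver's local trust store, the analogue of the TSL lookup: CA
// certificates plus any self-signed partner certificates pinned after out-of-band confirmation.
func TrustList(trusted ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	return pool
}

// VerifyPartner accepts a presented certificate only if it chains to (or is) an entry
// in the trust list and is valid for client authentication at the current time.
func VerifyPartner(presented *x509.Certificate, trust *x509.CertPool) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     trust,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}
```

Note that a self-signed partner certificate is rejected until it is explicitly added to the trust list, which is exactly why the article insists on confirming such certificates by telephone or email before the first transfer: pinning an unconfirmed self-signed certificate would make the trust decision depend solely on the sender of the file.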
