Secure Transfers on z/OS FTP with Data Encryption

In a standard FTP session, all data, including log-in credentials, are transferred in plain text. Anyone able to observe the network path can capture an FTP transmission and read sensitive data, with potentially great loss for a business. Mainframes hold business-critical information, so unprotected FTP use on the mainframe can be fatal for an organization.

File transfer technologies on z/OS
To address the security weaknesses of FTP, the protocol has been extended a number of times with different security protocols and technologies. These provide authentication to identify both ends of a connection, message integrity to ensure messages are not altered in transit, confidentiality to prevent eavesdropping, and non-repudiation to provide undeniable proof that a message was sent and received, and by whom. They help to mitigate identity theft, theft of service, and eavesdropping, and they ensure accountability. Most of these technologies provide similar functions; they differ chiefly in the layer of the IP stack at which they operate.

On the z/OS platform, the most common technologies for secure file transfer are IPSec, SSH, and SSL/TLS.

Understanding SSL/TLS
FTP over SSL/TLS, better known as FTPS, is an extension that secures regular FTP with the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) cryptographic protocols. SSL is the original version of the technology; TLS is its successor. SSL/TLS is commonly used to protect HTTP sessions (the HTTPS protocol) as well as FTP sessions (FTPS).

SSL and TLS are widely recognized protocols that establish an authenticated and encrypted channel between the client and the server and allow mutual authentication. Strong authentication, privacy, message integrity, algorithm flexibility, and ease of deployment and use are a few of the benefits of using SSL/TLS over other methods. On z/OS, SSL/TLS can be enabled by configuring AT-TLS (Application Transparent TLS), which applies SSL/TLS at the TCP transport layer of the TCP/IP stack, so that individual applications do not have to implement it themselves.

Cryptographic encryption
In cryptographic encryption, mathematical algorithms transform data so that it is unreadable without the secret key. Within a given algorithm, the longer the key, the stronger the protection. The chief limitation of cryptographic encryption is that it is CPU-intensive: it increases processor load and thus affects system performance.

There are two types of encryption keys: symmetric and asymmetric.

Symmetric keys
Also known as conventional cryptography or secret-key encryption, this strategy requires both the client and the server to share a common key, which is used both to encrypt and to decrypt a message. This type of encryption is fast and is often used for bulk encryption/decryption. The major disadvantage is the task of securely exchanging the key.
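The following is an added example, not code from the original article or from IBM, showing the symmetric model in working Go using only the standard library: one shared key (AES-256 here) both seals and opens the data. The function names and the sample record are constructed for illustration. It also shows the two failure modes a transfer must care about: a peer holding a different key gets an error rather than plaintext, and a single flipped bit in transit is detected because AES-GCM authenticates the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newSymmetricKey returns a fresh 32-byte key for AES-256. Both ends of the
// transfer must hold this same key; getting it to the peer securely is the
// key-distribution problem the text describes.
func newSymmetricKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// encryptSymmetric seals plaintext with AES-256-GCM under the shared key.
// A random 12-byte nonce is generated per message and prepended to the
// ciphertext so the receiver can recover it; GCM also appends an
// authentication tag, so any later modification is detected on decryption.
func encryptSymmetric(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce: nonce || ciphertext || tag.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptSymmetric reverses encryptSymmetric with the same shared key. It
// returns an error if the key differs or if the blob was tampered with.
func decryptSymmetric(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short to contain a nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample record standing in for a file being transferred.
	record := []byte("ACCT 000123 DEPOSIT 4500.00")

	key, err := newSymmetricKey()
	if err != nil {
		panic(err)
	}
	blob, err := encryptSymmetric(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d plaintext bytes into %d bytes\n", len(record), len(blob))

	plain, err := decryptSymmetric(key, blob)
	fmt.Printf("shared key: %q, err=%v\n", plain, err)

	// A peer without the exact same key gets nothing usable, only an error.
	otherKey, _ := newSymmetricKey()
	_, err = decryptSymmetric(otherKey, blob)
	fmt.Println("wrong key rejected:", err != nil)

	// Flipping one ciphertext bit in transit is caught by the GCM tag.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = decryptSymmetric(key, tampered)
	fmt.Println("tampering detected:", err != nil)
}
```

The nonce is sent in the clear; what must stay secret is only the key, which is exactly why distributing it safely is the hard part of the symmetric approach.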

Asymmetric keys
Also known as public-key cryptography, this method uses two different keys: the public key for encryption and the private key for decryption. You can send me your public key; I can then encrypt and send you a message that only you can read, because only you hold the private key. Data encrypted with the public key can only be decrypted with the private key, and the private key cannot be practically derived from the public key. Drawbacks of this method, however, are expensive computation, slower speed, and poor performance for bulk encryption.

Digital signatures
A digital signature holds a message digest (a fixed-length value mathematically derived from the message data) encrypted with the sender's private key. Anyone can decrypt the signature with the public key, though only the signer can create it. Anyone can also recompute the digest from the received message and compare it to the one recovered from the signature. If the two digests match, the message has not been tampered with. Thus a digital signature confirms that the authorized person sent precisely this message; no one else has modified the text or tampered with the signature. In this way, digital signatures ensure the integrity of the message and provide non-repudiation.
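The following is an added example, not code from the original article or from IBM, that covers both the asymmetric-key and digital-signature paragraphs above with one RSA key pair per party, using only Go's standard library. The function names and the sample message are constructed for illustration. Encryption uses the recipient's public key (RSA-OAEP); signing hashes the message with SHA-256 and signs the digest with the sender's private key (PKCS#1 v1.5), which is the "digest encrypted with the private key" construction the text describes. Verification recomputes the digest and fails if the message, the signature, or the public key is not the right one.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// generateKeyPair creates a 2048-bit RSA key pair. The PublicKey field can be
// handed to anyone; the private key never leaves its owner.
func generateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// encryptForRecipient encrypts a short message so that only the holder of the
// matching private key can read it (RSA-OAEP with SHA-256 padding).
func encryptForRecipient(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// decryptWithPrivate recovers a message encrypted with the matching public key.
// A different private key yields a decryption error, not the plaintext.
func decryptWithPrivate(priv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, ciphertext, nil)
}

// signMessage hashes the message to a fixed-length digest and signs that digest
// with the sender's private key.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifySignature recomputes the digest of the received message and checks it
// against the digest recovered from the signature with the sender's public
// key. Any change to the message or the signature makes this return false.
func verifySignature(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	sender, err := generateKeyPair()
	if err != nil {
		panic(err)
	}
	receiver, err := generateKeyPair()
	if err != nil {
		panic(err)
	}

	// Constructed sample message standing in for a transferred file.
	msg := []byte("TRANSFER 250000.00 TO ACCT 000987")

	// Confidentiality: encrypt with the receiver's public key.
	ct, _ := encryptForRecipient(&receiver.PublicKey, msg)
	plain, err := decryptWithPrivate(receiver, ct)
	fmt.Printf("receiver decrypts: %q (err=%v)\n", plain, err)
	_, err = decryptWithPrivate(sender, ct)
	fmt.Println("wrong private key rejected:", err != nil)

	// Integrity and non-repudiation: sign with the sender's private key.
	sig, _ := signMessage(sender, msg)
	fmt.Println("genuine message verifies:", verifySignature(&sender.PublicKey, msg, sig))
	tampered := bytes.Replace(msg, []byte("000987"), []byte("000988"), 1)
	fmt.Println("altered message verifies:", verifySignature(&sender.PublicKey, tampered, sig))
	fmt.Println("someone else's key verifies:", verifySignature(&receiver.PublicKey, msg, sig))
}
```

Note that RSA-OAEP can only encrypt a message shorter than the modulus; in practice the public key protects a short symmetric session key and the bulk data is encrypted symmetrically, which is the division of labour the "poor performance for bulk encryption" remark above leads to.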