FRCC Secure Transfer & Storage
Infrastructure
Training Objectives
• Understand the changes to the data transfer process using PKI
• Installation
• Key management
• Preparation of Evidence
• Creating the encrypted file
• Transfer of file(s) to FRCC using new website
Installation
• Software Installation:
• Installing GNU Privacy Guard for Windows “Gpg4Win”
• The program needs to be downloaded from Gpg4Win Web site http://www.gpg4win.org/
• Download the Current Release (top of the listing)
Double Click the downloaded file.
• Click OK,
• Change the default selection to the following (Next Slide).
• The only ones checked are Kleopatra, GpgEX, Gpg4Win Compendium. Click Next,
Once Gpg4Win has completed the installation process, you will find the following icons on your desktop, if you selected this option during installation. If not, just use the Windows menu.
Key
• Gpg4win is an installer for Windows and contains several Free Software components:
• GnuPG The core; this is the actual encryption tool.
• Kleopatra A certificate manager for OpenPGP and X.509 (S/MIME) and common crypto dialogs. “This is your Key Ring/Manager”
• GPA An alternative certificate manager for OpenPGP and X.509 (S/MIME).
• GpgOL A plugin for Microsoft Outlook 2003/2007/2010 (email encryption). *“Rudimentary support Outlook 2010/2013”
• GpgEX A plugin for Microsoft Explorer (file encryption).
• Claws Mail A complete email application with crypto support.
• Gpg4win Compendium The documentation (for beginner and advanced users), available in English and German.
Key management
• Creation of your Public/Private key pair
• Accessing the FRCC Key Repository – Public Key Storage
• Import FRCC Public Key
• Owner Trust & Certify Certificate on import
Key Management
• Creation of your key pair – Kleopatra
Key Management
• Select “Create a personal OpenPGP key pair”
Key Management
• Enter in all required information, click next when ready
Key Management
• Review information, if correct click “create key”
Key Management
• Having clicked “Create Key”, you will need to enter a password/passphrase
• Needs to be as strong as possible
• Needs to be safeguarded
Key Management
Key pair has been created
Highly suggested to back up your public/private keys
Key Management
• Next step is to import the FRCC public key; you can access our public key from here
• https://www.frcc.com/Compliance/FRCCCompliance/FRCC Public Key Storage
Key Management
Access the folder and download the key to your system for the import process; the site will be active in June 2015
Key Management
• Import a public key
Key Management
• Find and import public key
Key Management
• Once import has completed, you will see confirmation that 1 key has been imported
Key Management
• Once a public key has been imported into your key manager, you must validate trust and certify the key.
Key Management
• Return to your key management program, Kleopatra, and right click the key that has been imported. The menu will provide 2 selections (both are required)
• Change Owner Trust
• Certify Certificate
Key Management
• Menu selections
Step #1
Key Management
• Change Owner Trust
Key Management
• Certify Certificate
Select the highlighted items to certify the certificate (key), click next when ready
Key Management
• You will be prompted for your password / passphrase, enter it and continue
Key Management
• Suggestions
• Backup your key pair to a very secure location
• Limit access to the private part of the key pair
• password/passphrase (this can be changed as needed by you)
Preparation of Evidence
• Some key points:
• Understanding and the importance of sensitivity levels of data being sent
• New file naming convention of encrypted file
• Always include FRCC public key in all encrypted files sent
Preparation of Evidence Packaging
• Identify the sensitivity level of the data being transferred to FRCC
• Most Sensitive
• Sensitive
• General Transfer - includes uploading and downloading
Secure Transfer
Most Sensitive evidence/information such as
• Firewall Rules (redacted)
• Network topologies including IP’s or other documentation with extensive network address information
• Cyber vulnerability assessment results or reports containing specific vulnerabilities
• Physical Security Perimeter drawings
• Read only access, data will not be removed from the vault
Secure Transfer
• Sensitive evidence/information such as
• All other sensitive/confidential evidence/information submitted by registered entity
• Includes both O&P and CIP information
• Can be transferred and used on encrypted laptops etc.
• Will be removed/deleted from laptops etc. after use
Preparation of Evidence Packaging
• Use proper naming conventions of encrypted file prior to transfer
XXXXX.ONP.YYYY-MM-DD.001.gpg
• XXXXX – The first 5 characters of the file name are for the “Entity Acronym”; if an acronym is only 3 characters, please add an underscore _ as the 4th and/or 5th character
• ONP – Evidence Type (CIP, ENF, ONP, TFE, RAM)
• YYYY-MM-DD – Evidence, Audit, or Request Date
• 001 – Package number of file (001 to 999)
• .gpg – File extension is added during creation
• Proper naming allows for automation of FRCC data/evidence handling
Examples for file names
• With a 3 character short name
• DEF__.ONP.2015-03-12.001.gpg
• With a 4 character short name
• FMPA_.ENF.2015-04-20.001.gpg
• With a 5 character short name
• COVPA.RAM.2015-06-17.001.gpg
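A pre-transfer check for the naming convention above, added here as an example and not FRCC's own tooling. The function names are hypothetical, and the rule that acronyms are 3 to 5 upper-case letters or digits is an assumption inferred from the sample names.

```python
import re
from datetime import date

EVIDENCE_TYPES = {"CIP", "ENF", "ONP", "TFE", "RAM"}   # types listed on the slide

# Assumption: acronyms are 3-5 upper-case letters/digits, padded with "_" to 5.
NAME_RE = re.compile(
    r"(?P<entity>[A-Z0-9]{3,5}_{0,2})\.(?P<etype>[A-Z]{3})\."
    r"(?P<day>\d{4}-\d{2}-\d{2})\.(?P<pkg>\d{3})\.gpg"
)


def build_name(acronym, etype, day, package_no):
    """Build a conforming archive name (hypothetical helper)."""
    acronym = acronym.upper()
    if not re.fullmatch(r"[A-Z0-9]{3,5}", acronym):
        raise ValueError("acronym must be 3 to 5 letters or digits")
    if etype not in EVIDENCE_TYPES:
        raise ValueError(f"unknown evidence type {etype!r}")
    if not 1 <= package_no <= 999:
        raise ValueError("package number must be 001 to 999")
    return f"{acronym.ljust(5, '_')}.{etype}.{day.isoformat()}.{package_no:03d}.gpg"


def check_name(name):
    """Return a list of problems; an empty list means the name conforms."""
    m = NAME_RE.fullmatch(name)
    if m is None:
        return ["does not match XXXXX.TYP.YYYY-MM-DD.NNN.gpg"]
    problems = []
    if len(m["entity"]) != 5:
        problems.append("entity field must be exactly 5 characters (pad with _)")
    if m["etype"] not in EVIDENCE_TYPES:
        problems.append(f"unknown evidence type {m['etype']}")
    try:
        date.fromisoformat(m["day"])
    except ValueError:
        problems.append(f"{m['day']} is not a real calendar date")
    if m["pkg"] == "000":
        problems.append("package number must be 001 to 999")
    return problems


if __name__ == "__main__":
    for sample in ("DEF__.ONP.2015-03-12.001.gpg", "DEF.ONP.2015-02-30.000.gpg"):
        print(sample, check_name(sample) or "OK")
```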
Secure Evidence Packaging
• Step #1
• Identify the evidence data to be sent. Create folder(s) based on sensitivity and place the requested data in each folder as needed.
** Please note the individual file name(s) cannot exceed 99 characters in total; this includes dots, spaces, dashes, etc. The compression process used by Gpg4Win will omit the file, and the program doesn’t provide any warning when doing this.
Secure Evidence Packaging
• Example:
Secure Evidence Packaging
• Step #2 - Check Sum/ Hash File
• Create a hash/check sum of your evidence and perform a virus check on all files
• Select evidence files and perform a virus check using your local anti-virus scan software. Include a copy of the anti-virus scan report in a TEXT file “antivirus-check.txt” as part of the evidence package
• Create a hash listing of all your evidence using SHA1 hashing. With the installation of Gpg4Win, a set of tools is installed along with the software. One of the features is the ability to produce a check sum file or hash of all files within a folder
Secure Evidence Packaging
Step #3
• Using the Gpg4Win checksum tool
• Select or highlight the evidence folder that contains all files to be encrypted, then right click to access the Windows context menu. Select the menu option “More GpgEX options”, then select “Create checksums”.
Secure Evidence Packaging
• Once completed it will display where the check sum file has been placed.
Secure Evidence Packaging
• Another tool that can produce the check sum/hash file is a utility called “Multi-hasher”, which can be used to perform the hashing function. Execute “Multi-hasher”, select SHA-1 as the hashing algorithm, and select the folder or files to be hashed.
• A copy of MultiHasher software can be downloaded from website: http://www.abelhadigital.com/multihasher
Secure Evidence Packaging
Select the hash listing of the files and copy/paste it in a text file titled “hash.txt”.
Include the text file with the evidence information you are packaging.
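A pre-packaging check for Steps #1 and #2, added here as an example and not part of the FRCC procedure or Gpg4Win. It flags file names longer than 99 characters (which the note in Step #1 says are omitted without warning) and produces the SHA-1 listing for “hash.txt”; the function names are hypothetical, and the limit is assumed to apply to the file name itself rather than the full path.

```python
import hashlib
import os
import tempfile

MAX_NAME_LEN = 99   # limit stated on the slide; assumed to apply to the file name


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preflight(folder):
    """Return (too_long, listing): over-long names and 'sha1  relative/path' lines."""
    too_long, listing = [], []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if root == folder and name == "hash.txt":
                continue  # do not hash a listing left over from an earlier run
            path = os.path.join(root, name)
            rel = os.path.relpath(path, folder).replace(os.sep, "/")
            if len(name) > MAX_NAME_LEN:
                too_long.append(rel)
            listing.append(f"{sha1_of(path)}  {rel}")
    return sorted(too_long), sorted(listing, key=lambda line: line.split("  ", 1)[1])


def write_hash_file(folder):
    """Refuse to write hash.txt while any file would be dropped from the archive."""
    too_long, listing = preflight(folder)
    if too_long:
        raise ValueError(f"rename before packaging: {too_long}")
    with open(os.path.join(folder, "hash.txt"), "w", encoding="utf-8") as out:
        out.write("\n".join(listing) + "\n")
    return listing


def demo():
    """Constructed sample: one normal file and one with a 100-character name."""
    with tempfile.TemporaryDirectory() as folder:
        long_name = "x" * 96 + ".txt"
        for name in ("firewall-rules.txt", long_name):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"abc")
        flagged, _ = preflight(folder)
        os.remove(os.path.join(folder, long_name))   # stands in for renaming it
        return flagged, write_hash_file(folder)


if __name__ == "__main__":
    print(demo())
```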
Secure Evidence Packaging
• Step #4 – Encryption
• The next steps will guide you in the use of Gpg4Win to encrypt all the files into one encrypted file for sending to the FRCC
Secure Evidence Packaging
• Right click the evidence folder containing the files for encryption
• From the context menu select “Sign & encrypt”
Secure Evidence Packaging
Default dialog menu, see next step for changes needed
Click the button next to “Archive name (OpenPGP):” to enter the correct file name
Secure Evidence Packaging
• Follow steps outlined below in the image, once ready click save
Secure Evidence Packaging
• Using the image as a guide, check the settings on this menu, then click next
Step #4 Cont.
Secure Evidence Packaging
• Select the required certificates to use
Secure Evidence Packaging
Secure Evidence Packaging
• Signing
Secure Evidence Packaging
• Once encryption completes you will see this dialog on the screen. The process has completed successfully
Step #4 Cont.
Secure Evidence Packaging
• Checking our “save” folder we’ll find the newly created file (note file extension has been added)
Secure Transfer
• Access to the new transfer site
• https://securetransfer.frcc.com
• Signing in and Access
• Selecting the correct folder
• “New” – Entity Secure File Transfer
Secure Transfer
• To access the site use the following URL
• The direct link from the FRCC.COM compliance sidebar/menu – OR
• https://securetransfer.frcc.com
• Sign-in using your FRCC.COM website account name and password.
Secure Transfer
Secure Transfer
• After signing in you’ll receive a welcome message
“JAVA” Security Warning
When you sign in you may be prompted with a security warning from Java. Follow your company policy in regards to these types of warnings.
Default response is to check “Do not show this again for this app and web site” and click the “allow” button.
Secure Transfer
Secure Transfer
• When accessing FRCC’s Transfer site
• Select correct transfer folder
• Selection based on data sensitivity
– “XYZ – File Area” – “Entity Secure File Transfer Folder”
– “Secure Vault” – “For Most Sensitive Data”
– “Secure Working” – “For Sensitive Data”
Secure Transfer
• Folder Labeled – “XYZ – File Area”
– NEW “Entity Secure File Transfer Folder”
– Primarily used for FRCC to provide info to the registered entity, but could be used to submit general correspondence to the FRCC
Secure Transfer
• Folder Labeled – “Secure Vault”
– Most Sensitive evidence/information such as
• Firewall Rules (redacted)
• Network topologies including IP’s or other documentation with extensive network address information
• Cyber vulnerability assessment results or reports containing specific vulnerabilities
• Physical Security Perimeter drawings
– Read only access, data will not be removed from the vault
Secure Transfer
• Folder Labeled – “Secure Working”
– Sensitive evidence/information such as
• All other sensitive/confidential evidence/information submitted by registered entity
• Includes both O&P and CIP information
• Can be transferred and used on encrypted laptops etc.
• Will be removed/deleted from laptops etc. after use
Secure Transfer
• Enabling Web Client Pro - Option
It’s recommended, for easier uploading and navigation, to switch to the “Web Client Pro” version of the interface. To enable this feature, access the “Tools” drop down menu, then click on “Enable Web Client Pro”.
You can receive additional “JAVA Security Warnings” when you enable this.
Secure Transfer
• Additional Message(s) for Web Client Pro
Secure Transfer
• Web Pro Enabled
Secure Transfer
• Once you have web pro enabled
– Open (double click the folder for upload)
Secure Transfer
• Drag and Drop Files
Once file is dropped into window transfer starts
Secure Transfer
• Once the transfer has completed successfully, a confirmation email is sent
– FRCC will review the received data to confirm it has been correctly received, based on established policy and procedures using the sensitivity definitions provided; for any data received incorrectly, a request will be made for the entity to resubmit
In Summary
• We have covered
– Installation
– Creation and import of Public/Private Keys
– Packaging of Evidence
– Transfer of encrypted files to FRCC
Questions?
If you have additional questions please send them to the following email address, with subject line of PKI Training