HMRC Secure Electronic Transfer (SET)
Installation and key renewal overview
Version 3.0
HM Revenue & Customs
Contents
Welcome to HMRC SET 1
What will you need to use HMRC SET? 2
HMRC SET high level diagram 3
The six steps to joining HMRC SET 4
Joining HMRC SET 4
Security essentials 5
Overview – Generating TLS, to and from Certificate Signing Requests 5
Step 1 – Generate Certificate Signing Requests and submit for signing 6
Step 2 – Install TLS Certificate and install Government Gateway Root Certificate 7
Step 3 – Register and enrol on the HMRC SET service 7
Step 4 – Create and import the private and public (Encryption and Signing) key pairs 8
Step 5 – Test the HMRC SET connection and Encryption Keys 9
Step 6 – Complete and return file transfer schedule 10
HMRC SET key renewal 10
Glossary 11
How does HMRC SET work?
HMRC SET uses a combination of encryption keys and digital certificates to secure data returns for transfer through the Government Gateway.
Organisations create a Transport Layer Security (TLS) certificate during the HMRC SET installation process to facilitate the use of the HMRC SET web pages via Government Gateway.
Encryption keys are created in conjunction with the HMRC SET Customer Management Team and an HMRC approved Certificate Authority (CA). A combination of HMRC’s and the organisation’s keys are then used to encrypt/decrypt data returns for transfer across the secure HMRC SET website. Automated HMRC SET e-mail messages act as receipts of your organisation’s data transfer.
Help and assistance
The dedicated HMRC SET Customer Management Team can provide further documentation, help and assistance as required.
E-mail: [email protected]
Telephone: +44 (0) 3000 597222
Welcome to HMRC SET
What is HMRC SET?
HMRC provides the Secure Electronic Transfer (SET) service, which is hosted by the Government Gateway website and enables organisations to transact data with HMRC securely over the Internet by utilising a combination of encryption keys and digital certificates.
Contact the HMRC SET Customer Management Team to discuss the types of data that can be transferred using HMRC SET. Please note it is forbidden to transfer executable (.exe) files via the HMRC SET service.
What will you need to use HMRC SET?
Pre-requisites
• PC with Internet access for the installation of software and an active e-mail account to receive electronic confirmation of data transfers, certificates and keys.
• SRN (SET Reference Number) issued by HMRC SET Customer Management Team.
• Government standard certificate generation and encryption software.
• You will need to liaise with an HMRC approved Certificate Authority (the HMRC SET Customer Management Team maintain a current list of acceptable organisations).
• Certificate Authorities must
    • Be able to read and include the appropriate identity information (organisation name, e-mail address etc) from Certificate Signing Request (CSR) files.
    • Be able to validate organisation’s identities to Extended Validation (EV) level.
    • Be HMG Level 2 compliant or be members of an HMG Level 2 compliant regulatory Trust Scheme, such as T-Scheme or Webtrust.
    • Maintain online Certificate Revocation Lists (CRL) of revoked certificates.
    • Provide Root and/or Intermediary certificate(s) to prove the authenticity of their signature on organisation’s certificates.
• Signed certificates containing encryption keys which must be
    • Of type RSA x509 v3 using SHA1 signature algorithms.
    • A size of 2048 bits (or 4096 bits for a TLS).
    • RFC4880 compliant (for example PGP™ encryption standard).
• Certificate validity periods are at your organisation’s discretion.
• Approval from the HMRC SET Customer Management Team advising you are able to transfer files via HMRC SET.
HMRC SET high level diagram
[Diagram: Your organisation; Encryption software (encrypt/decrypt your files); Send/receive encrypted files via Government Gateway; HMRC encrypt/decrypt your files. Labels: Exchanging files; Your files; HMRC.]
Software download
(Certificate software and encryption software)
Step 1
Create certificates and keys for signing, submit to CA and submit TLS.csr to HMRC SET Customer Management Team
Step 2
Receive signed TLS certificate from HMRC SET Customer Management Team, create and install signed TLS and Root certificates
Step 3
Register on Government Gateway and enrol on HMRC SET service
Step 4
Receive certificates from CA, create and import encryption keys. Send certificates received from CA to HMRC SET Customer Management Team
Step 5
Await approval to test, test encryption keys and HMRC SET connection
Step 6
Complete File Transfer Schedule and await approval to submit live files
Joining HMRC SET
[Diagram: swim lanes for the HMRC SET Customer Management Team, the Organisation (Customer) and the Certificate Authority.]
Organisation (Customer)
Step 1 Download, install certificate generation and encryption software. Generate CSRs and send for signing
Step 2 Install TLS and Government Production Root certificates
Step 3 Register on the GGW and enrol on HMRC SET
Step 4 Create and import encryption and signing keys. Send signed certificates received from CA to HMRC SET Customer Management Team
Step 5 Await approval to test encryption keys and HMRC SET Connection and then test. Complete live proving
Step 6 Complete File Transfer Schedule and submit to HMRC SET Customer Management Team.
Exchange live files
HMRC SET Customer Management Team
Sign and return TLS Certificate Signing Request (CSR)
Install organisation PUBLIC key pair on HMRC SET Servers and raise live proving Data Movement Requests (test DMRs)
Confirm test DMRs in place
HMRC SET Customer Management Team arrange to approve file transfers
Notify customer file transfer approved
Certificate Authority
Sign PUBLIC encryption and signing key – “To” and “From” Certificate Signing Requests (CSRs)
The six steps to joining HMRC SET
Step 1 Receive HMRC SET Installation Pack, download and install certificate generation and encryption software. Generate all Certificate Signing Requests (CSRs) and send them to appropriate recipient for signing.
Step 2 Receive, rename and install Government Gateway signed TLS certificate and Gateway Production Root certificate.
Step 3 Register on the Government Gateway website and enrol on the HMRC SET service.
Step 4 Create and import the Private encryption and signing key pair. Send signed certificates received from CA to the HMRC SET Customer Management Team. Import HMRC Public “To” and “From” keys.
Step 5 Test encryption keys and HMRC SET connection by exchanging a test file with HMRC via the Government Gateway.
Step 6 Complete a File Transfer Schedule (located in your HMRC SET Installation Pack) of intended returns for HMRC to pre-approve. You are now ready to exchange live files.
Overview – Generating TLS, to and from Certificate Signing Requests
Use Government standard certificate creation software to raise all 4096 bit and 2048 bit Certificate Signing Requests (CSRs). When entering the commands to create each CSR you will be requested to complete the following information:
Certificate Signing Request (CSR) Identity Parameters
Password (for the Private key)           <free text> (record securely as this will be required when using the keys)
Country name                             <free text>
State or Province                        <free text>
Locality                                 <free text>
Organisation                             <free text>
Organisational Unit (Department)         <free text>
Common name                              <Organisation><SRN>LIVE<DDMMYY>
E-mail address                           <free text>
Challenge password                       leave blank (press Enter)
An optional company name                 leave blank (press Enter)
Certificate security principles
You should follow your local security policies to retain your certificate passwords and components (CSR, Private key, Root certificates). These are required at different stages when making, using and rebuilding your keys. Private keys must be kept secret. HMRC requires compromised keys to be replaced.
If you need to be able to export your Private TLS from your Internet browser, you should import it as “exportable”.
In order to prevent unknown signer warnings in an encryption tool’s verification history, create a local key and use it to sign all the HMRC SET keys as trusted.
Opening or overwriting a certificate can corrupt it beyond use. Move certificates using copy and paste.
Security essentials
Manage your password security – these are required for daily use and User ID/ Account resets (and are unrecoverable if lost).
Never open or overwrite a Private certificate – this will corrupt it and a replacement will be required.
Keep your Private keys secure – these will be required for certificate rebuilds and compromised keys require replacement.
Step 1 – Generate Certificate Signing Requests and submit for signing
Generate a TLS Certificate Signing Request
(required to enable access to the HMRC SET service via the Government Gateway)
Use Government standard certificate creation software to raise a 4096 bit Certificate Signing Request (CSR) file that conforms to HMRC SET’s TLS key naming standards:
TLS Private Key Format                   Example
<Organisation>TLSPrivateKey.pem          RiverLakeCoTLSPrivateKey.pem
TLS CSR Format                           Example
<Organisation><SRN>LIVE<DDMMYY>.csr      RiverLakeCo111222333444LIVE150612.csr
SRN is your 12 Digit HMRC SET Reference Number
Generate “To” and “From” Certificate Signing Requests
(“To” and “From” keys required to encrypt/decrypt data)
Use Government standard certificate creation software to raise two 2048 bit Certificate Signing Request (CSR) files that conform to HMRC SET’s key naming standards:
Suggested “To” and “From” Private Key Format     Example
<Organisation>ToPrivateKey.pem                   RiverLakeCoToPrivateKey.pem
Encryption and Signing CSR Format                Example
<SRN>.to.<OrganisationURL>.pem                   111222333444.to.RiverLakeCo.co.uk.pem
<SRN>.from.<OrganisationURL>.pem                 111222333444.from.RiverLakeCo.co.uk.pem
Send the following Public CSR and pem files for signing
TLS CSR (e.g. Organisation111222333444LIVE150612.csr)              E-mail this to
“To” key CSR (e.g. 111222333444.to.RiverLakeCo.co.uk.pem)          Send this to your HMRC approved Certificate Authority.
“From” key CSR (e.g. 111222333444.from.RiverLakeCo.co.uk.pem)      Send this to your HMRC approved Certificate Authority.
Keep the following Private keys SECRET AND SECURE
TLS Private key (e.g. OrganisationTLSPrivateKey.pem)
Encryption Private key (e.g. OrganisationTOPrivateKey.pem)
Signing Private key (e.g. OrganisationFROMPrivateKey.pem)
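The Step 1 key and CSR generation, as an added example that is not part of the HMRC guide: it assumes OpenSSL as the certificate creation software (the guide names no tool), uses the guide's RiverLakeCo sample names, and checks each CSR's key size and common name before it is sent for signing. The passphrase, the e-mail address and the subject fields other than the common name are constructed values.

```shell
#!/usr/bin/env bash
# Added example. OpenSSL is an assumption: the guide does not name its
# "Government standard certificate creation software".
set -eu
umask 077   # new private key files are readable by their owner only

# Sample identity from the guide's RiverLakeCo examples.
ORG="RiverLakeCo"; SRN="111222333444"; ORG_URL="RiverLakeCo.co.uk"; DDMMYY="150612"

# Build <Organisation><SRN>LIVE<DDMMYY>; fail on an SRN that is not 12 digits
# or a date that is not 6 digits.
set_common_name() {
    printf '%s' "$2" | grep -Eq '^[0-9]{12}$' || return 1
    printf '%s' "$3" | grep -Eq '^[0-9]{6}$'  || return 1
    printf '%s%sLIVE%s' "$1" "$2" "$3"
}

# make_csr BITS KEYFILE CSRFILE COMMON_NAME
# The key is encrypted with the passphrase in $SET_KEY_PASS, passed through the
# environment so that it never appears on the command line.
make_csr() {
    openssl req -new -newkey "rsa:$1" -keyout "$2" -out "$3" \
        -passout env:SET_KEY_PASS \
        -subj "/C=GB/ST=Constructed/L=Constructed/O=$ORG/OU=IT/CN=$4/emailAddress=set-admin@example.invalid"
}

csr_key_bits() {      # RSA modulus size recorded in the CSR
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

csr_common_name() {   # commonName field of the CSR subject
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

key_is_encrypted() {  # true if the PEM file holds a passphrase-protected key
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# check_csr CSRFILE BITS COMMON_NAME: succeed only if both values match.
check_csr() {
    [ "$(csr_key_bits "$1")" = "$2" ] && [ "$(csr_common_name "$1")" = "$3" ]
}

OUT_DIR=$(mktemp -d)
export SET_KEY_PASS="constructed-demo-passphrase"   # constructed; never hard-code a real one
CN=$(set_common_name "$ORG" "$SRN" "$DDMMYY")
TLS_CSR="$OUT_DIR/$CN.csr"
TO_CSR="$OUT_DIR/$SRN.to.$ORG_URL.pem"
FROM_CSR="$OUT_DIR/$SRN.from.$ORG_URL.pem"

make_csr 4096 "$OUT_DIR/${ORG}TLSPrivateKey.pem"  "$TLS_CSR"  "$CN"
make_csr 2048 "$OUT_DIR/${ORG}ToPrivateKey.pem"   "$TO_CSR"   "$CN"
make_csr 2048 "$OUT_DIR/${ORG}FromPrivateKey.pem" "$FROM_CSR" "$CN"

check_csr "$TLS_CSR"  4096 "$CN" && echo "TLS CSR ok:  $TLS_CSR"
check_csr "$TO_CSR"   2048 "$CN" && echo "To CSR ok:   $TO_CSR"
check_csr "$FROM_CSR" 2048 "$CN" && echo "From CSR ok: $FROM_CSR"
for k in "$OUT_DIR"/*PrivateKey.pem; do
    key_is_encrypted "$k" && echo "encrypted, keep secret: $k"
done
```

Only the three CSR files leave the machine; the three `*PrivateKey.pem` files stay in a directory that only the key owner can read.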
Step 2 – Install TLS certificate and install Government Gateway Root certificate
Generate the TLS Certificate
(on receipt of the signed TLS CSR and Government Gateway’s Root certificate, both issued by the HMRC SET Customer Management Team).
• Rename the Root certificate from “GatewayProductionRootCertificate.txt” to “GatewayProductionRootCertificate.cer”.
• Use Government standard certificate creation software to reformat and rename the signed CSR from “.txt” to “.pem”.
• Use Government standard certificate creation software to merge the reformatted TLS CSR (.pem), the renamed GatewayProductionRootCertificate (.cer) and your TLS Private key (.pem) into a full “.p12” format TLS certificate.
TLS Certificate Format                   Example
<Organisation>TLSCertificate.p12         RiverLakeCoTLSCertificate.p12
Install the TLS and Gateway Production Root Certificates
Install the TLS certificate (.p12) and Gateway Root certificate (.cer) into each Internet browser and profile. This needs to be done for each user who intends to use the HMRC SET service.
Step 3 – Register and enrol on the HMRC SET service
Register on the Government Gateway website (GGW)
To register with the Government Gateway and enrol on the HMRC SET service, open your Internet browser and navigate to www.gateway.gov.uk. Under “Organisations”, click on the “Register as an Organisation” link. As an organisation you will be presented with two options. Select “Register” (without digital certificate) and enter the following details:
First Name(s)    <Organisation>
Surname          UK or <other Country Designation>
E-mail           <E-mail Address> (this can be an individual or group mail box).
NB: Please note all administrative messages from the Government Gateway (e.g. password resets) will be sent to this e-mail address which will need to be actively monitored.
Enter a password which will be used each time a user logs onto the Government Gateway. Your password must:
• contain 8-12 alphanumeric characters
• not contain the word ‘password’
Leave the “Additional Information” box blank and click “Submit”.
Your unique 12 digit Government Gateway User ID will be displayed on the next screen. This will be needed together with your password to log onto the Government Gateway.
Keep these details secure and inform all intended users of the service so that in the event of absence, another user may log on to the Gateway.
Enrol on HMRC SET service
Contact the HMRC SET Customer Management Team (contact details on page 1) to obtain your HMRC SET service Activation Code.
Enter your HMRC SET Reference Number and Activation Code, followed by agreeing to the terms and conditions and clicking “Next”, to activate your Government Gateway account.
Configure HMRC SET Preferences
Your HMRC SET account only becomes active when you enter your e-mail address and message preferences on the HMRC SET Preferences web page. Once you are logged into the HMRC SET service you may update your e-mail address from the navigation bar on the left hand side of the web page, under “Preferences”.
NB: Please note all Secure Data Transfer notifications from the Government Gateway (e.g. File Stored, Deleted, Processed) will be sent to this e-mail address which will need to be actively monitored.
Step 4 – Create and import the private and public (encryption and signing) key pairs
Create your Private encryption key pair
(on receipt of the signed CSRs and Root certificate(s) from the HMRC approved Certificate Authority)
• Create the encryption “To” key by merging the signed “To” CSR, Root certificate(s) and Private “To” key (using Government standard certificate software).
• Create the signing “From” key by merging the signed “From” CSR, Root certificate(s) and Private “From” key (using Government standard certificate software).
Encryption Key Format            Example
<SRN>.To.CompanyURL.p12          111222333444.To.RiverLakeCo.co.uk.p12
<SRN>.From.CompanyURL.p12        111222333444.From.RiverLakeCo.co.uk.p12
Import the merged encryption key pair
Import your merged encryption “To” and signing “From” keys created above into Government standard encryption software. These are your Private encryption keys.
DO NOT E-MAIL YOUR PRIVATE KEYS AS THIS WILL INVALIDATE THEM.
Send your signed public certificates to HMRC SET Customer Management Team
Email the signed public certificates that were received from the CA to [email protected]
Rename the HMRC Public key pair
Rename the following keys received from the HMRC SET Customer Management Team:
100100100100.to.hmrc.gov.uk.txt      “To” Public key (rename the key from “.txt” format to “.asc” format).
100100100100.from.hmrc.gov.uk.txt    “From” Public key (rename the key from “.txt” format to “.asc” format).
Import the HMRC Public key pair
Following renaming, import the following keys into your Government standard encryption software:
100100100100.to.hmrc.gov.uk.asc
100100100100.from.hmrc.gov.uk.asc
Step 5 – Test the HMRC SET connection and encryption keys
Encrypt and Send the test file provided in the HMRC SET information pack (sending an outbound test file)
For details on how to encrypt a test file please refer to the document “How to use HMRC SET using PGP™ Desktop” – pages 3-5, “Encrypt a file to send to HMRC”.
Once the test file has been encrypted please refer to the document “How to use HMRC SET using PGP™ Desktop” – pages 6-8, “Upload files to the Government Gateway”.
When the test file has been sent you will receive 3 e-mail notifications. For details on these please refer to the document “How to use HMRC SET using PGP™ Desktop”, page 9, “E-mail notifications (File uploaded)”.
Receive and Decrypt the test file from HMRC SET (receiving an inbound test file)
When a test file has been sent you will receive an e-mail notification advising a file is awaiting retrieval. For details on this please refer to the document “How to use HMRC SET using PGP™ Desktop”, pages 9-13, “Download files from the Government Gateway”.
For details on how to decrypt a test file please refer to the document “How to use HMRC SET using PGP™ Desktop” – pages 13-17, “Decrypt downloaded files”.
Notify HMRC SET Customer Management Team of successful download
Once the test file has been decrypted please refer to the document “How to use HMRC SET using PGP™ Desktop” – pages 17-18, “Confirm decrypted files”.
HMRC SET key renewal
Encryption key renewal process overview
Approximately one month before your current encryption keys are due to expire, you should invoke the renewal process detailed below.
The renewal process
For details on how to renew your keys please follow Step 1, page 6 “Generate Certificate Signing Requests and submit for signing”.
When you receive your Signed Certificate Signing Request files from your HMRC approved CA please refer to Step 4, pages 8-9 “Create and import the private and public (encryption and signing) key pairs”.
Once the keys have been renewed and installed, and the signed public certificates have been sent to the HMRC SET Customer Management Team, liaise with the HMRC SET Customer Management Team to arrange testing of your new keys as per Step 5, page 9 “Test the HMRC SET connection and encryption keys”.
Important notes
• HMRC require certificates to meet the following criteria:
    • Of type RSA x509 v3 using SHA1 signature algorithms.
    • A size of 2048 bits (or 4096 bits for a TLS).
    • RFC4880 compliant (for example PGP™ Encryption Standard).
• Certificate validity periods are at your organisation’s discretion.
• The certificates must be signed (authenticated) by an HMRC approved CA (the HMRC SET Customer Management Team can advise of acceptable CAs).
• Retain certificate and export passwords for future use, as they are unrecoverable if lost.
• Never open or overwrite a certificate as this can corrupt it. Copy and paste such files, or right click on them and save.
• Keep Private keys secret and secure (compromised keys have to be replaced).
Step 6 – Complete and return file transfer schedule
When test files have been successfully exchanged you will need to complete and submit a File Transfer Schedule provided by the HMRC SET Customer Management Team. This reflects the files you wish to exchange via HMRC SET. The File Transfer Schedule includes an examples tab which has been provided to assist completion of the document.
When this schedule has been completed please submit it to the HMRC SET Customer Management Team via e-mail. Please await confirmation that HMRC have approved your completed File Transfer Schedule before submitting any live files.
Start submitting and receiving live files
Once approval has been confirmed by the HMRC SET Customer Management Team your HMRC SET installation is complete and you may start exchanging files via the Government Gateway.
Glossary
Term or abbreviation: Description
Certificate (digital security certificate): Small electronic file of mathematical ciphers (HMRC SET uses these for encryption, signing and identity authentication)
Decryption: The action of converting encrypted data back into its original form
Encryption: The action of transforming data into an unreadable state (requiring the correct key to decrypt it)
Encryption key: “To” keys in HMRC SET terminology use a Public half to encrypt data and a corresponding Private half to decrypt data
Encryption software: HMRC SET uses applications capable of applying Public and Private keys to files in order to encrypt and decrypt them
File Transfer Schedule: A spread sheet HMRC SET Users complete to obtain HMRC’s pre-approval for the data transfers (returns)
From key: HMRC SET terminology for a signing key that proves the identity of an encrypted file’s sender
Government Gateway (GGW): The generic Government website (www.gateway.gov.uk) that hosts the HMRC SET service
HMRC: Her Majesty’s Revenue & Customs
HMRC SET: HMRC’s Secure Electronic Transfer (SET) service – enables users of HMRC SET to transfer encrypted files between their organisation and HMRC
HMRC SET Customer Management Team: Dedicated team who provide help and assistance to HMRC SET service users ([email protected])
HMRC SET Preferences: User configured parameters (e-mail address) required before HMRC SET can route a customer’s file transfers
HMRC SET Reference Number (SRN): Unique 12 digit identifying number issued to HMRC SET Customers by the HMRC SET Customer Management Team
HMRC SET website: Web pages hosted on the GGW that enable HMRC SET customers to send and receive files securely
Internet browser: Software application used to access web pages on the Internet (such as Microsoft Internet Explorer)
Key: Digital security certificates, often referred to as keys
P12, PEM, ASC, PGP™ and TXT: File extensions associated with digital security certificates. Many files are renamed “.txt” to allow them to be e-mailed
Passphrase: Free text Passphrase/Password created by your organisation’s IT administrator
PGP™: A cryptography tool, capable of encryption and decryption; to protect data against unauthorised access
Public Private key pair: One way encryption in which data encrypted by a Public key can only be decrypted by the corresponding Private key
Signing key: “From” keys in HMRC SET terminology use a Private half to sign data and are verified with the corresponding Public half
TLS (Transport Layer Security): A certificate protocol used to create secure data tunnels over insecure networks such as the Internet
To key: HMRC SET terminology for an encryption key used to encrypt and decrypt data