FRCC Secure Data Transfer
Table of Contents
I. Introduction
II. Part 1 - Software Installation
III. Part 2 - Creating Your PKI Certificate
IV. Part 3 - Importing FRCC Public Key Certificate
V. Part 4 - Validate & Certify FRCC Key Certificate
VI. Part 5 - Evidence Upload File Naming Convention
VII. Part 6 - Transferring the Evidence to FRCC
Introduction
The FRCC entity secure transfer site relies on strong encryption: evidence in transit is encrypted with a Public Key Infrastructure (PKI) RSA-2048 public key provided by FRCC, and data in storage is encrypted using BitLocker with 256-bit Advanced Encryption Standard (AES).
Once authenticated to the FRCC transfer site (https://securetransfer.frcc.com), entities are offered two distinct folders labeled SecureWorking (SW) and SecureVault (SV) in which to deposit their evidence. SW is used for all sensitive evidence (about 90% of deposits); SV is used by those entities that consider some of their CIP data most sensitive (the remaining 10%, usually firewall configurations and un-redacted network diagrams). Because the SW and SV servers are identical and use the same encryption (PKI and AES), entities are encouraged to deposit everything in the SW folder.
Once an entity deposits the encrypted evidence package, the system transfers the package to the back-end servers (SW or SV). The entity's encryption process hashes the package, and the entity's signature over it (Part 1 installs the Gpg4win components used to both sign and encrypt) is what gives FRCC non-repudiation of who produced the package; a hash on its own only detects tampering. The main difference with SV is that its evidence can only be viewed internally by FRCC via Microsoft's Remote Desktop Protocol (RDP), using RDP's built-in 128-bit encryption, and only from the FRCC Compliance trusted local area network; per policy no external remote access is allowed and no local copies may be left in circulation.
The process in this document guides an entity through installing the Microsoft Windows software Gpg4win, then creating its own public and private key pair. The next step is to import the FRCC public key that will be used to encrypt the evidence package before it is uploaded to the secure transfer site (https://securetransfer.frcc.com). At that point the entity must validate and certify the FRCC key before using it to encrypt the evidence package.
The procedure ends by walking the entity through the naming convention used for uploads. The file names allow FRCC's data/evidence handling to be automated. If a file name does not follow the proper naming convention, FRCC will not accept the evidence and it must be resubmitted. FRCC has developed a tool to help entities apply the naming convention; the same tool can be used to track one or more subsequent uploads. The final step in the process is for the entity to log on to the secure transfer site and select the appropriate transfer folder.
For any questions about this process, please email [email protected].
Remember that your one-stop website for all secure file transfer information is located at https://www.frcc.com/Compliance/SecureTransferInfo/SitePages/Home.aspx.
Part 1 - Software Installation
About: Gpg4win enables users to securely transport files with the help of encryption and digital signatures. Encryption protects the contents against an unwanted party reading it.

1. First ensure that programs (open windows) executing on your computer are shut down.

2. Download the Software: Download the latest version of Gpg4win via this link: http://www.gpg4win.org/
Before running the installer, check its integrity against the checksum or OpenPGP signature published on the Gpg4win download page. Every later step of this procedure depends on this software being genuine, so do not run an installer that fails that check.

3. Select Language: The installation assistant will start and ask for the language to be used. Select “English” and click the [OK] button.

4. Welcome: A welcome dialog box, “Welcome to the installation of Gpg4win”, will appear next. Click the [Next >] button.

5. License Agreement: The next dialog displays the licensing agreement. Read the license if you wish, otherwise click the [Next >] button.

6. Select Components to Install: The next dialog contains the selection of components you wish to install. A default selection is already made for you. However, the only components necessary to sign and encrypt the data are GnuPG, Kleopatra, GpgEX and the Gpg4win Compendium, as illustrated below. Select them, then click the [Next >] button.
GnuPG: the GNU Privacy Guard main program
Kleopatra: the key manager for OpenPGP and X.509 certificates
GpgEX: the GnuPG shell extension

7. Installation Location: The next step will suggest a target folder for the installation, such as C:\Program Files\GNU\GnuPG. Accept the suggestion and click the [Next >] button.

8. Install Options: The next step will display “Installation Options”, that is, links to the “Start Menu”, “Desktop” and “Quick Launch Bar”. Select your choices or accept the default “Start Menu” and click the [Next >] button.

9. Choose Start Menu Folder: Select the Start menu folder in which you would like to create the program's shortcuts. Accept the default name and click the [Next >] button.

10. Installation Process: During the installation process you will see a progress bar and information on which file is currently being installed. You can press the [Show details] button at any time to show the installation log. Once the installation has completed, click the [Finish] button. In some cases you may instead see a dialog asking you to restart Windows; if you see this window, click its [Finish] button.

This will be a good time to read the README file, which contains up-to-date information on the Gpg4win version that has just been installed. After these steps, you are ready to work with the program. Proceed to Part 2, “Creating Your PKI Certificate”.
Part 2 - Creating Your PKI Certificate
1. Creating the Key Pair: Create your key pair certificate in Kleopatra by selecting “File” then “New Certificate” from the menu.

2. Choose Certificate Format: Select “Create a personal OpenPGP key pair” and

3. Enter Details: Enter personal details such as “Name” and “Email”, select the [Next] button and then select the [Create Key] button.
When entering your passphrase (or password), make it strong: at least 14 characters mixing upper case, lower case, numbers and special characters. Most important, safeguard and protect the private key. If the key is ever compromised, revoke it and generate a new one by following the steps in Part 2.

4. Key Pair Successfully Created: When the key pair creation is successful, you will see the following dialog box. Select the [Finish] button.

Now that you have successfully created your certificate, we recommend that you back up your public and private keys.
Part 3 - Importing FRCC Public Key Certificate
1. You must import the FRCC public key used to encrypt your evidence. Follow this link:
https://www.frcc.com/Compliance/PKIR/Sitepages/Home.aspx
Access the Key Repository and download the key; you will find two files in the folder. The key is labeled “FRCC Compliance Public Live”. Save the file in a location from which you can import it in the next step using Kleopatra.

2. To import the FRCC public key you just downloaded, open the Kleopatra application, select File, then select Import Certificates, and import the public key. Importing only places the key in your keyring; it is not trusted for encrypting evidence until you validate and certify it in Part 4.
Part 4 - Validate & Certify FRCC Key Certificate
1. To validate, trust and certify the FRCC public key, open Kleopatra and click on the “Other Certificates” tab.

2. Change owner trust by selecting “I believe checks are very accurate” and press the [OK] button.

3. Check the box next to “Compliance Manager” and select “I have verified the fingerprint.” Only do this after you have actually compared the fingerprint Kleopatra shows for the key with the value FRCC publishes or confirms to you through a channel other than the download itself (for example your FRCC point of contact). If the fingerprints differ, stop and contact FRCC rather than certifying the key. Then select the [Next] button.

4. Use the default settings, select “Certify only for myself” and press the [Certify] button.

5. You will be prompted for your passphrase or password. Certification will show successful. Click the [Finish] button.
We recommend you consider performing a backup of your public/private keys. Remember to limit access to the private key by saving it in a secure location.
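As an added example (not FRCC's tool and not the Kleopatra screens above), the following script performs the same steps as Parts 2 to 4 through gpg's command line, then signs and encrypts a package as it would be prepared for upload in Part 6, and finally plays the FRCC side by decrypting it and checking the signature. It assumes gpg (gpg.exe shipped with Gpg4win, or GnuPG 2.1 or later elsewhere) is on the PATH. Everything runs in throwaway keyrings; the “FRCC” key is a locally generated stand-in so the exchange can be exercised offline, and the e-mail addresses, the unprotected demo keys and the package file name are assumptions. In real use the expected fingerprint comes from FRCC, never from your own keyring.

```python
import os
import shutil
import subprocess
import tempfile

GPG = "gpg"  # assumed on PATH: gpg.exe from Gpg4win, or GnuPG 2.1+ elsewhere


def gpg_available():
    return shutil.which(GPG) is not None


def gpg(home, *args, stdin=None):
    """Run gpg non-interactively against an isolated keyring directory."""
    cmd = [GPG, "--homedir", home, "--batch", "--no-tty", "--yes",
           "--pinentry-mode", "loopback", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, check=True).stdout


def generate_key(home, name, email):
    """Batch key generation (Part 2).  %no-protection is for this throwaway
    demo only: a real entity key must carry a strong passphrase (Part 2, step 3)."""
    params = ("%no-protection\nKey-Type: RSA\nKey-Length: 2048\n"
              "Subkey-Type: RSA\nSubkey-Length: 2048\n"
              f"Name-Real: {name}\nName-Email: {email}\nExpire-Date: 0\n%commit\n")
    gpg(home, "--gen-key", stdin=params.encode())


def fingerprint(home, email):
    """Primary-key fingerprint from the machine-readable listing: the first
    'fpr' record (right after 'pub') carries it in field 10."""
    for line in gpg(home, "--with-colons", "--fingerprint", email).decode().splitlines():
        fields = line.split(":")
        if fields[0] == "fpr":
            return fields[9]
    raise LookupError(f"no key for {email}")


def run_demo(evidence=b"constructed evidence package\n"):
    work = tempfile.mkdtemp()
    ent, frcc = os.path.join(work, "entity"), os.path.join(work, "frcc")
    for home in (ent, frcc):
        os.mkdir(home, 0o700)                       # gpg warns on looser permissions
    try:
        generate_key(ent, "Example Entity", "cip@entity.example")     # assumed identity
        generate_key(frcc, "FRCC Compliance Public Live", "compliance@frcc.example")  # stand-in
        frcc_pub = gpg(frcc, "--armor", "--export", "compliance@frcc.example")
        gpg(ent, "--import", stdin=frcc_pub)        # Part 3: import the downloaded key
        # Part 4: certify only after the fingerprint matches the value confirmed
        # with FRCC out of band (here read from the stand-in keyring instead).
        expected = fingerprint(frcc, "compliance@frcc.example")
        got = fingerprint(ent, "compliance@frcc.example")
        if got != expected:
            raise RuntimeError("fingerprint mismatch: do not certify this key")
        gpg(ent, "--quick-lsign-key", got)          # "Certify only for myself"
        gpg(ent, "--import-ownertrust", stdin=f"{got}:5:\n".encode())  # "checks are very accurate"
        # Sign and encrypt the package to FRCC's key (file name layout assumed).
        pkg = os.path.join(work, "ABC_CIP_20160502.001.gpg")
        gpg(ent, "--local-user", "cip@entity.example", "--recipient", got,
            "--sign", "--encrypt", "--output", pkg, stdin=evidence)
        # FRCC side: decrypt and verify the signature against the entity's public key.
        gpg(frcc, "--import", stdin=gpg(ent, "--armor", "--export", "cip@entity.example"))
        plain = os.path.join(work, "evidence.txt")
        status = gpg(frcc, "--status-fd", "1", "--output", plain, "--decrypt", pkg)
        with open(plain, "rb") as fh:
            recovered = fh.read()
        return {"good_signature": b"GOODSIG" in status and b"DECRYPTION_OKAY" in status,
                "plaintext_matches": recovered == evidence}
    finally:
        for home in (ent, frcc):                    # stop the agents gpg started for us
            try:
                subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                               capture_output=True)
            except OSError:
                pass
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo() if gpg_available() else "gpg not found on PATH")
```

The fingerprint comparison before `--quick-lsign-key` is the step that matters: a key downloaded from a web page proves nothing by itself, and once it is locally signed by your ultimately trusted key gpg will encrypt to it without further questions, so the out-of-band check is the only thing standing between you and encrypting evidence to a substituted key. Ownertrust 5 corresponds to Kleopatra's “I believe checks are very accurate”.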
Part 5 - Evidence Upload File Naming Convention
1. File names allow for automation of FRCC data/evidence handling. If the file name does not follow the proper naming convention, the upload software will not accept the evidence and it must be resubmitted. See the illustration below for the format of the File Naming Convention:
The naming convention starts with the 3-5 character acronym that identifies the entity, followed by the evidence type (see list below), then the date the activity is officially taking place (for example, for an audit, enter the audit onsite start date), and ends with the package number (such as .001 for a first-time evidence upload).

Evidence Types:
CIP - Evidence for a CIP Audit or Spot-check.
ONP - Evidence for an O&P Audit or Spot-check.
ENF - Evidence for an enforcement-related activity.
TFE - Evidence for any TFE being evaluated.
RAM - Evidence for a RAM-related activity.
DTR - Evidence for a data request related activity such as self-certifications, self-reports, or ad-hoc requests.

Date of Activity for Evidence Types:
For an onsite audit/spot-check (“ONP” or “CIP”), use the start date of the onsite audit/spot-check. The same date is to be used for all of the data requests pertaining to that audit/spot-check. For an Enforcement (“ENF”) related activity, the date will be determined by the FRCC Enforcement point of contact and is to be used for the duration of the enforcement-related activity.
For “TFE” uploads, use the date the TFE was submitted via the CTS portal, or contact your Audit Team Lead (ATL).
For “RAM” uploads, use the date established by the FRCC RAM point of contact; it is to be used for the duration of the RAM-related activity.
For “DTR” uploads, use the date established by the FRCC Staff point of contact; it is to be used for the duration of the data request activity.

2. A file name calculator tool has been created to help entities with the naming convention, together with a checklist to be used during the evidence upload activity. Typically during an audit (CIP or O&P) multiple files are uploaded; the entity can use this tool to follow and track each upload. Below is an example of the tool:
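As an added example, not FRCC's file name calculator, the following validator and builder encodes the rules stated in this part: a 3-5 character entity acronym, one of the six evidence types, the activity date, and a package number starting at .001 that increases with each subsequent upload of the same activity. The page fixes the order of these components, but the separators and the date layout are in an illustration not reproduced here, so the ENTITY_TYPE_YYYYMMDD.NNN layout used below is an assumption: adjust NAME_RE and build_name to match FRCC's illustration before relying on it. Pass the base name without the encryption tool's own extension.

```python
import re
from datetime import date

# Evidence types from Part 5 and which date each one carries.
EVIDENCE_TYPES = {
    "CIP": "CIP audit or spot-check (onsite start date)",
    "ONP": "O&P audit or spot-check (onsite start date)",
    "ENF": "enforcement activity (date set by the FRCC Enforcement point of contact)",
    "TFE": "TFE under evaluation (date the TFE was submitted via the CTS portal)",
    "RAM": "RAM activity (date set by the FRCC RAM point of contact)",
    "DTR": "data request (date set by the FRCC Staff point of contact)",
}

# Assumed layout, e.g. ABC_CIP_20160502.001: separators and date format are
# not given on the page and must be matched to FRCC's illustration.
NAME_RE = re.compile(
    r"^(?P<entity>[A-Z]{3,5})_(?P<etype>[A-Z]{3})_(?P<ymd>\d{8})\.(?P<pkg>\d{3})$")


def parse_name(name):
    """Split a package name into its parts; ValueError carries the reason a
    name would be rejected (non-conforming names are refused at upload)."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"{name!r}: expected ENTITY_TYPE_YYYYMMDD.NNN")
    etype = m["etype"]
    if etype not in EVIDENCE_TYPES:
        raise ValueError(f"{name!r}: unknown evidence type {etype}")
    ymd = m["ymd"]
    try:
        activity = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
    except ValueError as exc:
        raise ValueError(f"{name!r}: bad activity date {ymd}") from exc
    package = int(m["pkg"])
    if package == 0:
        raise ValueError(f"{name!r}: package numbers start at .001")
    return {"entity": m["entity"], "evidence_type": etype,
            "activity_date": activity, "package": package}


def build_name(entity, etype, activity_date, package=1):
    """Build a conforming name; it is re-parsed so bad input fails here, not at upload."""
    name = f"{entity.upper()}_{etype.upper()}_{activity_date:%Y%m%d}.{package:03d}"
    parse_name(name)
    return name


def next_package(name):
    """Name for the next upload of the same activity (the tracking FRCC's tool offers)."""
    p = parse_name(name)
    return build_name(p["entity"], p["evidence_type"], p["activity_date"], p["package"] + 1)


def check_batch(names):
    """Check the uploads for one activity: every name must parse, all must share
    entity, type and date (one date per audit/spot-check), and the package
    numbers must run .001, .002, ... with no gaps or repeats.  Returns problems."""
    problems, parsed = [], []
    for n in names:
        try:
            parsed.append(parse_name(n))
        except ValueError as exc:
            problems.append(str(exc))
    keys = {(p["entity"], p["evidence_type"], p["activity_date"]) for p in parsed}
    if len(keys) > 1:
        problems.append("uploads for one activity must share entity, type and date")
    got = sorted(p["package"] for p in parsed)
    if got != list(range(1, len(got) + 1)):
        problems.append(f"package numbers must be consecutive from .001, got {got}")
    return problems


if __name__ == "__main__":
    first = build_name("ABC", "CIP", date(2016, 5, 2))      # constructed sample
    print(first, next_package(first), check_batch([first, next_package(first)]))
```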
Part 6 - Transferring the Evidence to FRCC
1. Go to the FRCC secure transfer site https://securetransfer.frcc.com or via the FRCC web portal https://www.frcc.com/Compliance/SecureTransferInfo/SitePages/Home.aspx

2. Log on using the FRCC website user ID and password granted to you. Otherwise

3. After the logon process, you will receive a “Welcome Message”.
You may receive a “Java” security warning message. Confirm that the warning names the FRCC transfer site before accepting it; then select the box that says “Do not show this again for this app and web site” and select the [Allow] button.

4. After the logon process, you will see three folders: “XYZ File Area”, where XYZ is the acronym of your entity identifier, “SecureVault” and “SecureWorking”.
The “File Area” folder is for FRCC to share or provide information or documents to entities. Files in this area are deleted after 10 days. DO NOT UPLOAD FILES TO THIS FOLDER!
For evidence upload, FRCC offers entities two distinct folders labeled SecureWorking (SW) and SecureVault (SV) in which to deposit their evidence.
Evidence deposited in SW is used for all sensitive evidence; SV is used by those entities that consider some of their CIP data most sensitive (usually 10%, typically firewall configurations and un-redacted network diagrams).
Revision History
Version Date Editor Description
V1.0 5/2/2016 C. Valiente Creation of user guide.