Westpac iLink SFTP Cryptographic Change

Important Change Information for Westpac iLink SFTP Customers

IMPORTANT: This notice applies only to Westpac iLink clients that connect to our SFTP server for connectivity.

Security of your data and the data of your customers is critically important to us. Some ciphers that we currently support for SFTP transfers are now considered insecure. We will remove support for these soon so we can continue to protect your data. For some clients, this change will have no impact if you are already using more secure ciphers. However, other clients will need to make a change, as listed in this notice, to ensure uninterrupted service. We recommend that all clients test and confirm that their SFTP connection will continue to operate before the Production cutover date.

This change is impacting you since you are using an SFTP iLink solution linked to the following environments:

The following cryptographic settings will be disabled on our SFTP server:

  • All SHA1 hashing (used for known host key validation).

  • All CBC ciphers (used for tunnel encryption).

To continue connecting to the service, your SFTP client MUST:

  • Not rely exclusively on either of the following cryptography standards:

    • SHA1 hashing for key exchange, OR

    • CBC ciphers for encryption.

  • Offer encryption technologies compatible with our SFTP server solution currently in place in the Test/Support environment.

If you do not take this step, your connectivity to our SFTP server will fail, leading to a failure in file transfer that will require manual intervention by your IT and Finance staff.

When will this change take place?

The change is scheduled for the following dates:

We encourage you to perform UAT testing in the Test/Support environment as soon as possible to ensure your SFTP client is compatible with the cryptography options available in this environment.

What hashing and ciphers will we support after the cutover date?

PORT 22/tcp ssh2-enum-algos:

key_exchange_algorithms (10)
    curve25519-sha256
    curve25519-sha256@libssh.org
    ecdh-sha2-nistp256
    ecdh-sha2-nistp384
    ecdh-sha2-nistp521
    diffie-hellman-gex-sha256
    diffie-hellman-group14-sha256
    diffie-hellman-group15-sha512
    diffie-hellman-group16-sha512
    ext-info-s
server_host_key_algorithms (2)
    rsa-sha2-512
    rsa-sha2-256
encryption_algorithms (5)
    aes256-gcm@openssh.com
    aes128-gcm@openssh.com
    aes256-ctr
    aes192-ctr
    aes128-ctr
mac_algorithms (1)
    hmac-sha2-256
compression_algorithms (2)
    zlib
    none

In summary:

  • Key exchange algorithms: SHA2(SHA256), SHA512

  • Server host key algorithms: SHA2(SHA256), SHA512

  • Encryption algorithms: aes128-gcm, aes256-gcm, aes128-ctr, aes192-ctr, aes256-ctr

  • Mac algorithms: SHA2(SHA256)
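The script below is an added example and is not part of this notice or of Westpac/Qvalent tooling. It checks whether an SFTP client has at least one algorithm in common with the post-cutover server in each of the four categories (key exchange, host key, cipher, MAC), which is the condition for the SSH handshake to succeed. The server lists are copied from the listing above, with two assumptions: the notice's `diffie-hellman-gex-sha256` is taken to be the standard name `diffie-hellman-group-exchange-sha256`, and `ext-info-s` is left out because it is an extension signal rather than a key exchange method. With `--local` it reads the effective algorithm lists of the installed OpenSSH client via `ssh -G` (OpenSSH 6.8 and later); the functions also accept lists typed in from another vendor's documentation.

```shell
#!/usr/bin/env bash
# Added example, not from the Westpac/Qvalent notice: does an SFTP client share at
# least one algorithm with the hardened server in every category?
set -u

# Post-cutover server algorithms, copied from the ssh2-enum-algos listing in the notice.
# Assumption: the notice's "diffie-hellman-gex-sha256" is diffie-hellman-group-exchange-sha256.
# "ext-info-s" is an extension marker, not a key exchange method, so it is omitted.
SERVER_KEX="curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha256 diffie-hellman-group15-sha512 diffie-hellman-group16-sha512"
SERVER_HOSTKEY="rsa-sha2-512 rsa-sha2-256"
SERVER_CIPHERS="aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"
SERVER_MACS="hmac-sha2-256"

# overlap CATEGORY "server list" "client list"
# Prints the algorithms both sides support; returns 0 if there is at least one, 1 otherwise.
overlap() {
  category=$1; server=$2; client=$3; match=""
  for s in $server; do
    for c in $client; do
      [ "$s" = "$c" ] && match="$match $s"
    done
  done
  if [ -n "$match" ]; then
    printf 'OK   %-8s common:%s\n' "$category" "$match"
    return 0
  fi
  printf 'FAIL %-8s nothing in common; client offers: %s\n' "$category" "$client"
  return 1
}

# check_client "kex list" "host key list" "cipher list" "mac list"
# Returns 0 only when every category overlaps, i.e. the handshake with the hardened server can succeed.
check_client() {
  rc=0
  overlap kex     "$SERVER_KEX"     "$1" || rc=1
  overlap hostkey "$SERVER_HOSTKEY" "$2" || rc=1
  overlap cipher  "$SERVER_CIPHERS" "$3" || rc=1
  overlap mac     "$SERVER_MACS"    "$4" || rc=1
  return $rc
}

# effective OPTION HOST: the OpenSSH client's effective list for OPTION when connecting to HOST.
# `ssh -G` (OpenSSH 6.8+) prints the resolved configuration without connecting, so a
# restrictive ssh_config that drops SHA2 or AES-CTR/GCM algorithms is reflected here.
effective() {
  ssh -G "$2" | awk -v k="$1" '$1 == k { print $2 }' | tr ',' ' '
}

# Usage: bash check-algos.sh --local [host]   (host defaults to the Test/Support server)
if [ "${1:-}" = "--local" ]; then
  host=${2:-ssiw.support.qvalent.com}
  command -v ssh >/dev/null 2>&1 || { echo "ssh not found; check your vendor's documentation instead"; exit 2; }
  check_client "$(effective kexalgorithms "$host")" "$(effective hostkeyalgorithms "$host")" \
               "$(effective ciphers "$host")" "$(effective macs "$host")"
fi
```

A FAIL in any single category is enough to break the connection, which is why the notice says the client must not rely exclusively on SHA1 key exchange or CBC ciphers: a client that offers `aes128-ctr` next to `aes128-cbc` passes, one that offers only CBC ciphers does not.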

What must I do?

  1. Read this detailed change advice, and escalate to your technical team for review.

  2. Identify all SFTP client instances that interact with the SFTP server and take action to prepare for this change in advance. Note that older SFTP client software may not support SHA2(256) for MACing (as an example). You will need to check with your provider. If you use:

    1. a JSch based client < 0.2.0, or

    2. OpenSSH client < 7.2, or

    3. WinSCP < 5.20, or

    4. Maverick_Legacy < 1.7.17, or

    5. Paramiko < 2.9.2, or

    6. SSH-2.0-PuTTY_Release < 0.75,

you will need to upgrade, as these do not support SHA2. Other clients will need to be tested on a case-by-case basis.

  3. Ensure all SFTP client(s) do not rely exclusively on either of the following, consulting SFTP client vendor documentation and/or technical support:

    1. All SHA1 hashing for key exchange

    2. All CBC ciphers

  4. Are any keys changing? No keys are changing. Your SFTP client needs to support the above cryptography.

  5. Use the iLink SFTP (Qvalent) Test/Support environment to perform UAT testing to confirm there are no compatibility issues between your SFTP client and our hardened service offering.

  6. Resolve any issues by upgrading any required SFTP clients to support the latest industry-grade cryptography standards, and perform UAT testing against our Test/Support environment.

  7. Promote all changes to your Production environment before the Production change deadline.

  8. Understand and be prepared to instigate your iLink BCP solution in the event of any issues post-change. This includes how to manually transfer files from your finance applications into/from iLink in the event of an SFTP client connection failure.

How can I test my SFTP client is compatible with these changes?

I have a TEST SFTP account in the Qvalent support environment ssiw.support.qvalent.com

If you have a test SFTP account in the Qvalent support environment ssiw.support.qvalent.com, try to connect to it using your SFTP client. If you can connect and view your SFTP directory, your client supports the SHA2 and AES ciphers and is ready for the cutover.

If you fail to connect or receive an error similar to:

Couldn’t agree a host key algorithm (available rsa-sha2-512, rsa-sha2-256), then you need to upgrade your SFTP client to a newer version and repeat the test until you can connect successfully.

I do not have a TEST SFTP account in the Qvalent support environment ssiw.support.qvalent.com

Step 1

From the machine your SFTP client runs on, do a telnet test:

telnet ssiw.support.qvalent.com 22

If you see the message:

SSH-2.0-9.99 FlowSsh: Bitvise SSH Server (WinSSHD)

then your IP address is registered in our TEST environment and you can proceed to Step 2.

If you fail to connect, please contact our help desk (details below) and ask them to register your public IP address for the SFTP connectivity test in SUPPORT. Note that this must be the public address from which Qvalent will see your SFTP client on the internet, not a private address, i.e. addresses starting with 10.0.x.x, 172.16.x.x or 192.168.x.x. Repeat this until you have success.

Step 2

From your client connect to:

server: ssiw.support.qvalent.com

user/pass: contact the Qvalent help desk (details at bottom)

If your client supports SHA2 for host key exchange and AES ciphers, you will see a directory with the file success.txt in it. This means your client is fully compatible for the cutover date.

If you fail to connect or receive an error similar to:

Couldn’t agree a host key algorithm (available rsa-sha2-512, rsa-sha2-256), then you need to upgrade your SFTP client to a newer version and repeat the test until you can connect successfully.
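The script below is an added example, not part of this notice, that carries out Step 1 and Step 2 for an OpenSSH-based client. Step 1 reads the server's identification line over a plain TCP connection (bash's `/dev/tcp`, so no telnet binary is needed) and checks it is an SSH-2.0 banner. Step 2 starts `sftp` with the client pinned to the post-cutover algorithm set from this notice, so the session can only succeed if the client supports them; every name used is understood by OpenSSH 7.2 and later, and an older client will refuse the options with a `Bad SSH2 ...` error, which by itself shows it needs upgrading. The user name and password are the ones issued by the Qvalent help desk; the script name `sftp-probe.sh` is just a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the Westpac/Qvalent notice: Step 1 (banner check) and
# Step 2 (restricted sftp session) against the Test/Support environment.
# Requires bash for /dev/tcp; everything else is an OpenSSH client feature.
set -u

# banner_version BANNER: print the protocol version from an SSH identification line.
# Returns 0 for SSH-2.0, 1 for any other SSH-* banner, 2 if the line is not an SSH banner.
banner_version() {
  case "$1" in
    SSH-2.0-*) printf '%s\n' "${1#SSH-}" | cut -d- -f1; return 0 ;;
    SSH-*)     printf '%s\n' "${1#SSH-}" | cut -d- -f1; return 1 ;;
    *)         return 2 ;;
  esac
}

# ssh_banner HOST PORT: open a TCP connection and read the server's first line (Step 1).
# The SSH server speaks first, so nothing needs to be sent. Failure to connect usually
# means the source IP is not yet registered for the test environment.
ssh_banner() {
  line=""
  { exec 3<>"/dev/tcp/$1/$2"; } 2>/dev/null || return 1
  IFS= read -r -t 10 line <&3
  exec 3<&- 3>&-
  [ -n "$line" ] && printf '%s\n' "$line"
}

# sftp_probe USER HOST: Step 2 with the client pinned to the hardened algorithm set.
# Type `ls` at the sftp> prompt and look for success.txt; a "Couldn't agree ..." or
# "Bad SSH2 ..." message means the client must be upgraded.
sftp_probe() {
  sftp -o KexAlgorithms=curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256 \
       -o HostKeyAlgorithms=rsa-sha2-512,rsa-sha2-256 \
       -o Ciphers=aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr \
       -o MACs=hmac-sha2-256 \
       -o ConnectTimeout=15 \
       "$1@$2"
}

# Usage: bash sftp-probe.sh USER HOST   e.g. bash sftp-probe.sh myuser ssiw.support.qvalent.com
if [ $# -eq 2 ]; then
  banner=$(ssh_banner "$2" 22) || { echo "Step 1 failed: no TCP connection to $2:22; ask the help desk to register your public IP"; exit 1; }
  ver=$(banner_version "$banner") || { echo "Step 1 failed: unexpected banner: $banner"; exit 1; }
  echo "Step 1 ok: $banner (protocol $ver)"
  sftp_probe "$1" "$2"
fi
```

Pinning the algorithms on the client side is what makes this a meaningful test: a default OpenSSH configuration happily falls back to whatever the server offers, so a successful connection to a server that still accepts SHA1 and CBC proves nothing, whereas a successful session with these options proves the client can negotiate the hardened set.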

Common Issues

If the change preparation has not been successfully applied, an SFTP connection to the WIBS SFTP server will not succeed without manual administrative user intervention.
This may appear as any of the following errors, depending on your SFTP client software/application:

  • Login Failure

  • SSH/SFTP Handshake Failure

  • File Delivery Failure

If this error occurs you should perform the following:

  1. Confirm you are using fully updated SFTP client software which supports the latest cryptographic standards.

  2. Confirm that when using this software there are no connectivity issues between your UAT environment and our Test/Support environment.

  3. Confirm all changes required have been promoted to your Production SFTP client environments.

Frequently Asked Questions

What is SFTP?

SSH File Transfer Protocol (SFTP) is a secure file transfer protocol. Connections made using SFTP use SSH to provide secure transport for your files with Westpac.

Why is Westpac Changing Its SFTP Server Cryptography Standards?

The Payment Card Industry Security Standard Council has deemed that SHA1 and CBC cryptography standards are no longer secure for SFTP servers and hence Westpac must change our cryptography in line with these standards so we can continue to protect your data.

Do I need to send through a new Connectivity Change Request?

There is no requirement to send through a Connectivity Change Request in iLink for customers to take action on this change. This change should only affect the SFTP client software and not the network path.

Do I need to change my SSH or PGP keypairs for this change?

This change does not affect your SSH or PGP keypairs and there is no requirement for them to change as a part of this change.

Qvalent pushes files to our SFTP server. Do I need to change my SFTP server?

This change does not affect the pushing of files to the customer SFTP server.
Customers should ensure their SFTP servers are up to date with all security patches and use industry best-practice cryptography.
This change does however affect your SFTP client software for any files that you send to the Qvalent SFTP server hosts mentioned in the change notification using your SFTP client.

How do I evaluate whether my SFTP client software contains cryptography which is compatible with the changes Westpac is making?

Westpac advises customers to perform a full UAT test against our Test/Support environment to confirm this change will not cause any issues for your integrations.

What if my SFTP connection breaks?

Customers will be required to use iLink as a BCP option for the delivery of files between their financial systems and Westpac.
This will be communicated by our helpdesk to customers who are having issues with their connectivity. Our helpdesk will be on hand to assist, as a priority, customers who have issues instigating iLink BCP.
Westpac will be unable to roll this change back.

Can I be granted an extension for this change?

No, extensions cannot be granted for this change.
As this change affects the cryptography offered to all customers via our SFTP server service, all customers must be prepared for this change prior to the Production cutover date.

Will there be a way to continue using the old cryptographic standards?

No, the above-mentioned cryptographic functions will be disabled. There will be no way to reinstate these functions.

Yes, this change will apply to all SFTP customers that connect to the Westpac (Qvalent) SFTP servers. SHA1 and CBC ciphers are now considered insecure and support for them will be entirely removed for them on the Production cutover date.

Contact Us

Email ilink_support@qvalent.com or phone the Helpdesk team on 1300 726 370 between 7:00am and 7:00pm (AEST), Monday to Friday.

Disclaimer

These guidelines are general in nature and have been prepared without knowledge of the specific environment in which your systems operate. These guidelines are current at the time of writing, but may require update over time. Except where contrary to law, Westpac intends by this notice, to exclude liability for these guidelines and the information contained in them. While Westpac has made every effort to ensure these guidelines are free from error, Westpac does not warrant their accuracy, adequacy or completeness.