Further Information Regarding Westpac WIBS (Qvalent) Cryptography Change - May 2019


Change Preparation

Preparing WinSCP Client

Westpac urges customers to update to the latest version of WinSCP.
Customers should, however, consult the vendor documentation at https://winscp.net/eng/docs/start and perform a full UAT of the updated WinSCP version against the Westpac Test/Support SFTP server environment to ensure there are no issues with your integration with Westpac.
Note this information is general advice and may be different for your particular deployment of the WinSCP client.

Preparing OpenSSH SFTP Client

Westpac urges customers to perform system/software updates such that a fully patched and actively supported version of the OpenSSH SFTP client is being used by your server.

  • For customers who have installed OpenSSH from their Linux/Unix distribution vendor, please consult with your chosen Linux/Unix distribution vendor's documentation for OpenSSH.
  • For customers who have installed OpenSSH from the project website, please consult with https://www.openssh.com/releasenotes.html

Customers should perform a full UAT of the updated OpenSSH SFTP client version against the Westpac Test/Support SFTP server environment to ensure there are no issues with your integration with Westpac.
Note this information is general advice and may be different for your particular deployment of OpenSSH SFTP client.
 

Other SFTP Client Software Pre-Change Preparation Steps

If other SFTP client software is used, please consult your vendor/supplier documentation on how to update the cryptographic capabilities of your SFTP client software to the latest cryptographic standards.
Westpac is unable to provide support for third-party software (i.e. software not written by Westpac).
 

Common Issues 

If the change preparation has not been successfully applied, an SFTP connection to the WIBS SFTP server will not succeed without manual administrative user intervention.
This may appear as any of the following errors, depending on your SFTP client software/application:

  • Login Failure
  • SSH/SFTP Handshake Failure
  • File Delivery Failure

If any of these errors occurs, you should perform the following:

  1. Confirm you are using fully updated SFTP client software which supports the latest cryptographic standards
  2. Confirm that, when using this software, there are no connectivity issues between your UAT environment and our Test/Support environment
  3. Confirm all changes required have been promoted to your Production SFTP client environments. 

Frequently Asked Questions

Do I need to send through a new Connectivity Change Request?

There is no requirement to send through a Connectivity Change Request in iLink for customers to take action on this change. This change should only affect the SFTP client software and not the network path.

Do I need to change my SSH or PGP keypairs for this change?

This change does not affect your SSH or PGP keypairs and there is no requirement for them to change as a part of this change.

Qvalent pushes files to our SFTP server. Do I need to change my SFTP server? 

This change does not affect the pushing of files to customer SFTP servers.
Customers should ensure their SFTP servers are up to date with all security patches and using industry best practice cryptography.
This change does, however, affect your SFTP client software for any files that you send to the Qvalent SFTP server hosts mentioned in the change notification using your SFTP client.

I use SFTP client software which is not mentioned in the SFTP Installation Guide. What do I do to prepare for this change?

Westpac is unable to provide specific guidance for third-party client software not mentioned in our installation guide.
Please consult your SFTP client vendor documentation for more information.

How do I evaluate whether my SFTP client software contains cryptography which is compatible with the changes Westpac is making?

Westpac advises customers to perform a full UAT test against our Test/Support environment to confirm this change will not cause any issues for your integrations.

What specific cryptography options will Westpac support post this change?

The following is a list of the cryptography which Westpac will continue to support after this particular change. Algorithm names are given in shorthand; the exact identifiers offered by your client may differ (for example, "Curve25519" appears in OpenSSH as curve25519-sha256).

Key Exchange

  • Curve25519
  • ecdh-sha2 over secp256k1
  • ecdh-sha2 over nistp256
  • ecdh-sha2 over nistp384
  • ecdh-sha2 over nistp521
  • diffie-hellman-gex-sha256
  • diffie-hellman-gex-sha1
  • diffie-hellman-group15-sha512
  • diffie-hellman-group14-sha256
  • diffie-hellman-group14-sha1

Signature

  • Ed25519
  • ecdsa-sha2 over secp256k1
  • ecdsa-sha2 over nistp256
  • ecdsa-sha2 over nistp384
  • ecdsa-sha2 over nistp521
  • rsa-sha2-512
  • rsa-sha2-256
  • ssh-rsa
  • ssh-dss

Encryption

  • aes256-gcm
  • aes128-gcm
  • aes256-ctr
  • aes192-ctr
  • aes128-ctr
  • aes256-cbc
  • aes192-cbc
  • aes128-cbc

MAC

  • hmac-sha2-256
  • hmac-sha1
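
The two questions above ("How do I evaluate whether my SFTP client software contains compatible cryptography?" and "What specific cryptography options will Westpac support?") can be answered locally before a UAT run. The script below is an added example, not Westpac's or the OpenSSH project's code: it queries the algorithms the installed OpenSSH client offers (ssh -Q, available from OpenSSH 6.3) and intersects each category with Westpac's list. The OpenSSH identifiers in the WESTPAC_* variables are this example's mapping of the page's shorthand names and are an assumption; diffie-hellman-group15-sha512 and the secp256k1 variants are kept for completeness although OpenSSH does not implement them. Where your client offers both, prefer the Ed25519/ECDH/SHA-2 entries over ssh-dss and the sha1 variants, which the server still accepts but which are deprecated (OpenSSH disables ssh-dss by default since 7.0).

```shell
#!/bin/sh
# Added example (not from Westpac or OpenSSH): compare the algorithms the local
# OpenSSH client offers against the set Westpac lists as supported post-change.
# The OpenSSH identifiers below are an assumed mapping of the page's shorthand.

WESTPAC_KEX="curve25519-sha256 curve25519-sha256@libssh.org \
ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 \
diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha1 \
diffie-hellman-group15-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1"
WESTPAC_SIG="ssh-ed25519 ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 \
rsa-sha2-512 rsa-sha2-256 ssh-rsa ssh-dss"
WESTPAC_CIPHER="aes256-gcm@openssh.com aes128-gcm@openssh.com \
aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc"
WESTPAC_MAC="hmac-sha2-256 hmac-sha1"

# common_algs SERVER_LIST CLIENT_LIST -> prints the algorithms present in both,
# one per line, in server-list order. Both lists are whitespace separated.
common_algs() {
    _server="$1"; _client="$2"
    for _a in $_server; do
        for _c in $_client; do
            [ "$_a" = "$_c" ] && { echo "$_a"; break; }
        done
    done
}

# count_common SERVER_LIST CLIENT_LIST -> number of shared algorithms (0 if none)
count_common() {
    common_algs "$1" "$2" | wc -l | tr -d ' '
}

# check_category NAME SERVER_LIST CLIENT_LIST -> returns 0 when at least one
# algorithm overlaps, 1 otherwise. An empty intersection in any category means
# the SSH handshake cannot complete, which surfaces as the "handshake failure"
# or "login failure" symptoms described under Common Issues.
check_category() {
    _name="$1"; _n=$(count_common "$2" "$3")
    if [ "$_n" -eq 0 ]; then
        echo "FAIL: no $_name algorithm in common; the handshake will not complete"
        return 1
    fi
    echo "OK: $_n $_name algorithm(s) in common:"
    common_algs "$2" "$3" | sed 's/^/    /'
    return 0
}

# Query the installed client only when one is present. A client older than
# OpenSSH 6.3 does not understand -Q and will show every category as FAIL,
# which is itself a signal that it needs updating.
if command -v ssh >/dev/null 2>&1; then
    rc=0
    check_category "key exchange"       "$WESTPAC_KEX"    "$(ssh -Q kex)"    || rc=1
    check_category "host key signature" "$WESTPAC_SIG"    "$(ssh -Q key)"    || rc=1
    check_category "cipher"             "$WESTPAC_CIPHER" "$(ssh -Q cipher)" || rc=1
    check_category "MAC"                "$WESTPAC_MAC"    "$(ssh -Q mac)"    || rc=1
    [ "$rc" -eq 0 ] || echo "Update the OpenSSH client, then retest against the Westpac Test/Support host."
else
    echo "ssh not found; install or update the OpenSSH client first"
fi
```

This only proves the client could agree on something; it does not replace the UAT. To confirm what is actually negotiated, run the real transfer against the Test/Support host named in the change notification with verbose logging (for example `sftp -vv user@host`) and read the `debug1: kex:` lines, which report the selected key exchange, host key, cipher and MAC algorithms.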


What if my SFTP connection breaks?

Customers will be required to use iLink as a BCP (business continuity) option for the delivery of files between your financial systems and Westpac.
This will be communicated by our helpdesk to customers who are having issues with their connectivity. Our helpdesk will be on hand to assist, as a priority, customers who have issues invoking iLink BCP.
Westpac will be unable to roll this change back.

Can I be granted an extension for this change?

No, extensions cannot be granted for this change.
As this change affects the cryptography offered to all customers via our SFTP server service, all customers must be prepared for this change simultaneously for this change to occur.
If you are not ready for this change, you may need to prepare to change your SFTP client software, or prepare to invoke iLink BCP and plan how it will interact with your financial systems.

Will there be a way to continue using the old cryptographic standards?

No. The cryptographic functions being removed (those identified in the change notification, i.e. anything not in the supported list above) will be disabled, and there will be no way to reinstate them.

My WIBS solution does not involve credit card data and therefore is not subject to PCI-DSS. Does this change still apply to me?

Yes, this change will apply to all WIBS customers that connect to the Westpac (Qvalent) SFTP servers.

Disclaimer

These guidelines are general in nature and have been prepared without knowledge of the specific environment in which your systems operate. These guidelines are current at the time of writing, but may require update over time. Except where contrary to law, Westpac intends by this notice, to exclude liability for these guidelines and the information contained in them. While Westpac has made every effort to ensure these guidelines are free from error, Westpac does not warrant their accuracy, adequacy or completeness.