How Cleo Harmony and VLTrader address file transfer security using SSH FTP (SFTP)

Cleo Harmony (and VLTrader) offer a variety of file transfer protocols that can be configured for secure file transfer.  SSH FTP (SFTP) operates in two modes:

1. Cleo Harmony acts as the client to an external SFTP server
2. Cleo Harmony acts as the server and allows external SFTP clients to connect.

Both modes support a variety of security settings that can be configured to support strict encryption and data security requirements.

Encryption in transit

SSH operates over an encrypted channel secured by a symmetric key negotiated between the client and the server. Both the Harmony Local Listener and SSH FTP host are encrypted in transit using one of a set of ciphers selected in the configuration. Choices include:

• 3des-cbc
• aes128-cbc
• aes128-ctr
• aes192-cbc
• aes192-ctr
• aes256-cbc
• aes256-ctr
• arcfour128
• arcfour256
• blowfish-cbc
• cast128-cbc
• twofish128-cbc
• twofish192-cbc
• twofish256-cbc

Key Management

Session keys are negotiated using one of a set of secure key exchange mechanisms selected in the configuration. Choices include:

• curve25519-sha256@libssh.org
• diffie-hellman-group-exchange-sha256
• ecdh-sha2-nistp256
• ecdh-sha2-nistp384
• ecdh-sha2-nistp521
• diffie-hellman-group14-sha1
• diffie-hellman-group1-sha1

In addition, a secure MAC algorithm is negotiated from a set of configured algorithms. Choices include:

• hmac-sha2-256
• hmac-sha2-512
• hmac-sha1
• hmac-sha2-256-96
• hmac-sha2-512-96
• hmac-sha1-96
• hmac-md5
• hmac-md5-96

SSH FTP client authentication controls

SSH FTP clients can be configured to require use of a password, an SSH key, or both. Multiple SSH public keys can be attached to each SSH account.

Passwords

Passwords are stored in the user database using a PBKDF2 hash with 1000 rounds of SHA1 and a 32-byte salt. Password anti-hammering throttles can be configured. Passwords, if used, are subject to configured complexity requirements, including:

• Minimum Password Length
• Password Cannot Contain User Name
• Minimum Number of Uppercase Characters
• Minimum Number of Lowercase Characters
• Minimum Number of Numeric Characters
• Minimum Number of Special Characters
• Number Of Passwords Before Repeats Allowed
• Password Expiration Interval

SSH Keys

SSH key authentication uses asymmetric cryptography. Only the public key is configured in Cleo Harmony. Multiple public keys may be associated with each User.

Other SSH Security Considerations

• Each SSH user can have IP Whitelisting configured as a list of one or more IP addresses or CIDR blocks.
• Encryption at rest can be enabled using built-in PGP encryption.
• User account storage can also be mapped to external encrypted storage interfaces (for example, AWS S3 using KMS).
• Detailed session logs are kept for each SSH session.
• File transfer audit logs can be written to an SQL database or accessed through a REST API.
• The SSH server key is stored in a PKCS#12 format and secured by a password, which is protected by the server master AES 256 key.

References

• SSH FTP host configuration: https://support.cleo.com/hc/en-us/articles/360033703054-SSH-FTP-host
• User configuration, including SSH users: https://support.cleo.com/hc/en-us/articles/360034227753-Users-host
• SSH Server configuration: https://support.cleo.com/hc/en-us/articles/360034260113-Configuring-a-Local-Listener-for-SSH-FTP
• Advanced property configuration, including SSH cipher properties: https://support.cleo.com/hc/en-us/articles/360034260153-Specifying-Local-Listener-advanced-properties