OFTP2
The OFTP2 protocol (Odette File Transfer Protocol 2) is a further development of the OFTP1 or OFTP/ISDN protocol used for EDI data exchange for many years, particularly in the automotive industry. The reasons for the decline of OFTP1 lie mainly in the peculiarities of the ISDN protocol.
The standard in the automotive industry
Although the transmission of EDI files via ISDN or OFTP1 is considered a secure transport route even without encryption mechanisms, because an ISDN connection is difficult to infiltrate, this transmission method dates back to the early days of EDI data communication, an era when modern broadband connections were still scarce. In particular, the low transmission speed of ISDN/OFTP1 connections increasingly proved to be an obstacle, since very large data volumes in the form of CAD files (ENGDAT method) also had to be transmitted this way. Deutsche Telekom's announcement that it would replace its ISDN service with IP telephony was the final indicator that OFTP2 would become the future tool of choice for EDI traffic within the automotive supply industry.
More transaction security through positive as well as negative feedback
A general and important advantage of the OFTP2 protocol is the ability to continue the transmission of VDA and EDIFACT messages by restarting it if the connection fails. Equally useful in practice is the confirmation of the complete receipt of an EDI file by the receiving OFTP2 software. This means that the sender is immediately informed of the successful transmission and complete receipt, which goes a long way toward meeting transaction security requirements, especially at high transmission frequencies. In principle, two EDI acknowledgment statuses can be distinguished: EERP (End-to-End Response) and NERP (Negative End Response). In addition to the positive receipt confirmation for a successful data transmission, the OFTP2 protocol also reports failed EDI transactions (e.g., as a result of an abort) in the form of a negative receipt confirmation.
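A simplified model of the restart and acknowledgement behaviour just described, added here as an example for this article (it is not OFTP2 code and does not use the protocol's real command set): the receiver reports how many bytes it already holds, the sender resumes from there after a dropped connection, and the file is acknowledged with EERP only when the received length equals the announced size, otherwise with NERP. The names `Session`, `Transfer` and `Receiver`, the chunk size and the scripted link failures are constructed assumptions of the example.

```go
package main

import "fmt"

type Ack string
const EERP, NERP Ack = "EERP", "NERP" // end-to-end response (complete receipt) / negative end response (failed transfer)
// Receiver is a constructed model that stores the bytes received so far per virtual file name.
type Receiver map[string][]byte
// EndOfFile answers EERP only when the stored length matches the size the sender announced;
// otherwise the incomplete file is discarded and NERP is returned.
func (r Receiver) EndOfFile(name string, announced int) Ack {
	if len(r[name]) == announced {
		return EERP
	}
	delete(r, name)
	return NERP
}
// Session resumes at the byte count the receiver already holds (the restart position) and sends
// fixed-size chunks; the constructed link drops after failAfter chunks (-1 means a reliable link).
func Session(r Receiver, name string, data []byte, announced, chunk, failAfter int) (ack Ack, ok bool) {
	pos := len(r[name])
	for sent := 0; pos < len(data); sent++ {
		if sent == failAfter {
			return "", false // connection lost: no acknowledgement arrives and the sender must restart
		}
		end := pos + chunk
		if end > len(data) {
			end = len(data)
		}
		r[name] = append(r[name], data[pos:end]...)
		pos = end
	}
	return r.EndOfFile(name, announced), true
}
// Transfer restarts the session after each drop listed in failures and returns the final acknowledgement with the number of restarts.
func Transfer(r Receiver, name string, data []byte, announced, chunk int, failures []int) (Ack, int) {
	for attempt := 0; ; attempt++ {
		failAfter := -1
		if attempt < len(failures) {
			failAfter = failures[attempt]
		}
		if ack, ok := Session(r, name, data, announced, chunk, failAfter); ok {
			return ack, attempt
		}
	}
}

func main() {
	fmt.Println(Transfer(Receiver{}, "ORDERS.edi", []byte("constructed EDIFACT payload"), 27, 8, []int{2, 3})) // EERP 1
}
```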
When using the OFTP2 standard for transmitting EDI messages, several levels must be considered, each of which allows the use of different options. An important subcomponent of the OFTP2 process is the EDI data transfer, i.e., the physical transport of EDI messages from the sender to a recipient. OFTP2 uses TLS or its predecessor SSL for secure EDI data transmission. When setting up an OFTP2 data connection, a basic distinction can be made between two different characteristics:
PKI and CMS for the creation of digital signatures
In order to meet the highest demands for a secure EDI connection by encrypting and signing the EDI messages, it is necessary to use suitable certificates. The required certificates are based on the X.509 standard. This standard describes the PKI (Public Key Infrastructure) and CMS (Cryptographic Message Syntax) formats. Both are necessary for the creation of digital signatures.
Certificates can generally also be created independently (self-signed certificates) or together with the EDI exchange partner (mutually signed certificates). However, in the case of EDI data exchange in the automotive industry, in particular, the major market players (e.g., MAN, Daimler, etc.) attach great importance to certificates issued by a recognized and trustworthy authority or CA (Certificate Authority).
Odette—internationally recognized body with influence on EDI processes in the automotive industry
One of the globally recognized bodies for issuing OFTP2 certificates (CA) is the ODETTE organization. ODETTE (Organization for Data Exchange by Tele Transmission in Europe) is an association of regional automotive organizations that exerts a significant influence on the EDI processes and procedures used in the automotive industry. The recommendations made within ODETTE are therefore predominantly found in EDI practice among OEM (Original Equipment Manufacturer) users and their automotive suppliers.
Certificates with term limits for more security
Consequently, the first step in establishing a secure OFTP2 data connection is to apply for a certificate from a suitable organization. OFTP2 certificates are subject to a fee; the cost is usually based on the validity period, which can be between one and ten years. In practice, however, OFTP2 certificates with a validity of between three and five years are predominantly used. The term of an OFTP2 certificate should not be too short, since each certificate change involves additional effort and connection tests with the connected OFTP2/EDI partners. Moreover, certificates should be chosen that allow the full functionality of both line encryption and file encryption.
Based on the certificate obtained, the components required for setting up the OFTP2 connection (such as the public key) can be transferred to the EDI partner. The recipient can check the validity of the received information through its OFTP2 software, which consults a dedicated TSL (Trusted Service Status List). The TSL lists all suitable certificate issuers and thus enables the EDI partner to verify the trustworthiness and integrity of the received certificate information against the list entries.
The asymmetric encryption method used in OFTP2 communication ensures, by means of a matching key pair (private key and public key), that an EDI message addressed via OFTP2 can be made readable only by its intended recipient. Only that EDI partner can decrypt the message, which the sender encrypted with the recipient's public key, using their own private key. For signing and verifying EDI messages, the public key allows the hash values to be identified and verified and thus provides a comprehensive validation and confidentiality check that confirms the sender who signed the message with their private key. This method is suitable for the secure transmission of large EDI messages.
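As an added illustration of the trusted-issuer check and the signature verification described above (example code written for this article, not code from any OFTP2 product or from ODETTE): a hypothetical listed CA issues a 3-year certificate for a partner key, the same key also carries a self-signed certificate, and the receiving side accepts only the certificate that chains to an issuer on its trusted list before using its public key to verify a signed SHA-256 digest. The CA names, the Go `x509.CertPool` standing in for the TSL, the constructed payload and the use of P-256 keys are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// template builds a minimal X.509 template that is valid from now for the given number of years.
func template(cn string, ca bool, years int, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: usage}
}
// issue signs tmpl with the signer's key; passing parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
// VerifyPartner accepts a received certificate only if it chains to a listed issuer (the pool stands in for the TSL) and is inside its validity period.
func VerifyPartner(cert *x509.Certificate, trusted *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
// Scenario: a hypothetical listed CA issues a 3-year certificate for the partner key, which also carries a self-signed one.
func Scenario() (caIssuedAccepted, selfSignedAccepted, signatureValid bool) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	partnerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caT := template("Hypothetical Listed CA", true, 10, x509.KeyUsageCertSign)
	caCert := issue(caT, caT, &caKey.PublicKey, caKey)
	issued := issue(template("partner (constructed)", false, 3, x509.KeyUsageDigitalSignature), caCert, &partnerKey.PublicKey, caKey)
	selfT := template("partner (constructed)", false, 3, x509.KeyUsageDigitalSignature)
	selfSigned := issue(selfT, selfT, &partnerKey.PublicKey, partnerKey)
	tsl := x509.NewCertPool() // the receiver's trusted-issuer list: only the listed CA is on it
	tsl.AddCert(caCert)
	digest := sha256.Sum256([]byte("constructed EDIFACT payload")) // the partner signs the hash with its private key
	sig, _ := ecdsa.SignASN1(rand.Reader, partnerKey, digest[:])
	signatureValid = ecdsa.VerifyASN1(issued.PublicKey.(*ecdsa.PublicKey), digest[:], sig) // checked with the public key from its certificate
	return VerifyPartner(issued, tsl) == nil, VerifyPartner(selfSigned, tsl) == nil, signatureValid
}
func main() { fmt.Println(Scenario()) }
```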