We are sending some data from one system to another system (outside network). The data will be transferred over SFTP. Some of the data is sensitive.
I was told that since we are sending it over SFTP, we don't need to encrypt the data. As per my understanding even if we are sending data over SFTP, we should encrypt it.
I want to know if it's true that we don't need to encrypt data if we are sending over SFTP?
SFTP uses SSH as the underlying protocol. SSH handles encryption for you. Provided the SSH connection is secured well (e.g. using a private key) and you trust the system you are communicating with, you don't need to implement any further encryption.
My application needs to access files from a remote FTPS or SFTP server depending on what my app user wants to connect to. I need to be able to access file content in a folder or create a folder.
1) What login properties differ for an FTPS and SFTP server that a user must enter?
2) Is there any way I can detect if it is an SFTP or FTPS server?
SFTP doesn't have any authentication. SFTP protocol is supposed to be used over SSH connection, thus it relies on SSH for authentication. So all authentication mechanisms of SSH apply. The list of such mechanisms is extensive - you can authenticate using password, a private key ("public-key authentication"), X.509 certificate (not a popular option), keyboard-interactive (challenge-response) dialog, also via GSS-API you can use Kerberos and possibly other mechanisms. FTPS as FTP-over-TLS can also use various mechanisms. FTP uses username/password by default, but potentially one can implement some tricky mechanisms using SITE command. TLS protocol includes client-side authentication using X.509 certificates, pre-shared symmetric keys, plain PKI keys, OpenPGP keys.
SFTP and FTP/FTPS are completely different protocols. Servers run on different ports. If you want to implement protocol autodetection, you can try the following: connect to the server, and if it sends a welcome SSH message within 200-500 ms, you know that it's an SSH (and potentially SFTP) server. If it sends a welcome FTP message, it's an FTP server (this includes explicit TLS mode of FTPS). If it sends nothing, then it can be a TLS server and you can have implicit FTPS over this connection.
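The autodetection steps from the answer above, as an added example that is not part of the original post. The function names, the 0.5 s default wait and the sample banners in the comments are assumptions made for this sketch.

```python
import socket

def classify_banner(data: bytes) -> str:
    """Classify the first bytes a server sends after the TCP connect."""
    lines = data.splitlines()
    # RFC 4253 lets an SSH server send other lines before "SSH-2.0-...".
    if any(line.startswith(b"SSH-") for line in lines):
        return "ssh"          # SSH, and potentially SFTP
    # FTP greets with a three-digit reply code, e.g. "220 Service ready".
    first = lines[0] if lines else b""
    if first[:3].isdigit() and first[3:4] in (b" ", b"-"):
        return "ftp"          # plain FTP or explicit-TLS FTPS
    return "unknown"

def probe(host: str, port: int, wait: float = 0.5) -> str:
    """Connect and wait up to `wait` seconds for a welcome message."""
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.settimeout(wait)
        try:
            data = sock.recv(512)
        except socket.timeout:
            # Server expects the client to speak first: a candidate for
            # implicit FTPS, where the TLS handshake precedes the greeting.
            return "silent"
    if not data:
        return "closed"       # peer hung up without sending anything
    return classify_banner(data)
```

A `"silent"` result is only a hint: the caller still has to attempt a TLS handshake on that connection to confirm implicit FTPS.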
Recently all our testing machines have been moved to a secured shell network. As a result, the IP addresses of all these machines have now been changed and we have to access these machines using the SSH protocol from now on.
However, I am not able to access any target machine which is also enabled for SSH using "remsh" to perform some task.
I have checked the existence of the ".rhosts" file and the target machine's IP entry in the "/etc/hosts" file.
Kindly let me know if I need to change/look anywhere else to make remsh work?
Remsh, rlogin, rsh, and rcp are not secure systems, as information is sent as plain text between the machines and because host verification is not done with secret keys but is host-based and can be forged. I would think that you have changed to ssh precisely for these reasons.
Luckily you can do all the same things using ssh. For example, after configuring the machines to use public & private key pairs, you can run commands on a remote machine automatically (by supplying a password or using passwordless keys):
ssh user@remotehost command-to-be-run
If you haven't used ssh much earlier, there are a lot of things to learn, but isn't that fun? As a result you will also know how to do state of the art secure connections. You will want to learn especially about public key authentication.
There are lots of tutorials on the Internet on how to create and use keys and use ssh. http://www.olearycomputers.com/ll/ssh_guide.html seems like a good starting point. https://engineering.purdue.edu/ECN/Support/KB/Docs/SSHReplacingRhosts discusses specifically replacing .rhosts authentication with a key pair.
I've a quick question:
I have 2 websites, 1 has some links to file downloads. Those files are hosted on another server.
I need to encrypt the request data between the 2 servers. Can I do it just using an SSL certificate?
Any other/better idea?
Those files are private docs, so I don't want the server 2 or any other people being able to track the file requests between the servers.
Thanks
Yes, use SSL (or actually TLS) if you want to achieve transport level security. If these are two servers that you control you can configure your own self signed certificates. If you want to make sure that only the two servers can communicate with each other, then require client-authentication, where both the server and client use a certificate/private key pair.
Most of the time the trick is to implement a sensible key management procedure. Setting up a web server to handle TLS using certificates should not be too hard.
An SSL certificate will work fine for ensuring the transfer is encrypted. Even just a self signed certificate will be fine for this purpose (provided you can tell the client you're going to use to accept the self signed cert).
Alternatively if it's two linux machines then scp (secure copy) is a great tool where it'll connect via ssh and grab the files. (There probably is a windows scp tool but I don't know it)
Rsync also supports going via ssh
As for tracking the request... there's nothing you can do to prevent any device between your computer and the destination computer logging the fact a connection was made but the encryption should prevent anyone from getting to the actual data you're sending.
If you log in to an sftp server,
Are the username and password sent securely?
Or do you have to have certificate-based authentication to ensure that the entire transmission is encrypted?
If this is client-dependent, then do you know if Tumbleweed and WinSCP can be configured to send username and password securely?
SFTP goes over SSH, which establishes a secure tunnel by exchanging keys (recall how when you first connect you are prompted to accept and store a key?). Once the secure tunnel is established, all communication through it is encrypted. The username and password are sent via the tunnel, hence they are sent securely.
Depends on what you mean by SFTP. For "real" SFTP which stands for SSH File Transfer Protocol authentication is done on SSH layer and it's secure. Some people use "SFTP" as a synonym of FTP-over-TLS, and in this case it depends - in most cases the command channel is encrypted before username and password are sent (this is true only for SSL/TLS-secured connection, not plain FTP!) but it's possible to authenticate in clear text (eg. for debugging purposes).
SFTP itself does not authenticate at all. According to its specification it assumes that it runs over a secure channel. As such it expects that underlying channel handles authentication (if any).
So the question is, what channel does your particular instance of SFTP run over. In 99% cases it runs over SSH though (port 22), which sends username and password securely. Note that majority of SFTP clients (WinSCP definitely) and servers do not even support any other channel than SSH.
Strictly speaking even SSH can be configured encryption-less or with inferior encryption. Though again in most cases it is secure. And again, most SSH clients (WinSCP definitely) and servers do not allow encryption-less SSH setup.
First, some quotation from Microsoft TechNet's Managing Microsoft Certificate Services and SSL:
To recap, secure SSL sessions are established using the following technique:
1) The user's Web browser contacts the server using a secure URL.
2) The IIS server sends the browser its public key and server certificate.
3) The client and server negotiate the level of encryption to use for the secure communications.
4) The client browser encrypts a session key with the server's public key and sends the encrypted data back to the server.
5) The IIS Server decrypts the message sent by the client using its private key, and the session is established.
6) Both the client and the server use the session key to encrypt and decrypt transmitted data.
So, basically speaking, SSL uses asymmetric encryption (public/private key pair) to deliver the shared session key, and finally achieves communication with symmetric encryption.
Is this right?
Add - 1 - 5:55 PM 12/17/2010
I am using IIS to host my websites. Suppose I have multiple sites on my single machine, and I want the client browser to use an SSL URL to connect to my sites. How many certificates do I need? Which of the following approaches should I take?
1 - Apply for a single certificate and associate it to my single server machine which hosts multiple sites.
2 - Apply for several certificates and associate each of my sites with its own certificate.
In IIS7, it seems I could only do approach 1.
Update - 1 - 6:09 PM 12/17/2010
I figured it out. I could install multiple certificates on my server machine and bind each site with a separate certificate as necessary.
Yes, that's right. Asymmetric encryption is necessary to verify the other's identity and then symmetric encryption gets used because it's faster.
You're wrong at points 4 and 5. The server and client independently compute the same session key. It is never actually transmitted at all.
The answer is both. You will find a nice explanation in 4 steps from digicert.com below:
1) Server sends a copy of its asymmetric public key.
2) Browser creates a symmetric session key and encrypts it with the server's asymmetric public key. Then sends it to the server.
3) Server decrypts the encrypted session key using its asymmetric private key to get the symmetric session key.
4) Server and Browser now encrypt and decrypt all transmitted data with the symmetric session key. This allows for a secure channel because only the browser and the server know the symmetric session key, and the session key is only used for that session. If the browser was to connect to the same server the next day, a new session key would be created.
https://www.digicert.com/ssl-cryptography.htm
I would suggest that you post your update as a separate question.
In any case - you will require multiple certificates - one per site. Remember that these certificates tie your machine to your address. Since each of the websites is going to have a different address (potentially), you need different certs for each of the sites.
You can only have a single SSL cert per listening port on the server. This is because the very first thing that is sent is the server certificate (as in your timeline). This is before the HTTP request so if you try to host two domains on a single server (say foo.com and bar.com) there is no way for the server to know which certificate to send to the client.
There are a few different ways to solve this problem:
Host different domains on different servers
Host different domains on different ports (eg. foo.com is served from 443 and bar.com is served from 8443). If you put your host behind multiple load-balancers, you can have them service all the sites on 443.
If the different domains are all sub-domains of a single parent domain, you can get a wildcard certificate. (e.g. domains www.foo.com, bar.foo.com, and baz.foo.com can all use a certificate for *.foo.com)
Get a single certificate for one of the domains and have the other domains listed as AltNames. (e.g. both foo.com and bar.com can use a foo.com certificate with a bar.com AltName)
The case where the session key is independently computed by the client and server without the key ever being transmitted is Diffie-Hellman key exchange:
https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
--- see the nice paint illustration
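The two ways of establishing the session key that this thread describes, side by side, as an added example that is not from any of the posts: key transport under the server's public key, and Diffie-Hellman agreement where the key never crosses the wire. All parameters are toy values constructed for the example (textbook RSA without padding, a 127-bit DH modulus), and the function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example; far too small for real use.
P, G = 2**127 - 1, 3                       # DH modulus (a Mersenne prime), base
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q                      # server's public modulus
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # server's private exponent

def kdf(value: int) -> bytes:
    """Derive a 32-byte symmetric session key from an integer secret."""
    return hashlib.sha256(value.to_bytes(20, "big")).digest()

def rsa_key_transport():
    """Client picks the secret and sends it encrypted to the server's public key."""
    secret = secrets.randbelow(RSA_N - 2) + 2
    wire = [pow(secret, RSA_E, RSA_N)]           # ciphertext crosses the network
    server_secret = pow(wire[0], RSA_D, RSA_N)   # server decrypts with private key
    return kdf(secret), kdf(server_secret), wire

def dh_key_agreement():
    """Each side sends only a public value; both compute the same secret."""
    c_priv = secrets.randbelow(P - 3) + 2
    s_priv = secrets.randbelow(P - 3) + 2
    c_pub, s_pub = pow(G, c_priv, P), pow(G, s_priv, P)
    wire = [c_pub, s_pub]                        # the secret itself is never sent
    client_secret = pow(s_pub, c_priv, P)        # (G^s)^c mod P
    server_secret = pow(c_pub, s_priv, P)        # (G^c)^s mod P
    return kdf(client_secret), kdf(server_secret), wire

if __name__ == "__main__":
    for name, handshake in (("RSA transport", rsa_key_transport),
                            ("DH agreement", dh_key_agreement)):
        client_key, server_key, wire = handshake()
        print(name, "keys match:", client_key == server_key,
              "| values on the wire:", len(wire))
```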
PKI will exchange the encrypted session key between the client and server.
The SSL client sends the random byte string that enables both the client and the server to compute the secret key to be used for encrypting subsequent message data. The random byte string itself is encrypted with the server's public key (asymmetric).
SSL uses both Asymmetric and symmetric keys.