Before any files can be sent securely over protocols like FTPS, HTTPS, and SFTP, the two communicating parties must first engage in a key exchange. What's that?
Perhaps the best way to grasp the concept of encrypted key exchange is by understanding why it's needed.
Why key exchange is vital to secure file transfers
To preserve data confidentiality during transmission, secure file transfer protocols like FTPS, HTTPS, and SFTP have to encrypt the data through what is known as symmetric encryption. This kind of encryption requires the two communicating parties to have a shared key in order for them to encrypt and decrypt messages. But the problem is, letting two parties have a shared key is not easy.
In the real world, the two communicating parties would likely be geographically separated by long distances. One party might be in LA, while the other might be in New York, or perhaps even in Japan or Germany. What's more, the two parties might have never met at all.
The key can't just be sent through ordinary methods because anyone who gets hold of it would then be able to decrypt all the files that the two parties would be sending to one another. But whatever the alternative method would be, it had to be easy to use, secure, and highly scalable. It also had to be designed for the fast, interconnected, but highly insecure highways of the Internet. Otherwise, it wouldn't be be suitable for business use, where sensitive, high volume transactions made over vast distances are often carried out on a daily or even hourly basis.
And so that's why key exchange protocols were developed. They were meant to enable two parties to exchange symmetric keys over insecure networks like the Internet.
SSL key exchange
In SSL/TLS-protected file transfer protocols like FTPS and HTTPS, the key exchange process is performed during what is known as the SSL handshake - that preliminary step prior to the encrypted message/file exchanges.
I wish to tackle the SSL/TLS handshake in more detail in another post. But basically, this is how it works.
The client application, which is usually a Web browser (e.g. Firefox, Chrome, Internet Explorer, or Safari) or a file transfer client (e.g. AnyClient), requests a connection to the server by sending a message known as the Client Hello.
The Client Hello message typically consists of some random data and the cipher suites supported by the client. It may also contain a session ID and a compression algorithm but don't worry about that for now. What we're more concerned of is the cipher suite because it's where you'll find the key exchange algorithm.
A cipher suite is a named set of algorithms (or methods, if you want) for key exchange, symmetric encryption, and message authentication. To clarify, each cipher suite will have one algorithm for key exchange, one for encryption, and one for message authentication.
As soon as the server receives the Client Hello, it will look up its own list of supported cipher suites, compare it with the list sent by the client, and (ideally) choose the best.
Once the server has chosen its desired cipher suite, it would likewise have effectively chosen the desired key exchange algorithm.
Immedaitely after, the two (client and server) would start the key exchange process using the key exchange algorithm defined in the cipher suite that was chosen.
SFTP has a process similar to this.
Popular key exchange algorithms
The two most popular key exchange algorithms are RSA and Diffie-Hellman (now known as Diffie-Helmlman-Merkle). It probably wouldn't be too much of a stretch to say that the advent of these two key exchange protocols accelerated the growth of the Internet, especially businesswise.
That's because these two protocols allowed clients and servers, as well as servers and servers, to exchange cryptographic keys over an insecure medium (the Internet) and in turn enable them to transact electronically in a secure manner.
Lately, the emergence of elliptic curve cryptography has introduced new exchange protocols like ECDH (Elliptic Curve Diffie-Hellman) and ECDHE (Elliptic Curve Diffie-Hellman Ephemeral). These algorithms should be interesting to talk about, so stay tuned for our blog posts on these.
Here's a screenshot of some of the cipher suites supported by JSCAPE MFT Server, a managed file transfer server that supports FTPS, SFTP, HTTPS, and other secure file transfer protocols.
A lot of things happen when you connect to a secure server on the Internet. If you like to learn more about the things that happen in the background, check out these posts:
Start transferring files securely
If you're looking for a way to transfer files securely, we invite you to download a FREE, fully-functional evaluation edition of JSCAPE MFT Server. Give it a try today.