What Is A Key Exchange?
Overview
Before any files can be securely sent over protocols like FTPS, HTTPS, and SFTP, the two communicating parties must engage in a key exchange. What's that?
Perhaps the best way to grasp the concept of encrypted key exchange is by understanding why it's needed.
Why key exchange is vital to secure file transfers
To preserve data confidentiality during transmission, secure file transfer protocols like FTPS, HTTPS, and SFTP have to encrypt the data through what is known as symmetric encryption. This kind of encryption requires the two communicating parties to have a shared key in order for them to encrypt and decrypt messages. However, the problem is that letting two parties have a shared key is not easy.
Long distances in the real world would geographically separate the two communicating parties. One party might be in LA, while the other might be in New York, Japan, or Germany. What's more, the two parties might have never met at all.
The key can't just be sent through ordinary methods because anyone who gets hold of it would then be able to decrypt all the files that the two parties would be sending to one another. But whatever the alternative method would be, it had to be easy to use, secure, and highly scalable. It also had to be designed for the fast, interconnected, highly insecure Internet highways. Otherwise, it wouldn't be suitable for business use, where sensitive, high-volume transactions made over vast distances are often carried out on a daily or even hourly basis.
And so that's why key exchange protocols were developed. They were meant to enable two parties to exchange symmetric keys over insecure networks like the Internet.
After understanding the crucial role of key exchange in securing your data transfers, you might wonder how to implement or optimize it within your infrastructure. Book a demo today to see how our solutions make secure key exchange seamless and robust for your business needs.
SSL key exchange
In SSL/TLS-protected file transfer protocols like FTPS and HTTPS, the key exchange process is performed during what is known as the SSL handshake - that preliminary step before the encrypted message/file exchanges.
In another post, I wish to tackle the SSL/TLS handshake in more detail. But basically, this is how it works.
The client application, which is usually a Web browser (e.g., Firefox, Chrome, Internet Explorer, or Safari) or a file transfer client (e.g., AnyClient), requests a connection to the server by sending a message known as the Client Hello.
The Client Hello message typically consists of some random data and the cipher suites supported by the client. It may also contain a session ID and a compression algorithm, but don't worry about that for now. We're more concerned about the cipher suite because it's where you'll find the key exchange algorithm.
A cipher suite is a named set of algorithms (or methods, if you want) for key exchange, symmetric encryption, and message authentication. To clarify, each cipher suite will have one algorithm for key exchange, one for encryption, and one for message authentication.
As soon as the server receives the Client Hello, it will look up its list of supported cipher suites, compare it with the list sent by the client, and (ideally) choose the best.
Once the server chooses its desired cipher suite, it will choose the desired key exchange algorithm effectively.
Immediately after, the two (client and server) would start the key exchange process using the key exchange algorithm defined in the chosen cipher suite.
SFTP has a process similar to this.
Popular key exchange algorithms
The two most popular key exchange algorithms are RSA and Diffie-Hellman (now known as Diffie-Helmlman-Merkle). It probably wouldn't be too much of a stretch to say that the advent of these two key exchange protocols accelerated the growth of the Internet, especially business-wise.
That's because these two protocols allowed clients and servers, as well as servers and servers, to exchange cryptographic keys over an insecure medium (the Internet) and, in turn, enable them to transact electronically securely.
Elliptic curve cryptography has recently introduced new exchange protocols like ECDH (Elliptic Curve Diffie-Hellman) and ECDHE (Elliptic Curve Diffie-Hellman Ephemeral). These algorithms should be interesting to talk about, so stay tuned for our blog posts.
Here's a screenshot of some cipher suites supported by JSCAPE MFT Server, a managed file transfer server that supports FTPS, SFTP, HTTPS, and other secure file transfer protocols.
Related posts
A lot of things happen when you connect to a secure server on the Internet. If you like to learn more about the things that happen in the background, check out these posts:
What Is Client Certificate Authentication?
What AES Encryption Is And How It's Used To Secure File Transfers
An Introduction To Stream Ciphers and Block Ciphers
An Overview of How Digital Certificates Work
Start transferring files securely
If you're looking for a way to transfer files securely, we invite you to download a FREE, fully functional evaluation edition of the JSCAPE MFT Server. Give it a try today.
Download JSCAPE MFT Server Trial