What good is an encrypted data transfer if the information it protects still falls into the wrong hands in the end? SFTP is best known for encrypting data while in transit. But while data-in-motion encryption protects confidential information as it traverses the network, encryption can't stop an impostor who has obtained a valid login from carrying out the download himself. For that, you want your users to authenticate with both the right password and the right SFTP key.
In this post, we'll talk about the role of SFTP keys (a.k.a. private keys) in the overall security of the SFTP protocol: how they work, where to use them, and other bits of information regarding this important element of SFTP.
SFTP 2 Factor Authentication
Because of its many similarities with FTP, people who use SFTP usually treat it almost in the same manner as that widely used file transfer protocol. For example, when they log in to an SFTP server, they simply enter their username and password like they would with an FTP server.
A username and password is a reasonable method of authentication. It lets the server authenticate a user by challenging him to submit a piece of information that (in theory) only he, the user, would know: his account's username/password combination. Of course, as the spate of celebrity account hacks this year reminded us, passwords can be compromised.
Does that mean that passwords are no longer good for authentication? Not really. You can make password authentication work if:
1. You force your users to choose long and complex passwords, and
2. You make sure their passwords are known only to them.
Still, good authentication may not be good enough. The hackers of today have already "leveled-up".
So should we.
To counter more advanced attackers, you can add another layer of security to your SFTP authentication process. In addition to password authentication, which is considered one factor, you can add a second factor.
Because password authentication already challenges the user for something he knows, you can issue another kind of challenge: you can challenge the user to prove he is actually in possession of something only he should have. That something is the user's private key. An authentication process that imposes two different kinds of requirements on the user (e.g. 1. something he knows and 2. something he has) is called 2-factor authentication.
With 2 factor authentication, even if a hacker manages to guess the right password, he would still be unable to log in unless he also holds the right private key. Note that 2 factor authentication is usually not enabled by default: merely installing a public key for a user typically makes the key an alternative to the password rather than an addition to it, so you have to configure the server to require both methods (in OpenSSH, for example, that is the sshd_config directive AuthenticationMethods publickey,password). Keep in mind, too, that a private key is just a file. If an attacker can copy it, the second factor is gone along with it, which is why the key itself needs protecting (see Securing SFTP Keys below).
How public key authentication works
SFTP authentication using private keys is generally known as SFTP public key authentication, which entails the use of a public key and private key pair. The two keys are mathematically bound to one another: a signature produced with the private key can be verified only with its matching public key, and the public key cannot be used to recover the private key.
Note: Although these are the same kind of key pairs used in public key encryption (an RSA key pair, for instance, can do either job), they are used here for a different purpose. Where public key encryption uses the pair to preserve confidentiality, the pairs we'll be discussing here are used to authenticate a user.
To implement public/private key authentication for your SFTP service, you need a public key/private key pair for each user, and each key pair should be associated with one user and one user alone. You can generate the pairs yourself and distribute the private keys, but it is better to have each user generate his own pair and send you only the public key: that way the private key never has to be transmitted and never exists anywhere but on the user's machine.
Once a user has a key pair, you place the user's public key on your server and the user keeps the corresponding private key (if you generated it for him, hand it over through a secure channel). The user must then keep his private key secret.
Every time the user needs to log in to your SFTP server, he uses a capable SFTP client, enters his username and password, and points the client at his SFTP private key. The server supplies data for the client to sign, the SFTP client signs it with the private key, and the server validates the resulting digital signature with the public key stored for that account. The signature proves the user holds the private key without the key itself ever crossing the network.
Here's a screenshot that shows a private key being loaded into AnyClient, an SFTP client that also supports other secure file transfer protocols.
The article How To Use An SFTP Client details the steps of connecting to an SFTP server using a GUI-based client.
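The login flow and the two-factor rule described above, as an added example that is not part of the original post and not code from any JSCAPE product: a small Go program (standard library only, Ed25519 keys) modelling the server side of a two-factor SFTP login. The server stores only a salted password hash and the user's public key; every login gets a fresh random challenge, the client signs it with the private key, and the server checks the password and verifies the signature with the stored public key, refusing the login unless both factors pass. The account structure, function names, sample password and the HMAC-based password hash are assumptions made for this example (a real server would use bcrypt or argon2 for the password and the protocol's own signing payload). It goes slightly beyond the text by also showing that a signature captured from one login is useless against a later challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Account is what the server keeps for one user: a salted password hash
// (the "something he knows" factor) and his public key (the "something
// he has" factor). The private key never reaches the server.
type Account struct {
	Salt   []byte
	PwHash []byte
	PubKey ed25519.PublicKey
}

// hashPassword is a simplified stand-in for a real password hash such as
// bcrypt or argon2 (an assumption of this example): HMAC-SHA256 keyed
// with a per-user random salt.
func hashPassword(salt []byte, password string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(password))
	return m.Sum(nil)
}

// GenerateKeyPair runs on the user's machine. Only the public key is
// handed to the server administrator for enrolment.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Enroll registers a user's password and public key on the server.
func Enroll(password string, pub ed25519.PublicKey) (*Account, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	return &Account{Salt: salt, PwHash: hashPassword(salt, password), PubKey: pub}, nil
}

// NewChallenge is issued by the server for every login attempt. A fresh
// random nonce means a signature captured from one session is useless
// against the next one.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// SignChallenge runs on the client: it proves possession of the private
// key without the key itself ever crossing the network.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

var ErrAuth = errors.New("authentication failed")

// Authenticate enforces both factors. Both checks always run and the same
// error is returned either way, so the response does not tell an attacker
// which factor was wrong.
func Authenticate(acct *Account, password string, challenge, sig []byte) error {
	pwOK := subtle.ConstantTimeCompare(hashPassword(acct.Salt, password), acct.PwHash) == 1
	keyOK := ed25519.Verify(acct.PubKey, challenge, sig)
	if !pwOK || !keyOK {
		return ErrAuth
	}
	return nil
}

func main() {
	const pw = "correct horse battery staple" // constructed sample password
	pub, priv, _ := GenerateKeyPair()
	acct, _ := Enroll(pw, pub)
	ch, _ := NewChallenge()

	// A successful login prints <nil>; every failure prints the same error.
	fmt.Println("right password + right key:", Authenticate(acct, pw, ch, SignChallenge(priv, ch)))

	// Attacker guessed the password but holds a different private key.
	_, other, _ := GenerateKeyPair()
	fmt.Println("right password + wrong key:", Authenticate(acct, pw, ch, SignChallenge(other, ch)))

	// Attacker copied the key file but does not know the password.
	fmt.Println("wrong password + right key:", Authenticate(acct, "Password1", ch, SignChallenge(priv, ch)))

	// Attacker replays a signature captured earlier against a new challenge.
	ch2, _ := NewChallenge()
	fmt.Println("replayed signature:        ", Authenticate(acct, pw, ch2, SignChallenge(priv, ch)))
}
```

The point to carry over to a real deployment is the shape of Authenticate: the server never sees the private key, it only ever sees a signature over data it chose itself, and a login succeeds only when the password check and the signature check both pass.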
Securing SFTP Keys
In order for SFTP keys to serve their purpose, their owners need to keep them secret. For additional protection, a private key can be encrypted using what is known as a pass phrase or key password. These are basically just very long passwords in the form of phrases; in other words, they typically consist of more than one word. Because the pass phrase encrypts the key file itself, a copy of the file stolen from a laptop or a backup is useless to the thief unless he also learns the pass phrase, and since he can try guesses offline against the stolen file, the pass phrase should be genuinely long. Users must remember their SFTP key's pass phrase: without it, the private key cannot be used, even by its owner!
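As an added illustration of what a pass phrase actually does (this is example code written for this post, not JSCAPE's or any SFTP client's own key handling), the Go program below encrypts a raw Ed25519 private key under a key derived from the pass phrase (PBKDF2-HMAC-SHA256 into AES-256-GCM, standard library only) and shows that the same file fed a wrong pass phrase yields an error rather than key material. The file layout, iteration count, function names and sample pass phrase are assumptions made for the example; real key formats differ (OpenSSH, for instance, uses a bcrypt-based KDF, and `ssh-keygen -p` adds or changes the pass phrase on an existing OpenSSH key).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	saltSize   = 16
	iterations = 100000 // deliberately slow, so offline guessing of the pass phrase is expensive
)

// NewPrivateKey stands in for the user generating his own SFTP key.
func NewPrivateKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for a single 32-byte output
// block, written out in full so the example needs only the standard library.
func deriveKey(passphrase string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(passphrase))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// EncryptPrivateKey produces the "key file": salt || nonce || AES-256-GCM
// ciphertext of the raw private key. The layout is an assumption of this
// example, not a real key file format.
func EncryptPrivateKey(priv ed25519.PrivateKey, passphrase string) ([]byte, error) {
	salt := make([]byte, saltSize)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(deriveKey(passphrase, salt))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	header := append(salt, nonce...)
	return gcm.Seal(header, nonce, priv, nil), nil
}

var ErrBadPassphrase = errors.New("wrong pass phrase or corrupted key file")

// DecryptPrivateKey reverses EncryptPrivateKey. A wrong pass phrase derives
// a different AES key, the GCM authentication tag fails to verify, and no
// key material is released; a tampered or truncated file fails the same way.
func DecryptPrivateKey(blob []byte, passphrase string) (ed25519.PrivateKey, error) {
	if len(blob) < saltSize {
		return nil, ErrBadPassphrase
	}
	salt := blob[:saltSize]
	block, err := aes.NewCipher(deriveKey(passphrase, salt))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < saltSize+ns+gcm.Overhead() {
		return nil, ErrBadPassphrase
	}
	nonce, ct := blob[saltSize:saltSize+ns], blob[saltSize+ns:]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil || len(pt) != ed25519.PrivateKeySize {
		return nil, ErrBadPassphrase
	}
	return ed25519.PrivateKey(pt), nil
}

func main() {
	const phrase = "tall trees whisper at dusk" // constructed sample pass phrase
	priv, _ := NewPrivateKey()
	blob, _ := EncryptPrivateKey(priv, phrase)
	_, err := DecryptPrivateKey(blob, phrase)
	fmt.Println("owner with pass phrase:   ", err) // <nil>
	_, err = DecryptPrivateKey(blob, "Password1")
	fmt.Println("thief without pass phrase:", err)
}
```

Two details matter in practice: the salt is random per key file, so an attacker cannot precompute guesses across many stolen files, and the iteration count is what makes each offline guess cost something, which is the only defence the file has once it is in an attacker's hands.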
Want to try sending files via SFTP? Download AnyClient now. It's totally free.
If you don't have an SFTP server yet, try the free, fully-functional evaluation edition of JSCAPE MFT Server.
Stay up to date on tips like this: follow us on Twitter, @jscape.