SSL Secures Transactions and File Transfers
While FTP paved the way for common-use applications of file transfer, it is now a legacy protocol with many security holes that cannot be plugged. Certain measures can be taken to make FTP more secure, such as turning off anonymous access and heightening the security of your firewall, but these don’t make up for the inherent risks FTP carries.
The Internet Engineering Task Force (IETF) conjured a new, safer method of file transfer in the form of SFTP. Where FTP sends all data, including passwords, as plain text, SFTP encrypts data in transit using a set of keys.
SSL, TLS, and SFTP
Public key security, more formally known as asymmetric cryptography, involves the use of a key pair to encrypt data. Unlike symmetric cryptography, which uses only one key to both encrypt and decrypt, asymmetric cryptography involves two keys that perform opposite functions but make up one process. The public key encrypts the data, which can then only be decrypted by the matching, secret private key. The private key cannot be derived from the public key, so a user can safely disseminate the public key to other users, who can then send coded data that only the key pair owner can decode.
Cornerstone uses public key security through Transport Layer Security (TLS), which is often still referred to by its predecessor’s name, Secure Sockets Layer (SSL). SSL is now incorporated into the broader and more secure TLS, which is incorporated into several file transfer protocols, including FTPS, HTTPS, and WebDAV. SSL offers a higher level of security by optionally accepting only connections that present authorized certificates.
SSL is added to HTTP (making it HTTPS) to secure websites. If you see a little padlock icon beside your URL, you’re on a secure page. This is particularly useful for websites that handle credit card or other sensitive information.
Where do Keys Come From?
You can create a key using a third-party generator, such as PuTTYgen. Cornerstone also has a built-in certificate management system which allows you to create and store keys for easy use. When you create a key, you’ll need to fill in a range of personal information, including a name and email address, company, and location; all of this is required for the key. When you’ve filled in your information and generated a key (keys come in a variety of lengths, and the length determines how secure your key is), you can choose how to sign the key.
The signature is the important bit. You could sign the key yourself, which is the easiest way, but without any third-party credentials to back you up, websites and servers won’t trust you. To have a trustworthy key, you’ll need to submit a Certificate Signing Request (CSR) to a Certificate Authority (CA), which will verify your information. Once it’s confirmed that you are who you claim to be and own the domain on your CSR, the CA will back your key. When you try to access a website or server using an SSL connection, an SSL handshake will occur invisibly; this is when the website or server will compare the CA’s signature with a database of legitimate sources before either allowing access to a site or submitting a warning to the end user about a bad certificate (you may have seen this error pop up when you try to enter a website, telling you it isn’t a trusted site). In the case of a client-and-server transfer, an uncertified key will be rejected.
At this point, assuming all has gone well, an actual data transfer can begin. The initial SSL handshake facilitates the creation of a symmetric session key. Basically, since public-key encryption takes more time and computing power, most transfers use a combination of public-key and symmetric key encryption (instead of multiple public-key encryptions) to keep security high and power/time usage low. The browser will use its public key to encrypt a one-time use symmetric key to share with the client. The rest of the transaction uses this symmetric key, which is private thanks to the public-key encryption. After the transfer is over, the symmetric key is thrown away.
Out with FTP, In with FTPS
Data encryption is vital to a truly secure transfer. FTP will never be as secure as using a protocol with inherent encryption methods, such as FTPS. SSL/TLS provides far greater security for your file transfers, thanks to public-key encryption of data as it moves between your client and server.
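A minimal FTPS client that applies the points above, as an added example that is not from the original post or from Cornerstone. It uses Python's standard `ftplib` and `ssl` modules, verifies the server certificate against trusted CAs, and encrypts the data channel as well as the control channel; the host name, credentials and file paths are placeholders supplied by the caller.

```python
import ssl
from ftplib import FTP_TLS


def make_ftps_context(ca_file=None, client_cert=None, client_key=None):
    """Build TLS settings for an FTPS client.

    ca_file: optional PEM bundle of CAs to trust (system store if None).
    client_cert/client_key: optional PEM files, for servers that only
    accept connections presenting an authorized client certificate.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / 1.1
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def context_is_safe(ctx):
    """True only if the server's certificate chain and host name are checked."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def upload(host, user, password, local_path, remote_name, ctx=None, port=21):
    """Upload one file over explicit FTPS; returns the server's reply line."""
    ctx = ctx or make_ftps_context()
    if not context_is_safe(ctx):
        # An unverified TLS session is encrypted but not authenticated.
        raise ValueError("TLS context does not verify the server certificate")
    with FTP_TLS(context=ctx, timeout=30) as ftps:
        ftps.connect(host, port)
        ftps.auth()                 # AUTH TLS: handshake and certificate check
        ftps.login(user, password)  # credentials now travel inside TLS
        ftps.prot_p()               # PROT P: encrypt the data channel too
        with open(local_path, "rb") as fh:
            return ftps.storbinary(f"STOR {remote_name}", fh)
```

Without the `prot_p()` call, `ftplib` protects only the control channel and the file contents still cross the network in the clear.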
For further information about how to keep your data protected, you can read our second post in this series, The Corporate Firewall.