SFTP and PGP?

fred rosenberger (lowercase baba):
Looking for opinions...

I am working with a vendor. Currently, we PGP encrypt files when we send to them. They are requesting that we change to SFTP. That's all fine. However, they say that they consider the "best practice" to be using BOTH SFTP and PGP encryption of the file.

Am I missing something? To me, that seems like gilding the lily, but I'm willing to listen if anyone knows otherwise...
Richard Tookey (Bartender):
You don't say what medium you currently use to transfer the files but I assume it is some unencrypted channel such as FTP or Email. If so then the primary protection comes from the protection of the PGP private keys. An attacker therefore has to gain access to the RX computer and then get access to the PGP private key to gain access to the secret files.

If the SSH connection over which the SFTP runs is authenticated using (username, password) pairs then this is fairly weak, so it would definitely be an advantage to also PGP encrypt the files. If one uses public key authentication to access the RX computer using SSH/SFTP then on the surface also PGP encrypting is overkill, but does it hurt? I think not. It still means that if the RX computer is compromised an attacker still has to get access to the PGP private key.

One weakness you have not covered is possible access to the unencrypted files on either the TX or RX computers. To my mind this is the real weakness.

If I were involved I would keep the customer happy and do whatever he asks as long as it does not actually compromise security.
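The cleartext copies Richard mentions are the thing worth hunting for on both machines. The following is an added example, not code from the original post or from either company: it classifies files in a drop directory by inspecting the OpenPGP packet header (RFC 4880 section 4.2) instead of trusting a .pgp or .gpg extension, so a cleartext file that was renamed but never encrypted still shows up. The directory contents and header bytes are constructed for the demo and are not real gpg output.

```python
"""Find transfer files that are NOT OpenPGP-encrypted at rest.

Classification is done on the first bytes of each file: an ASCII-armored
message starts with a BEGIN PGP MESSAGE line, and a binary encrypted message
starts with a Public-Key (tag 1) or Symmetric-Key (tag 3) Encrypted Session
Key packet. Anything whose first byte does not look like a packet header is
treated as cleartext.
"""
from pathlib import Path
import tempfile

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"
SESSION_KEY_TAGS = {1, 3}  # PKESK and SKESK packet tags


def classify_bytes(data: bytes) -> str:
    """Return one of: pgp-armored, pgp-binary, pgp-other, plaintext, empty."""
    if data.startswith(ARMOR_HEADER):
        return "pgp-armored"
    if not data:
        return "empty"
    first = data[0]
    if first & 0x80:              # bit 7 is always set on a packet header
        if first & 0x40:          # new-format header: tag in the low 6 bits
            tag = first & 0x3F
        else:                     # old-format header: tag in bits 2-5
            tag = (first >> 2) & 0x0F
        if tag in SESSION_KEY_TAGS:
            return "pgp-binary"
        return "pgp-other"        # a key or signature, not an encrypted message
    return "plaintext"


def scan_directory(path) -> dict:
    """Map file name -> classification for every regular file in path."""
    results = {}
    for p in sorted(Path(path).iterdir()):
        if p.is_file():
            with p.open("rb") as fh:
                results[p.name] = classify_bytes(fh.read(64))
    return results


def demo() -> dict:
    """Build a constructed drop directory and scan it (sample data only)."""
    with tempfile.TemporaryDirectory() as d:
        drop = Path(d)
        # 0x85 = old-format header, tag 1, two-byte length; 0xC1 = new-format tag 1.
        (drop / "payroll.csv.pgp").write_bytes(b"\x85\x01\x0c\x03" + b"\x00" * 60)
        (drop / "batch.gpg").write_bytes(b"\xc1\x6e\x03" + b"\x00" * 60)
        (drop / "notes.asc").write_bytes(ARMOR_HEADER + b"\n\nhQEM...\n")
        # Leftover cleartext, despite the reassuring extension.
        (drop / "payroll-2.csv.pgp").write_bytes(b"Account,Balance\n1234,10.00\n")
        return scan_directory(drop)


if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{kind:12} {name}")
```

The header check is a first-pass heuristic: a file whose first byte happens to have bit 7 set (for example UTF-8 text beginning with a non-ASCII character) would be misreported as OpenPGP data, so anything flagged as encrypted that matters should be confirmed with `gpg --list-packets`. The useful direction is the other one: a file reported as plaintext in a directory that is supposed to hold only encrypted payloads is exactly the weakness described above.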
fred rosenberger (lowercase baba):
So I am not an expert at all. These are some kind of financial records going from my corporation to Vanguard.

Currently, we use a straight FTP connection, with the files PGP encrypted.

We are moving away from PGP, and trying to go to more SFTP connections. We use either public/private pre-shared keys, or sometimes a normal user id/pw.

Both machines are behind their respective company's firewall. Vanguard is going to open up theirs to our IP.
Richard Tookey (Bartender):
As long as "id/pw" authentication is allowed, I would PGP encrypt.
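Whether id/pw authentication is allowed for the transfer account is something you can check on the receiving host rather than assume. The following is an added example, not code from the original post or from either company: it reads an sshd_config and reports the effective PasswordAuthentication setting for a given user, following sshd's rules that the first value seen for a keyword wins and that a matching Match block overrides the global section. The config text, the account names vanguard-xfer and legacy-*, and the paths are constructed for the demo. Only "Match all" and "Match User" criteria are evaluated; Group, Address and Host blocks cannot be resolved offline and are skipped, which is an assumption of this checker, not sshd behaviour.

```python
"""Report whether sshd would still accept a password for a given account.

Also covers keyboard-interactive authentication, because with UsePAM yes
sshd's keyboard-interactive method prompts for the account password even
when PasswordAuthentication is set to no.
"""
import fnmatch
import re

# Constructed sample, not from the original post: passwords off globally,
# the vendor transfer account locked to internal-sftp, but one legacy
# account pattern quietly re-enables passwords.
SAMPLE_SSHD_CONFIG = """
# global section
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Subsystem sftp internal-sftp

Match User vanguard-xfer
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PasswordAuthentication no

Match User legacy-*
    PasswordAuthentication yes
"""

_LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")  # "Key Value" or "Key=Value"


def parse_sshd_config(text: str):
    """Return (global_settings, match_blocks).

    Each settings dict keeps only the FIRST value seen for a keyword, as sshd
    does. match_blocks is a list of (criteria, settings) in file order.
    """
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "challengeresponseauthentication":   # deprecated alias
            key = "kbdinteractiveauthentication"
        if key == "match":
            words = value.split()
            criteria = {"all": True} if words == ["all"] else {
                name.lower(): pat for name, pat in zip(words[::2], words[1::2])
            }
            current = {}
            blocks.append((criteria, current))
            continue
        current.setdefault(key, value)
    return global_settings, blocks


def _user_matches(patterns: str, user: str) -> bool:
    """Match User takes a comma-separated pattern list; a leading ! negates."""
    matched = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        if fnmatch.fnmatchcase(user, pat):
            if negate:
                return False
            matched = True
    return matched


def _block_applies(criteria: dict, user: str) -> bool:
    if criteria.get("all"):
        return True
    if set(criteria) - {"user"}:
        return False  # assumption: criteria we cannot evaluate offline never match
    return "user" in criteria and _user_matches(criteria["user"], user)


def effective_setting(config_text: str, user: str, key: str, default):
    """The value sshd would use for key when this user logs in."""
    key = key.lower()
    global_settings, blocks = parse_sshd_config(config_text)
    for criteria, settings in blocks:        # first matching block wins
        if _block_applies(criteria, user) and key in settings:
            return settings[key]
    return global_settings.get(key, default)


def password_auth_allowed(config_text: str, user: str) -> bool:
    return effective_setting(config_text, user, "PasswordAuthentication", "yes").lower() == "yes"


def password_login_possible(config_text: str, user: str) -> bool:
    """True if a password prompt can still reach this user by either method."""
    kbd = effective_setting(config_text, user, "KbdInteractiveAuthentication", "yes")
    return password_auth_allowed(config_text, user) or kbd.lower() == "yes"


if __name__ == "__main__":
    for account in ("vanguard-xfer", "legacy-batch", "alice"):
        print(account, "password login possible:",
              password_login_possible(SAMPLE_SSHD_CONFIG, account))
```

Run it against the real file with `sshd -T -C user=vanguard-xfer` on the receiving host as the authoritative cross-check; the checker above is for reviewing a config you have been sent without access to that host. The legacy-* block in the sample is the case to watch for: the transfer account itself looks clean, yet a neighbouring Match block keeps password logins alive on the same server, which is the situation in which keeping the PGP layer is clearly justified.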