SFTP and PGP?

fred rosenberger (Bartender)

Looking for opinions...

I am working with a vendor. Currently, we PGP encrypt files when we send to them. They are requesting that we change to SFTP. That's all fine. However, they say that they consider the "best practice" to be using BOTH SFTP and PGP encryption of the file.

Am I missing something? To me, that seems like gilding the lily, but I'm willing to listen if anyone knows otherwise...


There are only two hard things in computer science: cache invalidation, naming things, and off-by-one errors
Richard Tookey (Ranch Hand)

You don't say what medium you currently use to transfer the files but I assume it is some unencrypted channel such as FTP or Email. If so then the primary protection comes from the protection of the PGP private keys. An attacker therefore has to gain access to the RX computer and then get access to the PGP private key to gain access to the secret files.

If the SSH connection over which the SFTP runs is authenticated using (username, password) pairs then this is fairly weak so it would definitely be an advantage to also PGP encrypt files. If one uses public key authentication to access the RX computer using SSH/SFTP then on the surface also PGP encrypting is overkill but does it hurt? I think not. It still means that if the RX computer is compromised an attacker still has to get access to the PGP private key.

One weakness you have not covered is possible access to the unencrypted files on either the TX or RX computers. To my mind this is the real weakness.

If I were involved I would keep the customer happy and do whatever he asks as long as it does not actually compromise security.
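The layered setup discussed above, as an added example (not code from either poster): a sender-side script that PGP-encrypts and signs each file, pushes only the ciphertext over SFTP with key-based authentication and password auth disabled on the client, and then removes the local plaintext, which is the TX-side weakness the reply points out. Host, account, key identities and paths are placeholders.

```shell
#!/bin/sh
# Sender-side pipeline (added example): PGP layer, then SFTP layer, then
# plaintext cleanup. All hosts, users, key uids and paths are placeholders.
set -eu

SFTP_HOST="${SFTP_HOST:-sftp.vendor.example}"        # placeholder endpoint
SFTP_USER="${SFTP_USER:-acme-transfer}"              # placeholder account
SFTP_KEY="${SFTP_KEY:-$HOME/.ssh/vendor_ed25519}"    # placeholder client key
RECIPIENT="${RECIPIENT:-inbound@vendor.example}"     # placeholder PGP uid
SIGNER="${SIGNER:-transfers@acme.example}"           # placeholder PGP uid

# Transport hardening: the client refuses password/keyboard-interactive
# auth outright, so the session can never degrade to the weak "id/pw"
# mode, and an unknown or changed host key aborts the connection.
ssh_hardened_opts() {
  printf '%s' '-o BatchMode=yes -o StrictHostKeyChecking=yes -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no -o PubkeyAuthentication=yes -o IdentitiesOnly=yes'
}

# Layer 1: PGP. Encrypt to the vendor's public key and sign with ours so the
# receiver can decrypt and verify origin. No --trust-model always: gpg will
# refuse a recipient key whose fingerprint has not been validated locally.
pgp_encrypt_sign() {   # $1 = plaintext path; prints ciphertext path
  gpg --batch --yes --sign --local-user "$SIGNER" \
      --encrypt --recipient "$RECIPIENT" --output "$1.gpg" "$1"
  printf '%s\n' "$1.gpg"
}

# Layer 2: SFTP. Upload under a temporary name and rename at the end so the
# vendor's pickup job never sees a half-written file.
sftp_put() {           # $1 = local ciphertext, $2 = remote directory
  name=$(basename "$1")
  # shellcheck disable=SC2046  # option string is intentionally word-split
  sftp $(ssh_hardened_opts) -i "$SFTP_KEY" -b - "$SFTP_USER@$SFTP_HOST" <<EOF
put "$1" "$2/$name.part"
rename "$2/$name.part" "$2/$name"
EOF
}

# The weakness the reply highlights: plaintext lingering on the TX host.
# Remove it once the ciphertext has been delivered; returns 0 when gone.
remove_plaintext() {   # $1 = plaintext path
  rm -f -- "$1"
  [ ! -e "$1" ]
}

send_file() {          # $1 = plaintext path, $2 = remote directory
  ct=$(pgp_encrypt_sign "$1")
  sftp_put "$ct" "$2"
  remove_plaintext "$1"
}
```

Run as `send_file records.csv /inbound` once the vendor's PGP key has been imported and its fingerprint checked out of band.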
fred rosenberger (Bartender)

So, I am not an expert at all. These are some kind of financial records going from my corporation to Vanguard.

Currently, we use a straight FTP connection, with the files PGP encrypted.

We are moving away from PGP, and trying to go to more SFTP connections. We use either public/private pre-shared keys, or sometimes a normal user id/pw.

Both machines are behind their respective company's firewall. Vanguard is going to open up theirs to our IP.
Richard Tookey (Ranch Hand)

While ever "id/pw" authentication is allowed, I would PGP encrypt.