Introduction: How SSH connections, authentication and encryption work

First, it’s important to understand the relationship between SSH and SFTP (which uses SSH as its transport layer). When a client attempts to connect to an SFTP server, the following steps occur:

1. SSH encryption negotiation: Both machines negotiate their SSH connection by:

a. Creating a public/private key pair
b. Exchanging their public keys
c. Combining those shared public keys with their hidden private key to create what is known as a shared secret that is housed locally (This process is known as symmetric encryption)

2. Server authentication: Once an encrypted connection is established, the server will authenticate itself by encrypting a small piece of data and sending it to the client for verification. The client receives this data and decrypts it using the shared secret.

3. Client authentication: The client then transmits its authentication credentials to the server. This can be done in two ways:

a. Via a user name and password
b. Via public key authentication, where the client sends its public key to the server, which compares that key against its private key. If the keys match, the client is authenticated.

4. Session creation: Once authentication has been verified, a transfer session will begin, and the client will be able to execute requests.
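To make step 1 concrete, here is an added Python illustration (not code from the original article or from Cerberus FTP Server) of a finite-field Diffie-Hellman exchange, the arithmetic behind SSH's "diffie-hellman-*" key exchange methods. Each side keeps a private value, sends only its public value, and combines the peer's public value with its own private value; both arrive at the same shared secret, which is then hashed into the symmetric session key that encrypts the rest of the connection. The prime P and generator G are toy values chosen for readability, and the Party class, derive_session_key and run_key_exchange names are assumptions of this example; real SSH implementations negotiate a named group (for instance the RFC 3526 MODP groups) or an elliptic-curve exchange such as curve25519-sha256.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this illustration. They are far too
# small for real use; SSH negotiates standard groups or an elliptic curve.
P = 2**127 - 1   # a Mersenne prime
G = 2


class Party:
    """One side of the key exchange (the client or the server)."""

    def __init__(self, name):
        self.name = name
        # The private exponent is generated fresh per connection and never sent.
        self._private = secrets.randbelow(P - 2) + 1
        # Only this value crosses the wire.
        self.public = pow(G, self._private, P)
        self.shared_secret = None

    def receive(self, peer_public):
        # Combine the peer's public value with our own private exponent.
        # Both sides compute G^(a*b) mod P, so the results agree.
        self.shared_secret = pow(peer_public, self._private, P)


def derive_session_key(shared_secret, client_public, server_public):
    """Hash the shared secret together with the exchanged public values to
    obtain a 32-byte symmetric key (SSH likewise hashes the exchange into K and H)."""
    transcript = b"|".join(str(v).encode() for v in (client_public, server_public, shared_secret))
    return hashlib.sha256(transcript).digest()


def run_key_exchange():
    """Run one exchange; returns the key each side derived plus the on-wire messages."""
    client, server = Party("client"), Party("server")
    # These are the only values a passive observer on the network would see.
    wire = {"client_public": client.public, "server_public": server.public}
    client.receive(wire["server_public"])
    server.receive(wire["client_public"])
    client_key = derive_session_key(client.shared_secret, wire["client_public"], wire["server_public"])
    server_key = derive_session_key(server.shared_secret, wire["client_public"], wire["server_public"])
    return client_key, server_key, wire


if __name__ == "__main__":
    ck, sk, wire = run_key_exchange()
    print("on the wire:", wire)
    print("session keys match:", ck == sk)
```

The point for a defender is in the `wire` dictionary: the private exponents and the shared secret never appear in it, so an eavesdropper who records the negotiation has nothing with which to decrypt the session.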

What are SFTP server keys?

SFTP server keys are unique character strings used to validate client and server credentials before beginning a file transfer session. Keys can be generated in several ways, but the most common, SFTP public key authentication, uses an encryption algorithm to generate keys in pairs that provide each client (the data requestor) or server (the “owner” of the data) with a public and private key.

To authenticate a session, the client and server will exchange their public keys and compare those keys to their private key. If the keys match, the two machines will allow a connection to begin. 

What are SFTP server keys used for?

SFTP server keys are used to authenticate a client and server session before initiating a secure file transfer. They are NOT used for connection encryption.

Are SFTP keys different than SSH keys?

Not necessarily. Two types of keys are used in SFTP connections:

  • The symmetric key pair is typically automatically generated at the time an SSH connection is established and is used to establish encryption.
  • The public/private key pair is generally created in advance and used for authentication.

If your SFTP server is configured to only require a password for authentication, you could use the automatically generated symmetric key pair as both your SSH and SFTP keys. A client user would thus not need separate SFTP keys. 

If, however, you add a second authentication factor by requiring SFTP public key authentication, your SFTP keys would be different from the SSH keys generated at connection.

Is SFTP public key authentication more secure than passwords?

Yes. As a general rule, the more authentication “factors” you use, the more barriers you erect against bad actors who may be able to compromise a particular set of credentials. SFTP public key authentication serves as that second authentication factor.

In a situation where a third party has gained access to a user’s password, that third party would also need to gain access to the client or server’s private key in order to access your system. If you have appropriate security measures in place and are careful about keeping your private key hidden, you would mitigate the risk of this attack scenario.

What’s the difference between a public and private SFTP server key?

The public SFTP server key is the data string exchanged between clients and servers that each party can use to confirm the other’s identity. 

The private key is never exchanged. It is held locally on either the client or the server and used to validate the authenticity of public keys received in order to allow authentication. 
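The following added Python example (not part of the original article or of Cerberus FTP Server) shows why the private key never needs to leave the client. The server holds only the user's public key; when the client connects, the server issues a fresh random challenge, the client signs it with its private key, and the server checks the signature against the stored public key. It uses a deliberately small textbook RSA implementation so that it runs without any third-party library; the key sizes, the seeded random generator, and the function names generate_keypair, sign, verify and authenticate are constructed for this illustration and are not SSH's real signature format. In real SSH (RFC 4252) the signed data also includes the session identifier from the key exchange, so a captured response cannot be replayed on a different connection.

```python
import hashlib
import random

# Seeded generator so the toy keys are reproducible for the reader.
# Constructed for illustration only: real key generation needs a CSPRNG.
_rng = random.Random(20240601)


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Textbook RSA key pair as (public, private). Toy sizes and no padding:
    real SSH keys are larger and use a padded signature scheme."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def sign(private_key, message):
    """Client side: sign the SHA-256 digest of the message with the private key."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def verify(public_key, message, signature):
    """Server side: check the signature using only the public key."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == digest


def authenticate(server_authorized_keys, username, client_private_key):
    """Challenge-response login. Only the challenge and the signature cross the
    wire; the private key stays on the client."""
    challenge = _rng.getrandbits(128).to_bytes(16, "big")   # generated by the server
    response = sign(client_private_key, challenge)           # computed by the client
    public_key = server_authorized_keys.get(username)        # looked up by the server
    return public_key is not None and verify(public_key, challenge, response)


if __name__ == "__main__":
    public, private = generate_keypair()
    authorized_keys = {"alice": public}          # what the server stores for the user
    print("alice with her key:", authenticate(authorized_keys, "alice", private))
    _, stranger = generate_keypair()
    print("alice with a stranger's key:", authenticate(authorized_keys, "alice", stranger))
```

Because the server stores only public keys, a compromise of the server's authorized key list does not let the attacker impersonate users; a compromise of a client's private key does, which is why the article's advice on keeping private keys local and protected matters.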

How are SFTP server keys generated?

SFTP server keys are generated in several ways:

  • Initial symmetric key pairs are most commonly created automatically by an encryption algorithm within your SSH or SFTP server. Once the ssh-keygen command is issued, the server will use your specified key agreement protocol (most commonly Diffie-Hellman).
  • Public/private key pairs are typically generated when setting up SFTP servers and clients, either automatically or using a local utility such as PuTTYgen.
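Whichever utility generates the public/private pair, the public half ends up as the one-line "type base64-blob comment" record that an administrator pastes into the server's authorized keys. The added Python example below (not from the original article or from Cerberus FTP Server) parses such a line, computes the SHA256 fingerprint in the same form that `ssh-keygen -l` prints, reads the key size, and flags entries a key review would question. The function names parse_public_key_line, fingerprint, key_bits, assess and make_key_line are assumptions of this example, and the two sample keys are constructed from arbitrary bytes rather than real key material.

```python
import base64
import hashlib
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string: a uint32 length prefix followed by bytes."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def parse_public_key_line(line):
    """Parse 'type base64blob [comment]' as found in authorized_keys and .pub files.
    Returns (key_type, blob, comment) after checking the type inside the blob matches."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded_type, _ = _read_string(blob, 0)
    if embedded_type.decode() != key_type:
        raise ValueError("key type field does not match the encoded blob")
    return key_type, blob, comment


def fingerprint(blob):
    """SHA256 fingerprint as ssh-keygen -l prints it: unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_bits(key_type, blob):
    """Key size: modulus length for ssh-rsa, 256 for ssh-ed25519, None otherwise."""
    _, offset = _read_string(blob, 0)             # skip the type string
    if key_type == "ssh-rsa":
        _, offset = _read_string(blob, offset)    # public exponent e (mpint)
        modulus, _ = _read_string(blob, offset)   # modulus n (mpint)
        return int.from_bytes(modulus, "big").bit_length()
    if key_type == "ssh-ed25519":
        return 256
    return None


def assess(line, min_rsa_bits=3072):
    """Return (fingerprint, bits, warnings) for one authorized key entry."""
    key_type, blob, _ = parse_public_key_line(line)
    bits = key_bits(key_type, blob)
    warnings = []
    if key_type == "ssh-dss":
        warnings.append("DSA keys are disabled by default since OpenSSH 7.0")
    if key_type == "ssh-rsa" and bits is not None and bits < min_rsa_bits:
        warnings.append(f"RSA modulus is only {bits} bits")
    return fingerprint(blob), bits, warnings


def _encode_string(data):
    return struct.pack(">I", len(data)) + data


def make_key_line(key_type, fields, comment=""):
    """Build a public key line from wire-format fields (used here for constructed samples)."""
    blob = b"".join(_encode_string(f) for f in (key_type.encode(), *fields))
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".strip()


# Constructed samples: arbitrary byte values, not real keys.
SAMPLE_ED25519 = make_key_line("ssh-ed25519", [bytes(range(32))], "alice@laptop")
SAMPLE_RSA_1024 = make_key_line(
    "ssh-rsa", [b"\x01\x00\x01", b"\x00\xc3" + b"\x7f" * 127], "legacy@host")

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519, SAMPLE_RSA_1024):
        print(assess(sample))
```

Comparing the computed fingerprint with the one shown when a key was generated is the simple check that confirms the right public key was installed, and the same fingerprint comparison is what a client does when it verifies a server's host key.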

What are best practices for SFTP server key distribution?

The private key should reside on the client machine. Because of this, Cerberus FTP Server by Redwood recommends that you create public/private key pairs from the client side, then provide the server with your public key.

Doing so reduces the risk of a private key being intercepted: if it’s never transmitted, it can’t be intercepted unless the physical device is compromised.

What security vulnerabilities exist for SFTP server keys?

Key management is the biggest vulnerability that affects SFTP server keys. Key-based encryption and authentication processes are extremely mathematically complex and have not shown vulnerabilities to date, but the humans who may accidentally expose private keys or let others gain access to their device are the biggest threat. 

Education will be your biggest mitigating factor. Ensure your users never share or broadcast private keys, and understand what signs to look for if a phishing attack attempts to request key information. 
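Education can be backed by a routine check of the private key files themselves. The added Python example below (not from the original article or from Cerberus FTP Server) audits a private key file for the two conditions a key-management review most often finds: a file readable by other users on the machine, which OpenSSH itself refuses to load, and a key stored without a passphrase, which the "openssh-key-v1" file format records as cipher name "none" in its header. The function names audit_private_key, private_key_cipher, write_sample_private_key and run_demo are assumptions of this example, and the sample files it writes to a temporary directory carry a valid header with dummy key material; they are not usable keys.

```python
import base64
import os
import stat
import struct
import tempfile

MAGIC = b"openssh-key-v1\x00"
ARMOR_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
ARMOR_END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(blob, offset):
    """Read one SSH wire-format string: a uint32 length prefix followed by bytes."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def private_key_cipher(path):
    """Return the cipher name from an OpenSSH-format private key ('none' means
    no passphrase protects it), or None if the file is not in that format."""
    with open(path, "r") as fh:
        lines = [line.strip() for line in fh if line.strip()]
    if not lines or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        return None
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        return None
    cipher, _ = _read_string(blob, len(MAGIC))   # first field after the magic
    return cipher.decode()


def audit_private_key(path):
    """Findings for one private key file; an empty list means nothing to report."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"permissions {oct(mode)} allow group/other access (OpenSSH refuses such keys)")
    cipher = private_key_cipher(path)
    if cipher == "none":
        findings.append("stored without a passphrase: anyone who copies the file can use it")
    elif cipher is None:
        findings.append("not an openssh-key-v1 file; check passphrase protection by hand")
    return findings


def write_sample_private_key(path, cipher, mode):
    """Write a constructed file with a valid openssh-key-v1 header and dummy
    key material, then set its permissions. Not a usable key."""
    body = MAGIC
    body += struct.pack(">I", len(cipher)) + cipher.encode()          # ciphername
    kdf = b"none" if cipher == "none" else b"bcrypt"
    body += struct.pack(">I", len(kdf)) + kdf                         # kdfname
    body += struct.pack(">I", 0)                                      # kdfoptions (empty)
    body += struct.pack(">I", 1)                                      # number of keys
    body += b"\x00" * 64                                              # dummy key sections
    b64 = base64.b64encode(body).decode()
    with open(path, "w") as fh:
        fh.write(ARMOR_BEGIN + "\n")
        for i in range(0, len(b64), 70):
            fh.write(b64[i:i + 70] + "\n")
        fh.write(ARMOR_END + "\n")
    os.chmod(path, mode)


def run_demo():
    """Write one well-kept and one poorly-kept sample key, audit both, return findings."""
    with tempfile.TemporaryDirectory() as workdir:
        good = os.path.join(workdir, "id_ed25519")
        bad = os.path.join(workdir, "id_rsa_old")
        write_sample_private_key(good, "aes256-ctr", 0o600)
        write_sample_private_key(bad, "none", 0o644)
        return audit_private_key(good), audit_private_key(bad)


if __name__ == "__main__":
    good_findings, bad_findings = run_demo()
    print("well-kept key:", good_findings)
    print("poorly-kept key:", bad_findings)
```

Running such a check against the key directories of SFTP client machines turns the article's advice into something measurable, and a key found without a passphrase or with loose permissions is a signal to rotate it rather than just fix the file.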

We hope this article has been helpful in understanding SSH and SFTP server keys. If you have questions, please contact our support team.