SFTP SSH Client Encryption default or options

Come here to discuss FileZilla and FTP in general

Moderator: Project members

Post Reply
Message
Author
james.dean
500 Command not understood
Posts: 2
Joined: 2017-11-09 14:36
First name: James
Last name: Dean

SFTP SSH Client Encryption default or options

#1 Post by james.dean » 2017-11-09 14:49

Hi there

We use FZ and I want to evidence to a client that the SFTP we want to use with them is using strong encryption protocols.
I can see from the thumb print of the file:
SSH RSA 2048 and I would think RSA 2048 keys are used to communicate the symmetric key used for the encryption which is great!. I can see the SHA 256 hash which is a compliant hash algorithm which is also great!. I cannot see the symmetric key algorithm that is used.
When the client makes a connection to the server I would assume it gives the encryption protocols that it supports and the server will match the stronger but please advise.

Best regards
James

User avatar
botg
Site Admin
Posts: 33171
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: SFTP SSH Client Encryption default or options

#2 Post by botg » 2017-11-09 15:32

I suppose you're looking at the key file that's used by the client to authenticate itself to the server.

There are many things to consider:
- The key exchange algorithm (KEX), typically a flavor of DH combined with a cryptographic hash
- The server's host key algorithm.
- The client to server encryption algorithm
- The client to server MAC algorithm
- The server to client encryption algorithm
- The server to client MAC algorithm
- The algorithm of the client's keypair used for authentication (if not using password-based authentication)
- The algorithm how fingerprints are displayed to the user for verification in the TOFU model

MAC and encryption algorithm go hand-in-hand in some cipher suites, e.g. when using authenticated encryption.

If any of these algorithms is insecure, the entire session is insecure.

Algorithms are negotiated during the handshake. Both client and server exchange their supported algorithms ordered by preference and both the client and the server pick the first algorithms supported by both, ordered by client preference.

In FileZilla you can see the algorithms negotiated for the current session by clicking the lock icon in the status bar after connecting to the server.


Last but not least, there's another important aspect: Both the client and the server need to use a secure RNG. If the exchanged nonces and IVs aren't random, the session is not secure. There is no way for a client to know which RNG a server uses.

james.dean
500 Command not understood
Posts: 2
Joined: 2017-11-09 14:36
First name: James
Last name: Dean

Re: SFTP SSH Client Encryption default or options

#3 Post by james.dean » 2017-11-09 16:40

Thank you for your answer. Very informative.

Best regards
James

Post Reply