I'm curious about a setup that involves downloading sensitive information from an SFTP server over the internet. The current approach is for the clients to connect to the SFTP server with a private key.

The vendor (who hosts the SFTP server) is now suggesting to switch to a model where the clients receive public keys to connect to their accounts.

Is there any downside in flipping around the authentication from previously private keys to a public key model?

My understanding is that in both scenarios the client is not proving his identity, but in the private key solution at least the private key can be protected with a password to add an extra layer of security.

Rory Alsop
bfloriang

1 Answer


No, it is not possible. Public/private key cryptography is (for a reason) called asymmetric; therefore it works only one way round:

  • the user has a private key to prove their identity
  • the server has a public key to verify the user's identity

You can't switch that over. The clients should also have the public key of the server, though it is not used for authentication and is part of a different story.

Jakuje
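As an added illustration (not part of the question or Jakuje's answer), the following Python models the SSH publickey challenge-response with constructed textbook RSA parameters: the server stores only the public key and verifies, while only the holder of the private key can sign. The key constants, function names and toy modulus are all assumptions made for this example.

```python
import hashlib
import secrets

# Constructed textbook RSA parameters (p=61, q=53): far too small to be secure,
# chosen only so the arithmetic stays visible. Real SSH keys are Ed25519 or >=2048-bit RSA.
N, E, D = 3233, 17, 2753          # modulus, public exponent, private exponent


def digest(msg: bytes) -> int:
    """Hash the challenge and reduce it into the toy modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_digest(h: int, exponent: int) -> int:
    """Raise the digest to an exponent; only the private exponent D yields a valid signature."""
    return pow(h, exponent, N)


def verify_digest(h: int, signature: int, pub_exp: int = E) -> bool:
    """Server side: recover the digest with the public exponent and compare."""
    return pow(signature, pub_exp, N) == h


def server_authenticates(client_signer, authorized_pub_exp: int = E) -> bool:
    """SSH-style publickey exchange: the server issues a fresh nonce, the client
    returns a signature, and the server checks it against the stored public key."""
    challenge = secrets.token_bytes(16)      # fresh per session, so a captured signature is useless
    signature = client_signer(challenge)
    return verify_digest(digest(challenge), signature, authorized_pub_exp)


def honest_client(challenge: bytes) -> int:
    """Client holding the private key (the current setup in the question)."""
    return sign_digest(digest(challenge), D)


if __name__ == "__main__":
    print("client with private key accepted:", server_authenticates(honest_client))  # True
    # The "flipped" model: a client holding only the public exponent tries to sign with it.
    # Shown on a fixed digest value so the result is deterministic with this tiny modulus.
    h = 2
    print("public-key-only 'signature' accepted:", verify_digest(h, sign_digest(h, E)))  # False
```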