Encrypt data flows via SFTP protocol


I have a problem, and I am neither a system engineer nor an expert on certificates.

I have to transfer some files from a client to an SFTP server via the SFTP protocol.

I have installed an SFTP server on my local Windows machine (I used Cygwin). Everything works correctly. But I have a doubt: is the transfer on a secure channel? Or should I configure something on my server?

Should I have a certificate on my Windows machine that ensures the flow is encrypted? I think the flow is encrypted because I am using SFTP. I think it's like HTTPS, i.e. encryption is implemented by the protocol... So I don't have to do any particular customization to the server...

If I should generate a certificate (not for authentication), how can I do that with Cygwin?

Ciccio

Posted 2014-11-06T14:14:22.920

Reputation: 131

Answers

1

While I am more familiar with Unix/Linux, the idea is the same. SFTP is already secured (that is what the S is for). However, how strong it is depends on the cipher used. You should be able to configure it on the server side as well as on the client. Cygwin by default uses the OpenSSH suite widely used in the Linux world, so the configuration is the same as what is used on Linux. In other words, you can just consult the OpenSSH server docs that are available.

For details you can take a look at the sshd configuration, as SFTP is just an SSH server subsystem and thus shares the configured values.

http://linux.die.net/man/5/sshd_config

johnshen64

Posted 2014-11-06T14:14:22.920

Reputation: 4 399

Do you mean that the flow is already encrypted? And do you mean that I could just change the way the flow is encrypted (RSA, DES, ...)? – Ciccio – 2014-11-06T14:28:47.070

Yes, it is already encrypted with whatever cipher SSH traffic is encrypted with. Yes, you can change the cipher (algorithm) of encryption. This is the same as SSH, again. – johnshen64 – 2014-11-06T14:30:50.587

So I don't have to look for any certificate installed on my machine. Right? – Ciccio – 2014-11-06T14:32:33.010

Right, you don't have to. – johnshen64 – 2014-11-06T14:35:55.597

I have another doubt... You talked about sshd_config... My sshd_config is the following:

    # Ciphers and keying
    #RekeyLimit default none

It looks like the flow is not encrypted now... right? – Ciccio – 2014-11-06T14:55:43.443

The RekeyLimit defines how often the client and server should renegotiate the keys. Even if you have this feature turned off (which reduces security), the initial keys are still exchanged. Hence this setting does not turn off encryption. – Martin Prikryl – 2014-11-06T14:58:03.873

But in the link @johnshen64 gave me, I read the following:

Ciphers Specifies the ciphers allowed for protocol version 2. Multiple ciphers must be comma-separated. The supported ciphers are (a list of ciphers)... The default is: aes128-ctr, (another list)...

My default is different... I do not have any... – Ciccio – 2014-11-06T15:06:02.510

The # Ciphers and keying line is a comment/label (note the leading #). It does not set anything. If you do not have the Ciphers option in the sshd_config, the default set of ciphers is used. – Martin Prikryl – 2014-11-06T15:09:07.520

Ah ok, really, thank you... How can I see it from the terminal? – Ciccio – 2014-11-06T15:12:15.003

If you have additional questions, please ask new question (after doing research). This is not a discussion forum. – Martin Prikryl – 2014-11-06T15:15:21.573
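The comment thread above turns on one fact about sshd_config: a line starting with # sets nothing, and when no active Ciphers line exists, OpenSSH uses its built-in default list. The script below, added here as an illustration and not part of the original thread, applies that rule to a config file and then checks the resulting cipher list for entries a hardened server should not offer. The two sample config files are constructed for the example (the first mimics the poster's file); the "weak" pattern is the set of ciphers OpenSSH dropped from its defaults in 6.7 (arcfour and the CBC modes) plus the none cipher.

```shell
#!/bin/sh
# Added example, not code from the original thread.  Audits the Ciphers setting of an
# sshd_config the way the comments above describe: a whole-line comment (leading '#')
# sets nothing, and when no active Ciphers line exists OpenSSH uses its built-in default.

# effective_ciphers FILE
#   Prints the argument of the first active Ciphers line (sshd honours the first
#   occurrence of a keyword), or "(default)" when only comments or nothing is present.
effective_ciphers() {
    awk '
        /^[[:space:]]*#/ { next }                          # comment line: sets nothing
        { sub(/=/, " ") }                                  # accept the "Ciphers=..." spelling
        tolower($1) == "ciphers" && val == "" { val = $2 } # keywords are case-insensitive
        END { print (val == "" ? "(default)" : val) }
    ' "$1"
}

# weak_ciphers LIST
#   Prints the members of a comma-separated cipher list that a hardened server should
#   not offer: "none" (no encryption at all), arcfour, and the CBC modes that OpenSSH
#   removed from its defaults in 6.7.  Exit status 0 when at least one was found.
weak_ciphers() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E '^(none|arcfour.*|.*-cbc)$'
}

# audit_sshd_config FILE
#   Exit status 0 when the configured (or default) cipher list contains nothing weak.
#   The built-in default passes because stock OpenSSH ships no weak cipher in it.
audit_sshd_config() {
    ciphers=$(effective_ciphers "$1")
    echo "Ciphers: $ciphers"
    [ "$ciphers" = "(default)" ] && return 0
    if weak=$(weak_ciphers "$ciphers"); then
        echo "WEAK:    $(echo "$weak" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# Constructed sample configs (the first mimics the poster's file; neither was taken
# from a real host).
POSTER_CFG=$(mktemp); cat >"$POSTER_CFG" <<'EOF'
# Ciphers and keying
#RekeyLimit default none
Subsystem sftp /usr/sbin/sftp-server
EOF
WEAK_CFG=$(mktemp); cat >"$WEAK_CFG" <<'EOF'
Ciphers aes128-ctr,arcfour,3des-cbc
Ciphers aes256-ctr
EOF

for cfg in "$POSTER_CFG" "$WEAK_CFG"; do
    if audit_sshd_config "$cfg"; then echo "-> ok"; else echo "-> needs hardening"; fi
done
```

On a live system you do not have to parse the file yourself: on reasonably recent OpenSSH, sshd -T prints the effective configuration (including the ciphers line after defaults are applied) and ssh -Q cipher lists every cipher the binary supports. The script is useful when you want to review a config file that is not running on the machine where you are sitting.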

4

The SFTP protocol on its own does not do any encryption. Though in 99.9% of installations, such as with OpenSSH, it runs on top of SSH, which encrypts the data. Note that Cygwin uses OpenSSH as the SSH/SFTP implementation.

See the SFTP article on Wikipedia.

Even SSH can actually work without encryption (the none cipher). But an out-of-the-box installation of OpenSSH (or any other SSH implementation I know of) does not allow unencrypted sessions.

SSH, contrary to TLS/SSL (used for HTTPS or FTPS), does not use certificates. SSH uses a simple host key pair, which is typically generated automatically when installing the SSH server. That's the case for OpenSSH too. This simple key is not, unlike a certificate, issued by a certificate authority, so it can be generated automatically. That's why you may not even have noticed that you already have the key.

See SSH Server Key ≠ FTPS (SSL/TLS) Server Certificate.

Martin Prikryl

Posted 2014-11-06T14:14:22.920

Reputation: 13 764

This is an excellent answer, since it explains in more detail how SFTP itself works and how it's implemented. – Ramhound – 2014-11-06T14:50:21.433

@Martin Prikryl thank you for your answer... I have another doubt... You talked about sshd_config... My sshd_config is the following: # Ciphers and keying #RekeyLimit default none. It looks like the flow is not encrypted now... right? – Ciccio – 2014-11-06T14:56:26.290
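The answer above makes two points a client-side check can confirm directly: the SSH layer negotiates a cipher for each direction, and trust in the server rests on its host key rather than on a certificate. OpenSSH prints both in its debug output (ssh -v user@host or sftp -v user@host; the relevant lines are at debug1 level). The functions below, added here as an example and not code from the thread or from OpenSSH, pull the negotiated ciphers and the host key fingerprint out of a saved transcript, flag a session that negotiated the none cipher, and compare the fingerprint with one obtained out of band, which is the SSH equivalent of validating a certificate. The transcript is constructed for the example, not captured from a real host, and the parsing assumes the debug line format of OpenSSH 7.x and later; older releases print the key-exchange summary differently.

```shell
#!/bin/sh
# Added example, not code from the original thread or from OpenSSH.  Reads a saved
# `ssh -v` / `sftp -v` transcript and reports what the session actually negotiated.
# Assumes the debug1 line format of OpenSSH 7.x and later.

# Constructed transcript (not from a real host): a server that negotiated
# chacha20-poly1305 in both directions and presented an ed25519 host key.
SAMPLE_LOG=$(mktemp); cat >"$SAMPLE_LOG" <<'EOF'
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: Server host key: ssh-ed25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EOF

# negotiated_ciphers LOG
#   One "direction cipher" pair per line, e.g. "server->client chacha20-poly1305@openssh.com".
negotiated_ciphers() {
    awk '/kex: (server->client|client->server) cipher:/ { print $3, $5 }' "$1"
}

# session_encrypted LOG
#   Exit status 0 unless either direction negotiated the "none" cipher (which stock
#   OpenSSH does not offer, so seeing it means a patched build or a foreign server).
session_encrypted() {
    ! negotiated_ciphers "$1" | awk '{ print $2 }' | grep -qx none
}

# host_key_fingerprint LOG
#   "keytype SHA256:..." exactly as the client printed it.
host_key_fingerprint() {
    awk '/Server host key:/ { print $(NF-1), $NF }' "$1"
}

# verify_host_key LOG EXPECTED
#   Exit status 0 when the presented fingerprint equals the one you were given out
#   of band.  There is no CA in plain SSH, so this comparison (or the known_hosts
#   entry that caches it) is the whole trust decision.
verify_host_key() {
    [ "$(host_key_fingerprint "$1")" = "$2" ]
}

negotiated_ciphers "$SAMPLE_LOG"
if session_encrypted "$SAMPLE_LOG"; then echo "session is encrypted"; else echo "UNENCRYPTED session"; fi
EXPECTED="ssh-ed25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   # placeholder fingerprint
if verify_host_key "$SAMPLE_LOG" "$EXPECTED"; then echo "host key matches"; else echo "HOST KEY MISMATCH"; fi
```

To use it against a real server, run ssh -v user@host 2>session.log (the debug output goes to stderr) and pass session.log to the functions; the fingerprint to compare against is the one shown by ssh-keygen -lf on the server's own host key file under /etc/ssh (for a Cygwin install, the /etc directory of the Cygwin tree).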