Are SFTP login parameters encrypted before being sent

0 votes
asked Aug 25, 2016 by Prabhakar (610 points)

For the below API,will the username and password get encrypted with privatekey while being sent from client. The server uses the public key to decrypt the message and retrieves username, password. Is this understanding correct ?

Public Sub Login ( _userName As String, _password As String, _privateKey As SshPrivateKey )

Applies to: Rebex SFTP

1 Answer

0 votes
answered Aug 25, 2016 by Lukas Pokorny (123,810 points)

No, this is not what this method does. It performs two kinds of authentication for the specified user - password authentication (just like Login(userName, password)) and publickey authentication (just like Login(userName, privateKey)). This is needed for user accounts configured to require the client to perform both of these authentication. This kind of configuration is not very common. Usually, you either need to call Login(userName, password) and Login(userName, privateKey).

Username and password are not encrypted with the private key. However, SFTP runs over SSH, which means they are transmitted over a secure and encrypted SSH channel that has been established during the Connect method. To determine how exactly the SSH session has been secured, see Sftp.Session.Cipher object. For additional information about the kind of security offered by SSH, see 'Introduction' in RFC 4521. Also, don't forget to validate the server's public key fingerprint before authenticating to make sure you are connecting to the desired server. See Server verification for details.

commented Sep 13, 2016 by Prabhakar (610 points)
Regarding Login(userName, privateKey), please help me know what kind of mechanism the server uses to validate the privateKey against the publicKey that it holds? If PrivateKey can be seen by SFTP server (after decryption) will it not be considered privatekey leak?
commented Sep 13, 2016 by Tomas Knopp (58,890 points)
No, because the private key stays in the possession of the SFTP client user. How it works in very simplified words: the Rebex.Net.Sftp client method Login(username, privatekey) method takes the private key as the input but it does not send the private key to the server. It just signs the authentication request with the private key and sends the signed request to the SFTP server. The SFTP server is then able to decrypt the request with the public key of the user. If the compuations match, the user is authenticated succesfully.  For more information on private/public key authentication see e.g. https://winscp.net/eng/docs/public_key
commented Sep 13, 2016 by Prabhakar (610 points)
OK. So the private key is used to encrypt the request (with username and / or password) on the already established encrypted secured channel. Thanks for the details.
commented Sep 13, 2016 by Tomas Knopp (58,890 points)
edited Sep 13, 2016 by Lukas Pokorny
No sorry, it does not work like this! Public key authentication is based on asymmetric algorithms such as RSA or DSS and, the private key is not used for encrypting anything. It is used to compute a signature of a specifically constructed message. To validate the signature, a public key is sufficient. The signature serves as a proof of owning the private key. The private key itself is kept secret by the user.
commented Sep 13, 2016 by Lukas Pokorny (123,810 points)
The exact mechanism used by SSH public key authentication is described by RFC 4252. Please see https://tools.ietf.org/html/rfc4252#section-7 for details.
...