EldoS | Feel safer!

FTPS authentification

#37183
Posted: 07/07/2016 09:13:17
by Andre Paradis (Standard support level)
Joined: 02/14/2013
Posts: 31

Hi,

I'm trying to figure out how to change my current FTPS connection from username/password authentication to key authentication.

I have a private key file that starts with -----BEGIN RSA PRIVATE KEY----- and also a public one that I generated on the server.

What component do I need to use? I tried fileCertStorage and adjusted the FTPS client properties, but no luck.

Thanks
#37184
Posted: 07/07/2016 09:19:54
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

First of all, could you clarify whether you are using the FTPS or the SFTP component, as public key authentication is usually used with SFTP.

If you want to use client-side certificate authentication with the FTPS client, then you need to have both the public and private parts of the certificate, load them into a TElX509Certificate object, put it into a TElMemoryCertStorage instance and assign this instance to the TElSimpleFTPSClient.ClientCertStorage property.
#37185
Posted: 07/07/2016 09:27:15
by Andre Paradis (Standard support level)
Joined: 02/14/2013
Posts: 31

I'm using the FTPS component.

I will try this now.
#37187
Posted: 07/07/2016 09:42:43
by Andre Paradis (Standard support level)
Joined: 02/14/2013
Posts: 31

I get an Invalid Size exception on this line.

ElX509Certificate1.LoadFromFileAuto('c:\file','psw');
#37188
Posted: 07/07/2016 09:47:30
by Eugene Mayevski (EldoS Corp.)

Let's re-check first: do you have an X.509 certificate in that file? You can't load a certificate if it's not a certificate (but, say, a private key file).


Sincerely yours
Eugene Mayevski
#37189
Posted: 07/07/2016 09:50:56
by Andre Paradis (Standard support level)
Joined: 02/14/2013
Posts: 31

I have 2 key files, 1 public and 1 private, that were generated by the server, and I am using FTPS.

I want to replace the username/password authentication with the keys from the server.

Thanks
#37190
Posted: 07/07/2016 09:59:38
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
I have 2 key files, 1 public and 1 private, that were generated by the server, and I am using FTPS.

You need to have an X.509 certificate with a private key in order to connect to the server. Could you post the content of the public key file here so that we can check it?
#37191
Posted: 07/07/2016 10:06:14
by Andre Paradis (Standard support level)
Joined: 02/14/2013
Posts: 31

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzWusENcXvA70Y+haUfVX8lBI0m62RF7qUTUibdYc1jZEZb4oB+iKRkZlrWCP41q8beQzBz0RdOxVcT0od/Of0XgZapBfcnly3iKlLVzFRBxh9/zi78sBCgtZys/2pZmvt7+WfPH+YLPN3YJ2cmcdtvXMUSfYEAjQ2l1VBv6zEoe+cNsafiEvKOFxBpgHMEUhieVAHOOicpCy+I98XVP2dqtsF6OCl4vHHAHu+yBb1xyVtcGkX+viTrXuoUues9bwy9jZ24JKWXb5OmNj6wL9LdIOfQ0Y0hNckL9LtswE+Ayw/waM6+FE0vUJSSVssfhlkltz8iJrp5rmBXEzoAcir MART@CC
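Before loading a file into TElX509Certificate it pays to check what the file actually contains, since the Invalid Size error above comes from feeding it something that is not a certificate. The following is an added example in Python (not EldoS code and not from this thread): it classifies key material by its PEM label or OpenSSH prefix and, for an ssh-rsa line, decodes the SSH wire format to show that the key posted above is a 2048-bit OpenSSH public key, not a certificate. The function names are mine; POSTED_KEY is the key exactly as pasted in the thread.

```python
import base64
import re

# The public key posted in the thread above: an OpenSSH public key, not an X.509 certificate.
POSTED_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCzWusENcXvA70Y+haUfVX8lBI0m62RF7qUTUibdYc1jZEZb4oB+iKRkZlrWC"
    "P41q8beQzBz0RdOxVcT0od/Of0XgZapBfcnly3iKlLVzFRBxh9/zi78sBCgtZys/2pZmvt7+WfPH+YLPN3YJ2cmcdt"
    "vXMUSfYEAjQ2l1VBv6zEoe+cNsafiEvKOFxBpgHMEUhieVAHOOicpCy+I98XVP2dqtsF6OCl4vHHAHu+yBb1xyVtcG"
    "kX+viTrXuoUues9bwy9jZ24JKWXb5OmNj6wL9LdIOfQ0Y0hNckL9LtswE+Ayw/waM6+FE0vUJSSVssfhlkltz8iJrp"
    "5rmBXEzoAcir MART@CC"
)

def _read_string(blob, pos):
    """One SSH wire-format string: 4-byte big-endian length, then that many bytes."""
    n = int.from_bytes(blob[pos:pos + 4], "big")
    if pos + 4 > len(blob) or pos + 4 + n > len(blob):
        raise ValueError("truncated SSH string")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n

def parse_openssh_rsa(line):
    """Return (algorithm, modulus_bits, public_exponent) for an 'ssh-rsa <base64> [comment]' line."""
    parts = line.split(None, 2)
    blob = base64.b64decode(parts[1], validate=True)
    alg, pos = _read_string(blob, 0)          # algorithm name, "ssh-rsa"
    e_bytes, pos = _read_string(blob, pos)    # public exponent as an mpint
    n_bytes, pos = _read_string(blob, pos)    # modulus as an mpint (may carry a leading 0x00)
    if pos != len(blob) or alg != parts[0].encode():
        raise ValueError("malformed ssh-rsa blob")
    modulus = int.from_bytes(n_bytes, "big")
    return alg.decode(), modulus.bit_length(), int.from_bytes(e_bytes, "big")

def classify_key_material(text):
    """Say what a key/certificate file contains, so it is loaded with the right component."""
    head = text.strip()
    m = re.match(r"-----BEGIN ([A-Z0-9 ]+)-----", head)
    if m:
        label = m.group(1)
        if label == "CERTIFICATE":
            return "x509-certificate"        # what a certificate object expects (plus its key)
        if label.endswith("PRIVATE KEY"):
            return "pem-private-key"         # a bare key, not a certificate
        if label == "CERTIFICATE REQUEST":
            return "pkcs10-csr"              # a signing request, still not a certificate
        return "pem:" + label
    if head.startswith(("ssh-rsa ", "ssh-ed25519 ", "ecdsa-sha2-")):
        return "openssh-public-key"          # SSH/SFTP material, unusable for TLS client auth
    return "unknown"
```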
#37192
Posted: 07/07/2016 10:09:32
by Eugene Mayevski (EldoS Corp.)

Quote
Andre Paradis wrote:
I have 2 key files, 1 public and 1 private, that were generated by the server, and I am using FTPS.

I want to replace the username/password authentication with the keys from the server.


There are two straightforward (and cumbersome) ways to deal with this:

1) Generate full-fledged certificates on the server, and use them for authentication.

2) You can create a self-signed certificate on the client, based on the key pair provided by the server, but this is cumbersome and you would be reinventing the established security solutions.

The correct approach is more complicated, but more secure in the first place:

a) Make the clients generate certificate requests and send them to the server for signing. This allows the client to keep the private key really private.
b) The server would sign the request using its certificate and create a new certificate for the client.
c) The certificate is sent back to the client. On the client side, the certificate received from the server can be merged with the locally stored private key to get a client-side certificate suitable for authentication.
d) On the server, you'd implement certificate validation of the certificates provided by the clients.

In general, building an in-house PKI is not a trivial task, and it definitely exceeds the capabilities of this forum system. You might want to take a book or two on PKI to understand it in depth. We have the links to the books here: https://www.eldos.com/forum/read.php?FID=7&TID=1842


Sincerely yours
Eugene Mayevski