More .NET components

Security

Server verification #

Once connected to an SFTP server (and before authenticating), you should make sure you are indeed connected to the server you intended to connect to. Otherwise, you risk revealing sensitive data (such as your password) to a third-party.

This is done by checking the server's public key and its signature. The signature is validated by Rebex SFTP automatically, but it's up to you to check the server's public key (or fingerprint).

In an ideal world, you should only connect to servers whose public keys (or fingerprints) you already have received securely. However, most real-world applications simply display the public key to the user when connecting for the first time, and make sure the key has not changed on subsequent connections. This has proved to be a decent compromise between security and usability.

Verifying server fingerprint #

A fingerprint (hash value) of the server key used to secure the current connection is available in the Fingerprint property. To verify it, simply compare the value with the one you've obtained from the server's administrator:

CSharp

// a fingerprint obtained from your server's administrator
string fingerprint = "e2:29:05:cd:7a:59:ee:03:fa:03:f5:72:61:77:e3:1c";

// connect to an SFTP server
sftp.Connect(hostname);

// verify the server fingerprint
if (sftp.Fingerprint != fingerprint)
    throw new Exception("Invalid server key fingerprint.");

VisualBasic

' a fingerprint obtained from your server's administrator
Dim fingerprint = "e2:29:05:cd:7a:59:ee:03:fa:03:f5:72:61:77:e3:1c"

' connect to an SFTP server
sftp.Connect(hostname)

' verify the server fingerprint
If sftp.Fingerprint <> fingerprint Then
    Throw New Exception("Invalid server key fingerprint.")
End If

Please note that Sftp.Fingerprint property provides an MD5 hash of the server's public key. To get SHA-1 or SHA-2 fingerprints, use Sftp.Session.Fingerprint.ToString(SignatureHashAlgorithm) method instead.

Verifying server key #

Instead of verifying a fingerprint of server's public key, it's possible to verify the public key itself. It's available in Sftp.ServerKey property. Use GetPublicKey() to get the key as a byte array, or save it for further use using GetPublicKey method.

CSharp

// get the server key
var key = sftp.ServerKey;

// save it to a file
key.SavePublicKey(@"C:\MyData\my_key.pub");

VisualBasic

' get the server key
Dim key = sftp.ServerKey

' save it to a file
key.SavePublicKey("C:\MyData\my_key.pub")

Server key verification event #

Alternatively, you can check the server key or its fingerprint in a FingerprintCheck event handler which is raised by the Connect method. To accept a key, set event argument's Accept property to true.

CSharp

// handler for the FingerprintCheck event
void client_FingerprintCheck(object sender, SshFingerprintEventArgs e)
{
    // a fingerprint obtained from your server's provider
    string fingerprint = "e2:29:05:cd:7a:59:ee:03:fa:03:f5:72:61:77:e3:1c";

    // verify the server fingerprint
    if (e.Fingerprint.ToString() == fingerprint)
        e.Accept = true;
}

VisualBasic

' handler for the FingerprintCheck event
Sub client_FingerprintCheck(ByVal sender As Object, ByVal e As SshFingerprintEventArgs)
    ' a fingerprint obtained from your server's provider
    Dim fingerprint = "e2:29:05:cd:7a:59:ee:03:fa:03:f5:72:61:77:e3:1c"

    ' verify the server fingerprint
    If e.Fingerprint.ToString() = fingerprint Then
        e.Accept = True
    End If
End Sub

Registering the event handler:

CSharp

// register an event handler
sftp.FingerprintCheck += client_FingerprintCheck;

// connect to an SFTP server (raises FingerprintCheck event)
sftp.Connect(hostname);
// ... this line is reached only if the fingerprint was accepted
//     (otherwise the Connect method throws an SftpException)

VisualBasic

' register an event handler
AddHandler sftp.FingerprintCheck, AddressOf client_FingerprintCheck

' connect to an SFTP server (raises FingerprintCheck event)
sftp.Connect(hostname)
' ... this line is reached only if the fingerprint was accepted
'     (otherwise the Connect method throws an SftpException)

The FingerprintCheck event is raised during a key re-exchange process as well.

Security settings and algorithms #

Rebex SFTP's underlying SSH core supports a number of security algorithms:

  • Authentication Methods (Password, Public key, Keyboard-interactive, GSSAPI).
  • Encryption Algorithms (AES, Triple DES, Twofish, Blowfish, RC4).
  • Encryption Modes (CBC, CTR).
  • Host Key Algorithms (RSA, DSS, ECDSA with NIST P-256/384/521*, EdDSA with ED25519**).
  • Key Exchange Algorithms (Diffie-Hellman - Oakley group 2 or 14, group exchange with SHA-1 or SHA-256; Elliptic Curve Diffie-Hellman - over NIST P-256*, P-384*, P-521* or Curve25519** curves).
  • MAC Algorithms (SHA-2, SHA-1, MD5).

* Available on Windows (on Windows Vista and higher). External plugins are needed for other platforms.
** Plugin required on all platforms.

To explicitly enable or disable any of these algorithms, use Sftp.Settings.SshParameters object:

CSharp

// get SSH parameters object
SshParameters par = sftp.Settings.SshParameters;

// allow both DSS and RSA
par.HostKeyAlgorithms = SshHostKeyAlgorithm.DSS |
                        SshHostKeyAlgorithm.RSA;

// when the server supports both, prefer RSA
par.PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA;

// only allow AES and Twofish
par.EncryptionAlgorithms = SshEncryptionAlgorithm.AES |
                           SshEncryptionAlgorithm.Twofish;

// connect using the SSH parameters
sftp.Connect(hostname, Sftp.DefaultPort);

VisualBasic

' use SSH parameters object
With sftp.Settings.SshParameters

    ' allow both DSS and RSA
    .HostKeyAlgorithms = SshHostKeyAlgorithm.DSS Or
                         SshHostKeyAlgorithm.RSA

    ' when the server supports both, prefer RSA
    .PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA

    ' only allow AES and Twofish
    .EncryptionAlgorithms = SshEncryptionAlgorithm.AES Or
                            SshEncryptionAlgorithm.Twofish
End With

' connect using the SSH parameters
sftp.Connect(hostname, sftp.DefaultPort)