Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Best way to DIRECTLY send files over encrypted connection?
Best way to DIRECTLY send files over encrypted connection? - Page 3

post #21 of 55
Ideally, IPsec VPN w/ AES between endpoints with SFTP on top after you have already encrypted the file with some other mechanism known to be strong (another layer of AES, anyone?).

You would arguably be safe with any of those in singularity by using a strong/long key or certificate.
post #22 of 55
Private tracker and breaking the file into bits using 256-bit hashes, and let them torrent over VPN.
post #23 of 55
Thread Starter 
Quote:
Originally Posted by beers View Post

Ideally, IPsec VPN w/ AES between endpoints with SFTP on top after you have already encrypted the file with some other mechanism known to be strong (another layer of AES, anyone?).
You would arguably be safe with any of those in singularity by using a strong/long key or certificate.

This seems to be the best option for what I am looking to do. I think that SFTP is preferable over using a tracker. A tracker removes the need to enter the server's IP, username, and password, which is nice, but it is also a one-way deal. SFTP is a more complete system for sending things back and forth all the time. Also, getting a tracker to someone securely for each file is a recurring problem, whereas with SFTP I can tell them codes over the phone one time and be done.

I have set up an SFTP server and client. I have set user names and passwords and directories. My IP is dynamic so the settings will need to change sometimes.

A few more questions:

SFTP:

1. Is there any way to track what my IP changes to dynamically from a location other than home?

2. I have around ~1MBps upload speed at home, why do my files only upload at 1/10th MBps? How can I speed this up?

3. I have the option to set passwords for my SFTP server AND/OR use some kind of public/private key file? Should I be using a keyfile? How does this even work?

4. To even set up my SFTP server I had to place my computer into a DMZ. Apparently my computer's internal network IP is now the same as my external worldwide IP. I'm not sure what this does etc etc. Should I be using port forwarding instead? Is using a DMZ a security risk?

VPN:

5. VPNs. Can anyone provide me with any information as to how to properly set one of these up?
Edited by FEAST - 4/14/12 at 4:04pm
post #24 of 55
Get around the dynamic-ness by using a DynDNS.

The upload speed sounds about right, I'm afraid; the only way is by contacting your ISP.

The keyfiles are meant to be more secure. They work by the server having the private key, with which it generates a key to put on the client; this means you need the cert to get in. The cert is password protected, and you MUST make sure no one gets the server's key. Password will be fine, just lock down the remote end with a firewall/local range.

The way your router has done a DMZ is just port forward ALL ports to this one server. Make sure you get a firewall on that baby to stop random scanners.

And ping:
http://www.informit.com/articles/article.aspx?p=605499
post #25 of 55
Thread Starter 
Quote:
Originally Posted by Ulquiorra View Post

Get around the dynamic-ness by using a DynDNS.
The upload speed sounds about right, I'm afraid; the only way is by contacting your ISP.
The keyfiles are meant to be more secure. They work by the server having the private key, with which it generates a key to put on the client; this means you need the cert to get in. The cert is password protected, and you MUST make sure no one gets the server's key. Password will be fine, just lock down the remote end with a firewall/local range.
The way your router has done a DMZ is just port forward ALL ports to this one server. Make sure you get a firewall on that baby to stop random scanners.
And ping:
http://www.informit.com/articles/article.aspx?p=605499

So, my ISP is throttling my bandwidth? Would encrypting via VPN and using random ports make it so that they could not throttle me? When I do a speedtest I get ~1MBps upload....so maybe if I used the speedtest ports?

So I SHOULD be using keyfiles yes?

I should note that I don't really have the ability to change my clients' firewall settings etc, but at my server I can do literally anything I want. I have a hardware firewall, and ZoneAlarm as a software firewall; I just don't know what settings to use exactly, how to stop scanners etc.

If I use keyfiles, a password will still be required yes? Just an extra layer of security? I think my SFTP server might automatically use keys? (when I logon from my client it asks me to allow/deny a key of some sort) - then there are options for "public keys".

Lol I am so confused.

Also, if all my ports are being forwarded to my main computer...how can other devices operate on the network?

Server host key creation? (not currently being used)

Server account authentication something? (not currently being used)

Client side key selection (Open Connection in main window >> Use Public Key Authentication checkbox >> browse to find and select key)
Edited by FEAST - 4/14/12 at 5:22pm
post #26 of 55
That's okay, it's very confusing ^_^

A lot of ISPs have a very low upload rate, an asymmetric connection with it all coming toward you and none going out; it makes it cheaper for them. I think on my 30 meg package I get 512 upload.. ¬_¬

So I SHOULD be using keyfiles yes?
It's good practice to; however, if you don't have access to the clients' machines then it can prove impractical in the long run. Most of the time people want a plug-n-play environment, which can be done with just strong passwords (A-Z, 0-9, !"£$%&*()).

I should note that I don't really have the ability to change my clients' firewall settings etc, but at my server I can do literally anything I want. I have a hardware firewall, and ZoneAlarm as a software firewall; I just don't know what settings to use exactly, how to stop scanners etc.
~~~~~
Well, on the hardware firewall you will want to block everything in by default; you only then open in what you need to, so port 22 in from your clients' IP for SFTP, and anything else you need in, such as HTTP (80) or HTTPS (443). There are a lot of scanners out there, and to be honest most come from Chinese/Russian addresses (it's true >_<)

If I use keyfiles, a password will still be required yes? Just an extra layer of security? I think my SFTP server might automatically use keys? (when I logon from my client it asks me to allow/deny a key of some sort) - then there are options for "public keys".
~~~~~~~
The keys that it's telling you about are probably a long number like 10:e3:3f:et:e or just 10e33fett (but much longer); these are the fingerprints of your SSH server. When you connect for the first time the server sends its key to you so you can save it (it's in ~/.ssh/known_hosts in Linux). This is a method to make sure you are connecting to the right server: if someone redirects traffic to another server then the host key won't match when you connect and it will either force you to stop or warn you.

The public keys are the way of logging in without passwords (apart from the password to get to the public key). You need to generate the private/public key on the server.

Also, if all my ports are being forwarded to my main computer...how can other devices operate on the network?
~~~~~~~
It's only for incoming connections; conntrack takes care of that and makes sure things from you go to you. The way I mentioned is only one way of doing it; you could have also set it up by giving it a separate net mask to the rest of your network and then use the firewall to forward traffic around. All a DMZ is is a computer that is "potentially unclean" which you want separating from the main network in case it gets breached; anything internet-facing should go in a DMZ.

Hope I can help a bit (PS sorry for the terrible spelling + grammar, it's late TT_TT)
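The host-key check described in the post above (the saved key in known_hosts, its fingerprint, and refusing a key that no longer matches), as an added Python example; this is not code from the thread or from OpenSSH, and the host names and key blobs are constructed for the demonstration.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class HostKeyEntry:
    hosts: List[str]   # host names/addresses from column 1 (comma-separated in the file)
    key_type: str      # e.g. ssh-ed25519 or ssh-rsa
    key_b64: str       # the base64 public key blob


def parse_known_hosts(text: str) -> List[HostKeyEntry]:
    """Parse the plain (unhashed) known_hosts format: 'host[,host2] key-type base64 [comment]'.
    Hashed '|1|...' host names and @cert-authority markers are not handled in this example."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: skip it rather than trust it
        entries.append(HostKeyEntry(fields[0].split(","), fields[1], fields[2]))
    return entries


def fingerprint_md5(key_b64: str) -> str:
    """Legacy colon-separated MD5 fingerprint, the '10:e3:3f:...' form mentioned in the post."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_sha256(key_b64: str) -> str:
    """Current OpenSSH form: 'SHA256:' plus the unpadded base64 of the SHA-256 digest."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key(known_hosts: str, hostname: str, key_type: str, presented_b64: str) -> str:
    """Trust-on-first-use decision for the key a server presents.
    'match'    -> the saved key for this host and key type is identical: proceed.
    'mismatch' -> a key of this type is saved for the host but differs: refuse; this is the
                  'traffic redirected to another server' case the post describes.
    'unknown'  -> nothing saved for this host and type: show the fingerprint and have the
                  user confirm it out of band before saving it."""
    saw_same_type = False
    for entry in parse_known_hosts(known_hosts):
        if hostname not in entry.hosts or entry.key_type != key_type:
            continue
        saw_same_type = True
        if entry.key_b64 == presented_b64:
            return "match"
    return "mismatch" if saw_same_type else "unknown"


# Constructed sample data: not real keys, just bytes base64-encoded the way a key blob is.
GOOD_KEY = base64.b64encode(b"constructed ed25519 host key blob for sftp.example.test").decode()
IMPOSTOR_KEY = base64.b64encode(b"constructed key blob that a different server would present").decode()
RSA_KEY = base64.b64encode(b"constructed rsa host key blob for backup.example.test").decode()
KNOWN_HOSTS = f"""\
# constructed ~/.ssh/known_hosts: one line per host key; a host may appear with several key types
sftp.example.test ssh-ed25519 {GOOD_KEY}
192.0.2.10,backup.example.test ssh-rsa {RSA_KEY}
"""

if __name__ == "__main__":
    print("fingerprint (MD5)   :", fingerprint_md5(GOOD_KEY))
    print("fingerprint (SHA256):", fingerprint_sha256(GOOD_KEY))
    for host, ktype, key in [("sftp.example.test", "ssh-ed25519", GOOD_KEY),
                             ("sftp.example.test", "ssh-ed25519", IMPOSTOR_KEY),
                             ("new.example.test", "ssh-ed25519", GOOD_KEY)]:
        print(f"{host:20} {ktype:12} -> {check_host_key(KNOWN_HOSTS, host, ktype, key)}")
```

The "mismatch" branch is the one that matters for the redirect scenario: a client that only warns and continues at that point gives up the protection the saved key was meant to provide.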
post #27 of 55
Quote:
Originally Posted by kyismaster View Post

Not even, I always Encrypt my files with 8192 AES :T ,
If that isn't enough the pass key is 256 bit.... Yes I memorized a 256 bit key by heart. lols. so no copies.
CentOS allows for easy 8192-bit encryption; obviously it's gonna take a loooong time to generate/decrypt the key, but it's worth it.

Don't know what you're talking about. AES's max key size is 256 bits. You seem to be confusing asymmetric and symmetric encryption. AES is a symmetric cipher. Asymmetric ciphers generally have larger keylengths. Still, though, 8192 is too large and really pointless even for something like RSA.
Quote:
Originally Posted by beers View Post

Ideally, IPsec VPN w/ AES between endpoints with SFTP on top after you have already encrypted the file with some other mechanism known to be strong (another layer of AES, anyone?).
You would arguably be safe with any of those in singularity by using a strong/long key or certificate.

That's silly. Multiple encryption offers no extra protection. No adversary is going to be able to decrypt an AES-128 file as long as the password is of equivalent strength (128 bits of entropy). If you're using SSH or something of the sort there is no need to really encrypt the file before transfer anyway.

OP: Just encrypt the file with PGP/GnuPG and then email it to your contact. Pretty simple really. Or if you need a continuous connection, just use SSH.

EDIT:

Wow, as I continue to read this thread I see just how clueless the public is about encryption. First of all Bitlocker has not been "broken." It suffers from the same flaw EVERY disk encryption program does: it is susceptible to cold boot attacks. These attacks only matter if an adversary has physical access to your machine and is able to read the key from memory. There is no way to protect from this other than physically securing your machine. Truecrypt suffers from this same problem. The only time encrypted data is safe on your machine is when the machine is powered off.

Second, all these people saying to encrypt a file 3 times with AES have no idea what they're talking about. One time is enough. Why? Because if someone can break AES, they can break it three times as easily as one. (No one can break AES itself). If you use AES you can be assured 100% no one is going to read that traffic as long as you do everything properly and use strong passphrases, etc. If the NSA is your adversary, then you cannot be 100% sure of anything, but it's doubtful even they can read AES traffic.
Edited by thiussat - 4/18/12 at 6:31am
post #28 of 55
Thread Starter 
Network encryption:

Wouldn't the point of using 3 layers of encryption be to ensure that no one intercepts the keys? Because no one should be able to actually decrypt it; the main vulnerability would be someone getting a hold of your SFTP server keyfile, or getting a hold of your VPN key, or your local encryption key. All of these keys could potentially be intercepted, or engineered out of someone, yes?

I do need a continuous connection - and am currently using SSH/SFTP. It is very convenient, however it is only using 1/7th of my maximum upload speed (according to speedtest.net).

Drive encryption:

As for bitlocker. You are vulnerable if they have access to your mobo/stored key...is there any way to store your key on say a USB drive and require a 4-digit pin? So that you aren't really vulnerable? Also, preferably 2 usb drives - in case I lose one?

Software encryption:

I use software encryption on the files I use to store my passwords in. Usually an Excel spreadsheet. I use Excel's password feature. Is this secure? Is Truecrypt/PGP/GnuPG better/more convenient...?

The thing that really sucks about software encryption is the cleanup. Windows loves to cache and store recently opened data, indexing, etc etc. Also, disk cleanup programs have ERASED encrypted files of mine in the past....

Side note:

If encryption works so well, how come people put their drives on thermite? Lol...
post #29 of 55
Waste?
post #30 of 55
Quote:
Originally Posted by FEAST View Post

Network encryption:
Wouldn't the point of using 3 layers of encryption be to ensure that no one intercepts the keys?

No, because the key is kept on your end. In the case of ssh, you use a keypair. One of them is a public key meaning anyone can have it and it doesn't matter. The other half is the private key and is kept on your end. This is the key that should be well guarded by a strong password. You should really do some reading on public key crypto so you understand how it works. It's not hard to understand, but it's important that anyone who uses public-key crypto (RSA/DSA keys usually) understands what they're doing and why things are done the way they are. Knowledge is power in crypto.

One important thing to remember is never to try to come up with your own solutions. You are not an expert. Crypto is a VERY complicated field full of high level mathematics and lots of software intricacies. Leave it to the professionals to come up with the solutions. PGP/GnuPG, SSH, etc are professionally written and should be relied on as they are.
Quote:
the main vulnerability would be someone getting a hold of your SFTP server keyfile, or getting a hold of your VPN key, or your local encryption key. All of these keys could potentially be intercepted, or engineered out of someone, yes?

You should be using a password along with a keyfile really. That way even if someone has physical access to your machine they can't compromise your private keys (the private key itself is encrypted with a symmetric cipher. The key to that cipher is a password. If the private key is not encrypted, it is there for anyone to take). A lot of SSH users are lazy and do not encrypt their private key because they are too lazy to enter the password every time. This means anyone who can hack their machine can have the keys to the kingdom.
Quote:
I do need a continuous connection - and am currently using SSH/SFTP.

Use one or the other. No need to use both. I fail to see what that accomplishes. SSH really works just like e-mail encryption -- it uses a public/private keypair. The private key is what you should be protecting.
Quote:
As for bitlocker. You are vulnerable if they have access to your mobo/stored key...is there any way to store your key on say a USB drive and require a 4-digit pin? So that you aren't really vulnerable? Also, preferably 2 usb drives - in case I lose one?

Any disk encryption program can be compromised if an attacker has physical access to your machine. He can install a keylogger to catch keystrokes. Or he can perform the "evil maid attack" which means he compromises your bootloader and installs a fake bootloader which captures your pre-boot passphrase to unlock the drive. Or, let's say you leave your machine on and leave it. In that case he can perform a cold boot attack, which means he simply takes the key from your RAM. Bruce Schneier (one of the foremost crypto experts) gives a good overview of these attacks here, and discusses possible preventative measures. Basically the only way to prevent this is if your machine has a TPM chip. However, even those chips have been hacked already (though hacking them is much harder than the other attacks).

Bottom line: The only time drive encryption is safe is when the machine is powered off completely. And even then you must ensure no one has been physically tampering with your machine over a period of time while it was booted.
Quote:
Software encryption:
I use software encryption on the files I use to store my passwords in. Usually an Excel spreadsheet. I use Excel's password feature. Is this secure?

You're much better off using software designed for this purpose. Keepass is probably the best. It does basically what you're doing but automates it and makes things much easier to manage. it is also open-source and free to use for no charge.
Quote:
The thing that really sucks about software encryption is the cleanup. Windows loves to cache and store recently opened data, indexing, etc etc. Also, disk cleanup programs have ERASED encrypted files of mine in the past....

Yes, if you are only encrypting individual files/folders, then you always run the risk of the unencrypted versions of those files being stored somewhere in plaintext (say a swap file or temporary file, for instance). It is a problem. The best way to stop that is to encrypt the ENTIRE operating system. Bitlocker and Truecrypt can both do this. But even then you must ensure physical security of your machine as I explained above.
Quote:
Side note:
If encryption works so good how come people put their drives on thermite? Lol...

Because most people are ignorant of how things really work, so they just take the most paranoid measures. In reality there is no need to physically destroy a drive. One pass of random data scrubbing will make any data completely irretrievable. This is a fact no matter what the paranoid people tell you.
Edited by thiussat - 4/18/12 at 7:21pm