
PGP vs. SSL for files sent to FTP site.

EXPERT RESPONSE FROM: Jonathan Callas

QUESTION POSED ON: 25 February 2002
We have a requirement to receive files (25-40 MB apiece) from a variety of hosts. Currently, time is of the essence. What -- if any -- risk do we take by having the hosts send PGP-encrypted files to an existing FTP site versus building an ad hoc FTP server on an Aptiva (200 MHz) running Red Hat Linux 7.0 and using SSL?


None. This is a fine way to do it. I know of an Internet-based financial transaction system that uses precisely this mechanism. When you make a stock trade (for example), the client software makes a PGP message and FTPs it to a directory, where the processing servers decrypt it.

Using PGP has the additional advantage that it uses ZIP (actually called Deflate) compression on your file, which is apt to make it smaller. If you are already compressing the file, you can remove this step from your process.

There are some gotchas you should be aware of:

  • If you make PGP generate binary (.pgp) output, make sure you FTP it in binary mode. A common mistake is to transfer it in text mode, which may corrupt the file.
  • If you want to be perfectly safe, you can have PGP generate ASCII-armored output (.asc) and send this. However, the ASCII armoring adds 33% to the size of the file. This is often more than made up for by compression. If you are doing this regularly, it's best to iron out the kinks so that you send properly in binary mode.
  • It's still a good idea to put your PGP files into some inobvious place. If you FTP them to a public directory where an anonymous user could delete them, then you run that risk. When I've done this myself, I create a directory to copy them into that isn't available to anonymous users.

Using PGP as opposed to SSL is different in that you are encrypting the data object, rather than the pipe. Once your file gets to its destination, it's still protected. This is arguably safer, but also arguably less convenient. Some people might argue that it's better to use PGP, but it is certainly not *less* secure than SSL.

I'll also add as one final note that a related, but slightly different strategy would be to PGP-encrypt the files and e-mail them. But you might want to shoot that down because of the size of them. E-mailing 25-40MB files can cause other problems. Because of their size, I think FTP is a fine way to go and better than mailing them.
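The binary-mode and ASCII-armor points in the answer above, as an added example that is not part of the original response. It uses a simplified model of FTP text-mode (TYPE A) end-of-line translation and a simplified armor (base64 lines between header lines, without the CRC-24 line real OpenPGP armor carries); the sample bytes and all function names are constructed for illustration.

```python
import base64
import hashlib

# Constructed stand-in for binary (.pgp) output: it contains a CR LF pair
# and bare LF bytes, as any encrypted or compressed stream eventually will.
SAMPLE = b"\x85\x0d\x0a\x01\x0a" + bytes(range(256)) * 16

def ascii_mode_transfer(data, sender_eol, receiver_eol):
    """Simplified model of an FTP text-mode (TYPE A) transfer."""
    wire = data.replace(sender_eol, b"\r\n")     # sender: local EOL -> CRLF
    return wire.replace(b"\r\n", receiver_eol)   # receiver: CRLF -> local EOL

def binary_mode_transfer(data):
    """TYPE I (binary/image) transfer: bytes pass through untouched."""
    return data

def armor(data):
    """Simplified ASCII armor: base64 in 76-character lines plus header lines."""
    return (b"-----BEGIN PGP MESSAGE-----\n\n"
            + base64.encodebytes(data)
            + b"-----END PGP MESSAGE-----\n")

def dearmor(text):
    """Drop header lines and decode; line-ending changes do not matter."""
    body = b"".join(l for l in text.splitlines() if not l.startswith(b"-----"))
    return base64.b64decode(body)

def same_digest(a, b):
    """Compare SHA-256 digests taken before upload and after download."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

def armor_overhead(data):
    """Size of the armored form relative to the binary form."""
    return len(armor(data)) / len(data)

if __name__ == "__main__":
    unix, windows = b"\n", b"\r\n"
    print("binary file, binary mode intact:",
          same_digest(SAMPLE, binary_mode_transfer(SAMPLE)))
    print("binary file, text mode Unix->Windows intact:",
          same_digest(SAMPLE, ascii_mode_transfer(SAMPLE, unix, windows)))
    print("binary file, text mode Windows->Unix intact:",
          same_digest(SAMPLE, ascii_mode_transfer(SAMPLE, windows, unix)))
    received = ascii_mode_transfer(armor(SAMPLE), unix, windows)
    print("armored file, text mode intact:", same_digest(SAMPLE, dearmor(received)))
    print("armor size ratio: %.3f" % armor_overhead(SAMPLE))
```

The size ratio comes out slightly above the 4/3 of the base64 encoding itself because the line breaks and header lines are counted too.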
