Ever had to provide a copy of a confidential file to another organization? Have you ever used some encryption program like PGP (Pretty Good Privacy) and then emailed the file? What if the file was larger than is allowed for email and what if the only option you have is FTP? What to do you do then?
PGP stands for Pretty Good Privacy. It gives its users the ability to ensure privacy or confidentiality through encryption and authenticity and credibility through digital signatures. It was created by Phil Zimmerman back in the early 1990s.
Users of PGP create two keys--private and public. The public key is distributed freely through key distribution services on the Internet, or can simply be sent (via email or various other electronic means) to the person or persons who you intend to send information to you. The private key is just that, private to the user that owns it.
In order to have privacy or confidentiality so that information transmitted is only seen by the intended recipient, the sender can use PGP to encrypt their information using the receiver's public key. Only the person who has the corresponding private key will be able to decrypt the information.
In order to let the receiver know that the information really came from a person who they claim to be, the sender can use PGP to digitally sign the information with their private key. The receiver will need to have the sender’s public key ahead of time. When the information is received, PGP can determine using the sender's public key if in fact the information came from the expected sender. Both encryption and digital signature capability give PGP the privacy and authenticity capability.
FTP (http://en.wikipedia.org/wiki/FTP) or file transfer protocol is a standard network protocol used to copy a file from a serving host (server) to a receiving host (client).
Although it is known for its utility, it isn’t known for providing a secure facility for serving files. Why? Because it wasn't designed to be secure. If you were to put a network packet sniffer in the path between the FTP server and the FTP client, you will see that the authentication exchange is in the clear, i.e. you can read the account name and password used to access the FTP service.
Thus, if you were to simply place a large confidential document at the FTP site, someone with the strong intent to steal that information can easily do so. It doesn't matter if they don't know the login credentials; they can simply capture it on the wire (or wireless network).
PGP and FTP Combined
In order to give someone access to large confidential files that exceed email size restrictions, one can serve them using an FTP site. This may not sound right after reading the section above on FTP, but if FTP is the only option you have, it will serve its purpose if you combine it with PGP to encrypt and digitally sign the file.
Specifically, this is how you would combine PGP and FTP to provide a relatively secure and credible means of giving others access rights to one or more confidential files:
- Make sure your FTP server allows for anonymous login with READ ONLY access
- Use PGP to encrypt and sign the files you wish to share, and make sure the people receiving the data have your public key
- Upload the encrypted and signed files to the FTP server
- Let your contact know that the files are ready
This approach gets over the limitations inherent within FTP, providing privacy and authenticity on an FTP site that can't be achieved with FTP alone.