On 5/5/2011 9:37, Warp wrote:
> Invisible<voi### [at] devnull> wrote:
>> A company that requires you to send files to them electronically using
>> SFTP, requires that it uses public key authentication, and emails you
>> the private key that you're supposed to use, unencrypted.
>
> I thought the private key can only be used to decrypt, not to encrypt.

It depends on the algorithm. RSA can go either way. Otherwise, you wouldn't
be able to sign and encrypt with the same key.

In either case, sending the "private" key over cleartext and then using it
for authentication is just as broken as sending your password in cleartext.
More so, because you'd think someone smart enough to use encryption for
authentication would be smart enough to know that's not how you do it.

--
Darren New, San Diego CA, USA (PST)
"Coding without comments is like
driving without turn signals."
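
Added example, not part of the original post: a textbook-RSA sketch in Python showing the two points made in the reply, that one key pair serves for both encryption and signing, and that a server checking a signed challenge cannot tell the key's owner from anyone else holding a copy of the private exponent. The primes, the challenge string and all function names are constructed for illustration; there is no padding, so this is not a usable RSA implementation.

```python
import hashlib

# Constructed toy parameters: two well-known Mersenne primes. Textbook RSA
# with no padding, for illustration only; never use this for real keys.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q                                   # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)

def digest(msg: bytes) -> int:
    """Hash the message and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def encrypt(m: int) -> int:                 # public-key operation
    return pow(m, E, N)

def decrypt(c: int, d: int) -> int:         # private-key operation
    return pow(c, d, N)

def sign(msg: bytes, d: int) -> int:        # private-key operation
    return pow(digest(msg), d, N)

def server_accepts(challenge: bytes, response: int) -> bool:
    """The server holds only (N, E) and checks the signed challenge."""
    return pow(response, E, N) == digest(challenge)

def demo() -> dict:
    challenge = b"constructed-login-challenge"
    emailed_copy_of_d = D                   # what anyone reading the mail holds
    return {
        "decrypt_roundtrip": decrypt(encrypt(42), D) == 42,
        "key_owner_accepted": server_accepts(challenge, sign(challenge, D)),
        "mail_reader_accepted": server_accepts(
            challenge, sign(challenge, emailed_copy_of_d)),
        # Holding only the public exponent is not enough to answer.
        "public_only_accepted": server_accepts(challenge, sign(challenge, E)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The server's check passes identically for the owner and for the holder of the mailed copy, which is why the key pair has to be generated by the party that will use it, with only the public half sent to the other side.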