You have likely heard of File Transfer Protocol (FTP), FTP over SSL/TLS (FTP/S), and SSH File Transfer Protocol (SFTP), but did you know that there are some major differences among them? Generally speaking, FTP in its basic form is not secure; FTP/S takes the security up a step in that it lets you protect all or part of a session with TLS (at the cost of extra handshakes); and SFTP runs entirely inside an SSH connection, so every command and every byte of file data is protected by design.
FTP (File Transfer Protocol)
FTP is a very well-established protocol, first specified in 1971 (RFC 114) and standardized in its current form in RFC 959, to allow two computers to transfer files over a network. One computer acts as the server that stores files and the other acts as the client that sends files to, or requests files from, the server. FTP uses TCP port 21 as its main means of communication: an FTP server listens for client connections on port 21.
FTP clients connect to the FTP server on port 21 and initiate a conversation. This main connection is called the Control Connection or Command Connection. The FTP client usually authenticates itself by sending a username (the USER command) and a password (the PASS command). After authentication, the client and server negotiate, through commands on the Control Connection, a second TCP connection called the Data Connection over which the file is transferred. The Control Connection stays mostly idle during the transfer; at the end it carries the reply that says whether the transfer failed or completed successfully. The whole conversation between client and server is plain text: every command, reply, credential and file byte is sent unprotected, verbatim, across the network. This makes FTP very insecure; anyone who can observe the traffic, whether a passive eavesdropper on a shared network or an active man-in-the-middle attacker, can read users' credentials directly off the wire.
There is an exception to this rule, the One-Time Password (OTP) mechanism (RFC 2289, descended from S/KEY), in which the server replies to the USER command with a challenge consisting of a sequence number and a seed. The client combines its secret passphrase with the seed and runs the result through a one-way hash (MD4, MD5 or SHA-1 in the RFC) the indicated number of times to produce a password that is valid once, hence the name. The client sends that value to the server, which does not store the passphrase at all: it stores the previously accepted one-time password and checks that hashing the new value once more reproduces it. If so, the user is authenticated and the stored value is replaced, so the same response can never be accepted twice. This is more secure because the passphrase never goes over the wire, only a hash derived from it, and an eavesdropper cannot recover the passphrase from what was captured or replay the captured value. It protects only the login, though: the commands and file contents that follow are still sent in the clear, and an active attacker can still hijack the authenticated session.
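A worked version of that challenge-response flow, added here as an example rather than taken from the article or from any particular FTP server: a small S/KEY-style hash chain in Python. It uses SHA-256 instead of the MD4/MD5/SHA-1 of RFC 2289, and a made-up seed and chain length (all three are assumptions for the illustration). It shows the property that matters, that a response captured off the wire is rejected if replayed.

```python
import hashlib

# Assumptions for this illustration (not from the article): SHA-256 as the
# one-way function (RFC 2289 specifies MD4, MD5 or SHA-1), a fixed seed and a
# chain length of 100 logins before the user has to re-enroll.
SEED = "ftp12345"
CHAIN_LENGTH = 100


def _h(data):
    return hashlib.sha256(data).digest()


def hash_chain(secret, seed, count):
    """x_0 = H(seed || secret), x_k = H(x_{k-1}); return x_count."""
    x = _h(seed.encode() + secret.encode())
    for _ in range(count):
        x = _h(x)
    return x


class OtpServer:
    """Server side: stores only the top of the chain, never the secret itself."""

    def __init__(self, secret, seed=SEED, n=CHAIN_LENGTH):
        self.seed = seed
        self.seq = n
        self.last = hash_chain(secret, seed, n)  # enrollment; the secret is then discarded

    def challenge(self):
        """Sent in reply to USER: the sequence number and seed the client must use."""
        return self.seq - 1, self.seed

    def verify(self, response):
        """Accept only if one more hash of the response reproduces the stored value."""
        if _h(response) != self.last:
            return False
        self.last = response  # roll forward so this response is never valid again
        self.seq -= 1
        return True


def client_response(secret, seq, seed):
    """Client side: recompute the chain from the secret and the server's challenge."""
    return hash_chain(secret, seed, seq)


def demo():
    """Two logins, a replay of a captured response, and a wrong secret."""
    secret = "correct horse battery staple"
    server = OtpServer(secret)
    seq, seed = server.challenge()
    captured = client_response(secret, seq, seed)  # what an eavesdropper sees
    first = server.verify(captured)
    replay = server.verify(captured)  # the same value presented a second time
    second = server.verify(client_response(secret, *server.challenge()))
    wrong = server.verify(client_response("wrong secret", *server.challenge()))
    return {"first": first, "replay": replay, "second": second, "wrong": wrong}


if __name__ == "__main__":
    print(demo())
```

The server keeps only the most recently accepted value and a counter; once the counter reaches zero the user must enroll a fresh chain, which is the operational cost of the scheme.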
The need for a Data Connection, and the firewall exposure that comes with it, is a major concern in internet usage today. In active mode (the PORT command) the client must accept an inbound TCP connection from the server; in passive mode (the PASV command) the server must expose a range of ports on which it accepts the client's data connection. Either way, FTP traditionally requires a block of ports to remain open on the server firewall or the client firewall so that Data Connections can be created. For security reasons, companies are limiting the number of ports open in their publicly facing firewalls and looking for alternatives that keep ports closed and information secure.
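The exchange described in the two paragraphs above, as an added example that is not part of the original article: a small Python parser that walks a constructed FTP control-channel transcript (labelled as such in the code; it is not a real capture), pulls out the USER and PASS credentials exactly as an eavesdropper would, and decodes the PASV reply and PORT command so you can see which side opens each data connection and on which port.

```python
import re

# Constructed sample transcript for this example (not a real capture):
# "C:" lines are sent by the client, "S:" lines by the server, all in
# plaintext on the control connection to port 21.
SAMPLE_TRANSCRIPT = """\
S: 220 ftp.example.test FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: RETR report.pdf
S: 150 Opening BINARY mode data connection for report.pdf
S: 226 Transfer complete
C: PORT 192,0,2,55,4,1
S: 200 PORT command successful
C: STOR upload.bin
S: 150 Ok to send data
S: 226 Transfer complete
"""

# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

TRANSFER_VERBS = {"RETR", "STOR", "LIST", "NLST", "APPE"}


def decode_hostport(text):
    """Return (ip, port) from a PORT argument or a 227 reply, or None if malformed."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    fields = [int(g) for g in m.groups()]
    if any(v > 255 for v in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_transcript(transcript):
    """Extract credentials and data-connection negotiations from a control-channel transcript."""
    result = {"user": None, "password": None, "data_connections": []}
    for line in transcript.splitlines():
        side, sep, payload = line.partition(": ")
        if not sep:
            continue
        if side == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                result["user"] = arg
            elif verb == "PASS":
                result["password"] = arg
            elif verb == "PORT":
                ep = decode_hostport(arg)
                if ep:
                    # Active mode: the client listens and the server connects back.
                    result["data_connections"].append(
                        {"mode": "active", "host": ep[0], "port": ep[1],
                         "opened_by": "server", "transfer": None})
            elif verb in TRANSFER_VERBS and result["data_connections"]:
                # Attribute the transfer to the most recently negotiated data connection.
                result["data_connections"][-1]["transfer"] = payload
        elif side == "S" and payload.startswith("227"):
            ep = decode_hostport(payload)
            if ep:
                # Passive mode: the server listens and the client connects to it.
                result["data_connections"].append(
                    {"mode": "passive", "host": ep[0], "port": ep[1],
                     "opened_by": "client", "transfer": None})
    return result


if __name__ == "__main__":
    parsed = parse_transcript(SAMPLE_TRANSCRIPT)
    print(f"credentials on the wire: {parsed['user']} / {parsed['password']}")
    for dc in parsed["data_connections"]:
        print(f"{dc['mode']:>7} data connection to {dc['host']}:{dc['port']} "
              f"opened by the {dc['opened_by']} for {dc['transfer']}")
```

The same decoding is what a stateful firewall's FTP helper has to do to open the negotiated port just in time; a firewall without that helper is exactly why the port ranges mentioned above end up permanently open.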
FTP/S (File Transfer Protocol over Secure Sockets Layers)
Along with file transfers, clients typically request directory information from the server. The format of FTP directory listings (the LIST command) was never standardized and is often primitive by today's standards, so an FTP client is sometimes only able to retrieve a subset of the attributes of files on the server (for instance, the date a file was last modified, but not its creation date). The MLSD and MLST commands of RFC 3659 provide machine-readable listings, but not every server supports them.
While generic FTP is not secure, extensions have been added over the years to secure FTP conversations, namely Transport Layer Security (TLS), the successor to the older Secure Sockets Layer (SSL) protocol. The SSL versions themselves are obsolete and should no longer be enabled, and the "2048 bit" figure often quoted alongside TLS refers to the RSA key length of the server certificate, not to the protocol. FTP over TLS (FTP/S, as it is commonly known, specified in RFC 4217) allows the Control and Data Connections to be encrypted together or independently: once the Control Connection is secured, the client sends PROT P to request protected data connections or PROT C to leave them in the clear. The distinction matters because every Data Connection is a fresh TCP connection that needs its own TLS handshake; a client transferring a large number of small files pays for a handshake per file, which is expensive unless client and server support TLS session resumption.
FTP/S commonly runs on port 990 and sometimes on port 21, the difference being that port 990 is Implicit FTP/S and port 21 is Explicit FTP/S. If a client connects to an FTP/S server on port 990, the assumption is that the client intends to use TLS, so the TLS handshake takes place immediately, before any FTP command is exchanged (port 989 is conventionally used for the matching data connection); it is called Implicit because the port number implies security. Clients that connect on port 21 and intend to use TLS must take the extra step of explicitly stating their intention by sending an AUTH TLS command (older clients send AUTH SSL, which modern servers should either treat the same way or reject). Once the server accepts the command, the two parties perform a TLS handshake and continue in a secure state, which is why port 21 is referred to as Explicit. This gives the client the opportunity to activate protection when necessary, or to skip it on less sensitive transfers. From the server's side that flexibility is a downgrade risk: unless the server is configured to refuse USER and PASS until AUTH TLS has succeeded, a misconfigured client, or an attacker who interferes with the AUTH exchange, ends up sending credentials over a plaintext control connection.
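A compact model of the explicit-mode command sequence and of the server-side check that prevents a plaintext fallback, added here as an example (it is not the behaviour of any particular server product): a Python state machine that answers AUTH TLS, PBSZ, PROT, USER, PASS and a transfer command with RFC 959 / RFC 4217 reply codes (the reply wording is invented). Run with require_tls=False it models a permissive server that accepts credentials before AUTH TLS; with require_tls=True it refuses them. The TLS handshake itself is represented by a flag rather than performed.

```python
from dataclasses import dataclass, field


@dataclass
class ControlState:
    """Per-session state of the control connection in this toy model."""
    tls: bool = False              # set once AUTH TLS has been accepted
    pbsz_done: bool = False        # PBSZ 0 must precede PROT (RFC 4217)
    data_protected: bool = False   # PROT P in effect for data connections
    user: str = ""
    authenticated: bool = False
    cleartext_credentials: list = field(default_factory=list)


def handle(cmd, state, require_tls):
    """Return the server reply for one client command and update the state."""
    verb, _, arg = cmd.strip().partition(" ")
    verb, arg = verb.upper(), arg.strip()
    if verb == "AUTH":
        if arg.upper() != "TLS":
            return "504 Only AUTH TLS is supported"
        if state.tls:
            return "503 Control connection is already protected"
        state.tls = True  # a real server performs the TLS handshake at this point
        return "234 Proceed with TLS negotiation"
    if verb == "PBSZ":
        if not state.tls:
            return "503 PBSZ requires AUTH TLS first"
        state.pbsz_done = True
        return "200 PBSZ=0"
    if verb == "PROT":
        if not state.pbsz_done:
            return "503 PROT requires PBSZ first"
        if arg.upper() == "P":
            state.data_protected = True
            return "200 Data connections will be protected"
        if arg.upper() == "C":
            if require_tls:
                return "534 Clear data connections are not permitted"
            state.data_protected = False
            return "200 Data connections will be clear"
        return "504 Unsupported PROT level"
    if verb in ("USER", "PASS"):
        if require_tls and not state.tls:
            # The strict server never lets credentials reach a plaintext channel.
            return "530 Send AUTH TLS before logging in"
        if not state.tls:
            state.cleartext_credentials.append(f"{verb} {arg}")
        if verb == "USER":
            state.user = arg
            return "331 Password required"
        if not state.user:
            return "503 Send USER first"
        state.authenticated = True  # password verification is out of scope here
        return "230 Logged in"
    if verb in ("RETR", "STOR", "LIST"):
        if not state.authenticated:
            return "530 Not logged in"
        if require_tls and not state.data_protected:
            return "521 Data connection must be protected (use PROT P)"
        return "150 Opening data connection"
    return "502 Command not implemented"


def run_session(commands, require_tls):
    """Feed a client command list through the model; return replies and final state."""
    state = ControlState()
    replies = [handle(c, state, require_tls) for c in commands]
    return replies, state


def reply_codes(replies):
    return [r[:3] for r in replies]


# Two constructed client behaviours: one never upgrades, one follows RFC 4217.
NAIVE_CLIENT = ["USER alice", "PASS hunter2", "RETR payroll.csv"]
TLS_CLIENT = ["AUTH TLS", "PBSZ 0", "PROT P", "USER alice", "PASS hunter2", "RETR payroll.csv"]


if __name__ == "__main__":
    for label, strict in (("permissive server", False), ("strict server", True)):
        replies, state = run_session(NAIVE_CLIENT, strict)
        print(label, reply_codes(replies), "leaked:", state.cleartext_credentials)
    replies, state = run_session(TLS_CLIENT, True)
    print("strict server, TLS client", reply_codes(replies), "leaked:", state.cleartext_credentials)
```

The permissive server hands back 331/230/150 to the naive client and has two cleartext credential lines in its state; the strict server answers 530 three times and leaks nothing. On a real deployment the equivalent of require_tls is the server option that forces TLS for logins, and the client-side counterpart is refusing to send PASS if AUTH TLS was not answered with 234.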
SFTP (Secure File Transfer Protocol)
SFTP, the SSH File Transfer Protocol (commonly expanded as Secure File Transfer Protocol), is a newer protocol, developed in the late 1990s, which transfers files and file metadata over a channel inside an already-established Secure Shell (SSH) connection. It is an SSH subsystem with its own message format, not FTP tunnelled through SSH. While similar to FTP/S in that both protocols communicate over a secure connection, that is basically where the similarities end.
Unlike FTP, SFTP is packet-based rather than text-based. Where FTP sends a line such as "DELE file.txt", SFTP sends a binary packet: a length field, a one-byte packet type (13, SSH_FXP_REMOVE, for a delete), a request identifier, and the file name as a length-prefixed string. The server answers with an SSH_FXP_STATUS packet carrying the same request identifier. The fixed framing makes parsing unambiguous, and the request identifiers let a client pipeline many requests over the one channel without waiting for each reply, which is where most of SFTP's efficiency comes from; the individual packets are not necessarily smaller than their FTP equivalents.
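To make the packet format concrete, an added example (not code from the article or from any SFTP implementation): a Python encoder and decoder for the SSH_FXP_REMOVE request and the SSH_FXP_STATUS reply, using the type and status numbers from the SFTP draft specification, plus a toy server function (constructed for the illustration) that answers a delete request. This is the SFTP layer only; on the wire these packets travel inside an encrypted SSH channel, which the example does not model.

```python
import struct

# Packet types and status codes from the SFTP draft (draft-ietf-secsh-filexfer).
SSH_FXP_REMOVE = 13
SSH_FXP_STATUS = 101
SSH_FX_OK = 0
SSH_FX_NO_SUCH_FILE = 2
SSH_FX_OP_UNSUPPORTED = 8


def _string(b):
    """SSH 'string' encoding: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    """Decode an SSH 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def build_packet(ptype, body):
    """Frame a packet: uint32 length (not counting itself), byte type, body."""
    return struct.pack(">IB", 1 + len(body), ptype) + body


def encode_remove(request_id, filename):
    """Client request: SSH_FXP_REMOVE <id> <filename>."""
    body = struct.pack(">I", request_id) + _string(filename.encode("utf-8"))
    return build_packet(SSH_FXP_REMOVE, body)


def encode_status(request_id, code, message):
    """Server reply: SSH_FXP_STATUS <id> <code> <message> <language tag>."""
    body = struct.pack(">II", request_id, code) + _string(message.encode("utf-8")) + _string(b"")
    return build_packet(SSH_FXP_STATUS, body)


def decode_packet(data):
    """Parse one framed packet into a dict; raises ValueError on a bad frame."""
    if len(data) < 9:
        raise ValueError("short packet")
    length, ptype = struct.unpack_from(">IB", data, 0)
    if length + 4 != len(data):
        raise ValueError(f"length field {length} does not match {len(data) - 4} bytes present")
    (request_id,) = struct.unpack_from(">I", data, 5)
    off = 9
    if ptype == SSH_FXP_REMOVE:
        name, off = _read_string(data, off)
        return {"type": "SSH_FXP_REMOVE", "id": request_id, "filename": name.decode("utf-8")}
    if ptype == SSH_FXP_STATUS:
        (code,) = struct.unpack_from(">I", data, off)
        msg, off = _read_string(data, off + 4)
        _lang, off = _read_string(data, off)
        return {"type": "SSH_FXP_STATUS", "id": request_id, "code": code, "message": msg.decode("utf-8")}
    return {"type": ptype, "id": request_id, "raw": data[off:]}


def fake_server(packet, existing_files):
    """Toy server logic (constructed for this example): delete the file if it exists."""
    req = decode_packet(packet)
    if req["type"] != "SSH_FXP_REMOVE":
        return encode_status(req["id"], SSH_FX_OP_UNSUPPORTED, "Unsupported request")
    if req["filename"] in existing_files:
        existing_files.discard(req["filename"])
        return encode_status(req["id"], SSH_FX_OK, "Success")
    return encode_status(req["id"], SSH_FX_NO_SUCH_FILE, "No such file")


if __name__ == "__main__":
    files = {"file.txt"}
    request = encode_remove(1, "file.txt")
    print("request :", request.hex())
    print("reply   :", decode_packet(fake_server(request, files)))
    print("again   :", decode_packet(fake_server(request, files)))
```

The encoded request for "file.txt" is 21 bytes, against 15 bytes for the FTP line "DELE file.txt" with its CRLF, so the binary form is not a saving in itself; what it buys is a length-delimited frame the receiver can validate before acting on it, and a request identifier that lets replies arrive out of order.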
Another difference is that with SFTP, file data travels in-line over the same SSH connection that carries the requests, so there is no separate Data Connection to open for each transfer. This has many benefits. First, by re-using the main connection, no other TCP connections are opened between client and server: a single encrypted connection, typically to port 22, passes through firewalls with one rule and no port ranges.
Since SFTP runs inside SSH, it is secure by construction: there is no plaintext mode, and the encryption cannot be negotiated away with AUTH or PROT commands as in FTP/S. This is a plus for system administrators who are trying to enforce corporate security policies. Its security still depends on the SSH deployment around it: clients must verify the server's host key (otherwise a man-in-the-middle can present its own), and servers should prefer key-based over password authentication and restrict SFTP users to the directories they actually need.
Another difference is that most SFTP implementations return a much richer and more detailed set of file attributes (permissions, owner, size, modification and access times, and other fields carried in the protocol's ATTRS structure) that plain FTP's LIST output does not reliably provide, thanks to SFTP's more robust request protocol.
These are the inherent differences in FTP, FTP/S, and SFTP. WebDrive, which is often used as an FTP client, also supports SFTP, FTP/S and other protocols. Titan FTP Server Enterprise Edition supports both FTP and SFTP, and Cornerstone MFT adds significant security features beyond simply securing the file transfer.