You have likely heard of File Transfer Protocol (FTP), File Transfer Protocol over Secure Sockets Layers (FTP/S), and Secure File Transfer Protocol over SSH (SFTP), but did you know that there are some major differences among them? Generally speaking, FTP in its basic form is not secure, FTP/S takes the security up a step in that it allows you to secure all or part of a session (at the cost of speed), and the SFTP protocol is used to ensure that all file transmission will be secure and efficient.
FTP (File Transfer Protocol)
FTP is a very well-established protocol, developed in the 1970s to allow two computers to transfer data over the internet. One computer acts as the
server to store information and the other acts as the
client to send or request files from the server. The FTP protocol typically uses port 21 as its main means of communication. An FTP server will listen for client connections on
port 21.
FTP clients will then connect to the FTP server on port 21 and initiate a conversation. This main connection is called the
Control Connection or
Command Connection. The FTP client will usually authenticate itself with the FTP server by sending over a username and a password. After authentication, the client and server will typically, through a series of synchronized commands controlled by the Command Connection, negotiate a new common port called the
Data Connection over which the file will be transferred. The Control Connection remains idle until the end of this exchange, when it reports that the file transfer has either failed or was completed successfully. The conversation between client and server is performed in plain text—all communication between the two parties is sent unprotected, verbatim, over the internet. This makes FTP very unsecure; it would not be terribly difficult for a third party, such as a
Man-in-the-Middle Attacker(MITMA), to steal users’ credentials.
There’s an exception to this rule called
One Time Password (
OTP), in which the server sends a series of digits to the client server in response to the receipt of the USER command. The client grabs those digits and, using a pre-known algorithm such as ROT13 or MD5, the client will generate a
hash of their password along with the series of digits to produce a unique password (used one time, hence the OTP). The client presents this hash to the server, which takes the user’s password, already stored on the server, and uses the same digits. If the hashes of the password match, they are authenticated. This is somewhat more secure because the user’s password does not go over the wire– only a hash of the user’s password– so a MITMA usually can’t reverse engineer the password from the hash.
The need for a Data Connection, and its inherent security loopholes, is a major concern in internet usage today. FTP traditionally requires a block of ports to remain open on either the server firewall or the client firewall to aid with the creation of Data Connections. For security reasons, companies are limiting the number of ports in their publicly facing firewalls and looking for alternate solutions in order to keep ports closed and information secure.
SFTP (Secure File Transfer Protocol)
SFTP (Secure File Transfer Protocol) is a relatively new protocol developed in the 1990s, which allows for the transfer of files and other data over a connection that has previously been secured using the Secure Shell (SSH) protocol. While similar to FTP/S in that both protocols communicate over a secure connection, that’s basically where the similarities end.
Unlike FTP, the SFTP protocol is packet-based instead of text-based. Where FTP might send a command such as “DELE file.txt,” SFTP would send a binary 0xBC and then “file.txt.” The key difference is that by sending less data, the SFTP protocol is faster over the long-term as less data is crossing the wire.
Another difference is that with SFTP, file transfers are performed in-line over the main Control Connection, thus eliminating the need to open a separate Data Connection for transfers. This has many benefits. First, by re-using the main connection, no other connections are opened between the client and the server, resulting in a single secure, efficient connection through firewalls.
Since SFTP runs over SSH, it is inherently secure. There is no non-secure version—the encryption cannot be triggered or turned off using AUTH commands, as in FTP/S. This is a plus for system administrators who are trying to enforce corporate security policies.
Another difference is that most versions of SFTP are able to deliver a much richer and more detailed set of data about the files, such as the permissions, date, time, size, and other information not normally available to FTP, thanks to the more robust request protocol of the SFTP.