Eugene Mayevski is Chief Technical Officer of EldoS Corporation (www.eldos.com), a company that specializes in developing security and low-level system components for software developers.
SecureBlackbox (www.SecureBlackbox.com) is the EldoS Corporation product that provides SFTP and FTPS support for the .NET and VCL frameworks.
File transfer over the network with the FTP protocol (RFC 959 and its later extensions) dates back to the early 1970s, when the first FTP specification, RFC 114, was published; RFC 959 (1985) is the version still in use today. FTP provides functions to upload, download and delete files, create and delete directories, and read directory contents. While FTP is very popular, it has certain disadvantages that make it harder to use. The major drawbacks are the lack of a uniform directory listing format (partially solved by the MLST/MLSD commands of RFC 3659, which some servers still don't support) and the presence of a secondary connection, the DATA connection. Security for FTP is provided by wrapping the control channel (and, optionally, the data channel) in SSL/TLS, as defined by the FTP security extensions in RFC 2228 and specified for TLS in RFC 4217. The secured version of FTP is called FTPS.
On UNIX systems a different security standard grew up: the SSH family of protocols. The primary function of SSH was to secure remote shell access to UNIX systems. Later SSH was extended with file transfer: first SCP, which simply runs the old rcp copy command over an SSH session, then SFTP, a subsystem of SSH-2. Version 1 of the SSH protocol is outdated, insecure and not recommended for use. SCP survives as a plain copy tool, but it has no directory operations beyond what rcp offered, so SFTP gains popularity day by day.
The abbreviation "SFTP" is often mistakenly used to mean some kind of Secure FTP, by which people most often mean FTPS. A similar mistake is to think of SFTP as FTP over SSL. In fact SFTP stands for "SSH File Transfer Protocol". It is neither FTP over SSL nor FTP over SSH (which is also technically possible, by tunnelling the FTP control connection through an SSH port forward, but very rare).
SFTP is a binary protocol. It has never been published as an RFC: it is defined in a series of IETF drafts (draft-ietf-secsh-filexfer), of which version 3 is what most servers and clients actually implement and version 6 is the latest; the SSH-2 transport it runs over is RFC 4253 and the subsystem mechanism that carries it is RFC 4254. All commands (requests) are packed into binary messages and sent to the server, which replies with binary packets. Later versions extended SFTP beyond file upload/download to file-system operations such as file locking, symbolic link handling and so on.
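To make the "binary messages" concrete, here is an added example (not code from the article or from SecureBlackbox) that builds the first client requests of an SFTP version 3 session and decodes constructed server replies back into something a log line can show. The packet layout follows draft-ietf-secsh-filexfer-02; the sample replies, the request ids and the MAX_PACKET sanity limit are assumptions made for the example, and the SSH transport that would normally carry these bytes is left out.

```python
"""SFTP version 3 packet framing, as in draft-ietf-secsh-filexfer-02.

The SSH transport hands the "sftp" subsystem an opaque byte stream; each SFTP
packet on it is  uint32 length | byte type | uint32 request-id | fields,
where INIT and VERSION carry a protocol version instead of a request-id and
every string is uint32-length-prefixed.  Nothing here is printable as-is,
which is why a decoder like describe() is needed before the traffic can be logged.
"""
import struct

# Packet types, open flags and status codes used below (subset of the draft)
FXP_INIT, FXP_VERSION, FXP_OPEN, FXP_CLOSE, FXP_READ = 1, 2, 3, 4, 5
FXP_STATUS, FXP_HANDLE, FXP_DATA = 101, 102, 103
FXF_READ, FXF_WRITE, FXF_CREAT = 0x01, 0x02, 0x08
FX_NAMES = {0: "OK", 1: "EOF", 2: "NO_SUCH_FILE", 3: "PERMISSION_DENIED",
            4: "FAILURE", 5: "BAD_MESSAGE", 8: "OP_UNSUPPORTED"}
MAX_PACKET = 256 * 1024          # sanity limit on the length field (assumed, not from the draft)


def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def frame(ptype: int, body: bytes) -> bytes:
    """Prepend the length field; it counts the type byte but not itself."""
    return struct.pack(">IB", len(body) + 1, ptype) + body


# --- client-side request builders ---
def pkt_init(version: int = 3) -> bytes:
    return frame(FXP_INIT, struct.pack(">I", version))


def pkt_open(req_id: int, path: str, pflags: int = FXF_READ) -> bytes:
    # trailing uint32 0 is an ATTRS block with no fields present
    return frame(FXP_OPEN, struct.pack(">I", req_id) + ssh_string(path.encode())
                 + struct.pack(">II", pflags, 0))


def pkt_read(req_id: int, handle: bytes, offset: int, length: int) -> bytes:
    return frame(FXP_READ, struct.pack(">I", req_id) + ssh_string(handle)
                 + struct.pack(">QI", offset, length))


# --- server-side reply decoding ---
def split_packets(stream: bytes):
    """Return ([(type, body), ...], leftover) for a byte stream that may end mid-packet."""
    pkts, pos = [], 0
    while pos + 5 <= len(stream):
        (length,) = struct.unpack_from(">I", stream, pos)
        if length < 1 or length > MAX_PACKET:
            raise ValueError(f"bad packet length {length} at offset {pos}")
        if pos + 4 + length > len(stream):
            break                                    # wait for more bytes
        pkts.append((stream[pos + 4], stream[pos + 5:pos + 4 + length]))
        pos += 4 + length
    return pkts, stream[pos:]


def describe(ptype: int, body: bytes) -> dict:
    """Render one packet as a dict a log line could show."""
    if ptype == FXP_VERSION:
        (ver,) = struct.unpack_from(">I", body, 0)
        exts, pos = {}, 4
        while pos < len(body):                       # extension name/value pairs
            name, pos = read_string(body, pos)
            value, pos = read_string(body, pos)
            exts[name.decode()] = value.decode()
        return {"type": "VERSION", "version": ver, "extensions": exts}
    (req_id,) = struct.unpack_from(">I", body, 0)
    if ptype == FXP_HANDLE:
        handle, _ = read_string(body, 4)
        return {"type": "HANDLE", "id": req_id, "handle": handle.hex()}
    if ptype == FXP_STATUS:
        (code,) = struct.unpack_from(">I", body, 4)
        msg, _ = read_string(body, 8)
        return {"type": "STATUS", "id": req_id, "code": FX_NAMES.get(code, code),
                "message": msg.decode(errors="replace")}
    if ptype == FXP_DATA:
        data, _ = read_string(body, 4)
        return {"type": "DATA", "id": req_id, "length": len(data)}
    return {"type": ptype, "id": req_id, "raw": body[4:].hex()}


# Constructed server replies (not captured from any real server), back to back
# as they would arrive: VERSION, then HANDLE for request 1, then STATUS for request 2.
SAMPLE_REPLIES = (
    frame(FXP_VERSION, struct.pack(">I", 3)
          + ssh_string(b"posix-rename@openssh.com") + ssh_string(b"1"))
    + frame(FXP_HANDLE, struct.pack(">I", 1) + ssh_string(b"\x00\x00\x00\x07"))
    + frame(FXP_STATUS, struct.pack(">II", 2, 3)
            + ssh_string(b"Permission denied") + ssh_string(b""))
)


def demo():
    pkts, leftover = split_packets(SAMPLE_REPLIES)
    return [describe(t, b) for t, b in pkts], leftover


if __name__ == "__main__":
    print("OPEN request  :", pkt_open(1, "/etc/motd").hex())
    for entry in demo()[0]:
        print("server reply  :", entry)
```

The length check in split_packets is the part worth copying: a peer that sends a huge or zero length field must be rejected before any allocation, and a packet that is not yet complete must be left in the buffer rather than guessed at.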
Both FTPS and SFTP use a combination of an asymmetric algorithm (RSA, DSA), a symmetric algorithm (3DES, AES, Twofish etc.; single DES should no longer be enabled anywhere) and a key-exchange algorithm (typically Diffie-Hellman). For authentication FTPS (or, to be more precise, the SSL/TLS protocol underneath FTP) uses X.509 certificates, while SFTP (the SSH protocol) uses SSH keys.
X.509 certificates include the public key and certain information about the certificate owner, and are signed by an issuing certificate authority. That signature, and the chain of certificates leading back to a trusted root, let the other side verify the integrity of the certificate and the identity of its owner. Verification can be done by a computer and, to some extent, by a human. A certificate has an associated private key, which is usually stored separately from the certificate for security reasons.
An SSH key contains only a public key (the associated private key is stored separately). It doesn't contain any information about the owner of the key (the comment at the end of an OpenSSH-style key line is free text that nothing signs), nor does it contain anything that lets one reliably validate its integrity and authenticity. Trust has to be established out of band, typically by comparing the key's fingerprint with a value obtained through another channel, which is what the known_hosts mechanism does. Some SSH software implementations use X.509 certificates for authentication, but in fact they don't validate the whole certificate chain: only the public key is used, which makes such authentication incomplete and similar to plain SSH key authentication.
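The following added example (mine, not the article's or any vendor's code) shows what an OpenSSH public key line really carries, by building one from a constructed toy RSA key, parsing it back, computing the MD5 and SHA256 fingerprints the way ssh-keygen prints them, and making a known_hosts-style trust decision from the fingerprint alone. The 256-bit modulus and the comment are made up for the example and are far too small for any real use.

```python
"""What an OpenSSH public key line actually contains, and how trust in it is established.

The blob is only  string "ssh-rsa" | mpint e | mpint n  (RFC 4253 section 6.6
encoding); the trailing comment is free text that no signature covers.  There is
no issuer and no owner identity to verify, so a peer's key is trusted by comparing
its fingerprint with one learned out of band, which is all known_hosts does.
"""
import base64
import hashlib
import struct


def _mpint(x: int) -> bytes:
    """Two's-complement big-endian with a leading zero byte when the top bit is set."""
    if x == 0:
        return struct.pack(">I", 0)
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _take(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def encode_rsa_pubkey(e: int, n: int, comment: str = "") -> str:
    """Build an authorized_keys / known_hosts style line."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_pubkey_line(line: str) -> dict:
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    blob_type, pos = _take(blob, 0)
    if blob_type.decode() != keytype:
        raise ValueError("key type outside the blob does not match the blob")
    if keytype != "ssh-rsa":
        raise ValueError(f"unsupported key type {keytype}")
    e_bytes, pos = _take(blob, pos)
    n_bytes, pos = _take(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing data in key blob")
    n = int.from_bytes(n_bytes, "big")
    return {"type": keytype, "e": int.from_bytes(e_bytes, "big"), "n": n,
            "bits": n.bit_length(), "comment": comment, "blob": blob}


def fingerprint_md5(blob: bytes) -> str:
    """Legacy ssh-keygen -l -E md5 form: 16 colon-separated hex pairs."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH form: SHA256: plus unpadded base64 of the digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def host_key_trusted(presented_line: str, pinned_fingerprint: str) -> bool:
    """known_hosts-style decision: only the fingerprint of the presented blob counts,
    never the comment or anything else the peer claims about itself."""
    key = parse_pubkey_line(presented_line)
    return fingerprint_sha256(key["blob"]) == pinned_fingerprint


# Constructed toy key (256-bit modulus, far too small for real use; e = 65537).
SAMPLE_E = 65537
SAMPLE_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E
SAMPLE_LINE = encode_rsa_pubkey(SAMPLE_E, SAMPLE_N, "alice@laptop")

if __name__ == "__main__":
    key = parse_pubkey_line(SAMPLE_LINE)
    print(SAMPLE_LINE)
    print("bits:", key["bits"], "comment:", repr(key["comment"]))
    print("MD5   :", fingerprint_md5(key["blob"]))
    print("SHA256:", fingerprint_sha256(key["blob"]))
```

Changing the comment from "alice@laptop" to "root@prod-server" leaves the blob, and therefore the fingerprint, untouched; that is exactly the gap an X.509 subject plus issuer signature is meant to close, and why a pinned fingerprint is the only thing host_key_trusted looks at.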
Here's a brief list of the pros and cons of the two protocols:
FTPS
Pros:
Widely known and used
The communication can be read and understood by the human
Provides services for server-to-server file transfer
SSL/TLS has good authentication mechanisms (X.509 certificate features)
FTP and SSL/TLS support is built into many internet communication frameworks.
Cons:
Doesn't have a uniform directory listing format
Requires a secondary DATA channel, which makes it hard to use behind firewalls and NAT (with FTPS even more so: the encrypted control channel hides the PASV/PORT exchange, so a firewall cannot follow it to open the data port)
Doesn't define a standard for file name character sets (encodings)
Not all FTP servers support SSL/TLS
Doesn't have a standard way to get and change file and directory attributes
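An added example (not from the article) of the DATA-channel problem from the client's side: parsing the PASV and EPSV replies that tell the client where to open the second connection, and deciding whether to believe them. The reply strings and the control-peer address are constructed; the policy of ignoring the advertised address unless explicitly trusted, and of refusing ports below 1024, is a design choice of this example (the address part is the same default Python's ftplib adopted), not something the FTP RFCs require.

```python
"""Where an FTP(S) data connection goes: PASV and EPSV reply handling.

After the client sends PASV the server answers something like
"227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" and the client opens a second
TCP connection to h1.h2.h3.h4 on port p1*256+p2.  Over FTPS that reply is inside
TLS, so a NAT device or firewall can neither rewrite the address nor open a
pinhole for the data connection, and the client has only the server's word for
where to connect.  The policy below ignores the advertised address unless told
otherwise and refuses low ports.
"""
import re

_PASV_RE = re.compile(
    r"^227\b.*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?")
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")   # RFC 2428 "(|||port|)"


def parse_pasv(reply: str):
    """Return (host, port) advertised in a 227 reply; parentheses are optional
    because some servers omit them."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply: str) -> int:
    """EPSV carries only a port; the host is always the control connection's peer."""
    m = _EPSV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not an EPSV reply: {reply!r}")
    return int(m.group(1))


def data_endpoint(reply: str, control_peer: str, trust_server_address: bool = False):
    """Decide which (host, port) the data connection may be opened to.

    control_peer is the IP the control connection is actually talking to.
    The address inside a PASV reply is used only when the caller opts in:
    servers behind NAT routinely advertise a private address that is useless
    to the client, and a hostile server can name any host and port it likes.
    """
    if reply.startswith("229"):
        host, port = control_peer, parse_epsv(reply)
    else:
        host, port = parse_pasv(reply)
        if not trust_server_address and host != control_peer:
            host = control_peer
    if not 1024 <= port <= 65535:
        # policy choice: passive data ports are ephemeral; 0 and service ports
        # (22, 25, ...) are never a legitimate place to be sent
        raise ValueError(f"refusing data port {port}")
    return host, port


if __name__ == "__main__":
    peer = "203.0.113.7"                     # constructed control-connection peer
    for r in ("227 Entering Passive Mode (10,0,0,5,195,149).",
              "229 Entering Extended Passive Mode (|||6446|)",
              "227 Entering Passive Mode (203,0,113,7,0,22)"):
        try:
            print(r, "->", data_endpoint(r, peer))
        except ValueError as exc:
            print(r, "->", exc)
```

Prefer EPSV where the server supports it: it never names a host, so the redirection question does not arise and the same code path works for IPv6.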
SFTP
Pros:
Has a good standards background which strictly defines most (if not all) aspects of operation
Has only one connection (no need for DATA connection)
The connection is always secured
The directory listing is uniform and machine-readable
The protocol includes operations for permission and attribute manipulation, file locking and more
Cons:
The communication is binary and can't be logged "as is" for human reading
SSH keys are harder to manage and validate
The standards define certain things as optional or recommended, which leads to compatibility problems between software from different vendors
No server-to-server copy and no recursive directory removal operations
No built-in SSH/SFTP support in VCL and .NET frameworks
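To illustrate the two directory-listing points above (FTP's lack of a uniform format versus SFTP's machine-readable attributes), here is an added example of my own, not code from the article or any product. It guesses the dialect of constructed FTP LIST lines in Unix "ls -l" and Windows "dir" styles and normalises them, and beside that encodes and decodes the SFTP version 3 ATTRS structure, whose flags word says exactly which fields are present. The listing lines are made up; real servers produce further variants (locale-specific months, other date layouts) that a production parser would have to add.

```python
"""Directory listings: two FTP LIST dialects a client may get back, next to the
one binary ATTRS structure SFTP (version 3) uses everywhere.

RFC 959 defines LIST output as being for humans; servers emit whatever their
platform's ls (or dir) prints, so a client has to guess the dialect line by line.
SFTP returns an ATTRS block with explicit flags saying which fields are present.
"""
import re
import stat
import struct

# Unix "ls -l" style:  -rw-r--r--   1 alice  staff   1234 Oct 14  2007 report.txt
UNIX_RE = re.compile(
    r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"(\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2}))\s+(.+)$")
# Windows/IIS "dir" style:  10-14-07  09:31AM       <DIR>          logs
DOS_RE = re.compile(r"^(\d{2}-\d{2}-\d{2})\s+(\d{2}:\d{2}[AP]M)\s+(<DIR>|\d+)\s+(.+)$")


def parse_list_line(line: str) -> dict:
    """Normalise one LIST line into a common record; raise on unknown dialects."""
    text = line.rstrip("\r\n")
    m = UNIX_RE.match(text)
    if m:
        kind, perms, owner, group, size, mtime, name = m.groups()
        if kind == "l" and " -> " in name:          # "link -> target"
            name = name.split(" -> ", 1)[0]
        return {"name": name, "is_dir": kind == "d", "size": int(size),
                "perms": perms, "owner": owner, "mtime": mtime, "dialect": "unix"}
    m = DOS_RE.match(text)
    if m:
        date, time, size, name = m.groups()
        return {"name": name, "is_dir": size == "<DIR>",
                "size": 0 if size == "<DIR>" else int(size),
                "perms": None, "owner": None, "mtime": f"{date} {time}", "dialect": "dos"}
    raise ValueError(f"unrecognised LIST line: {line!r}")


# SFTP v3 ATTRS: uint32 flags, then only the fields whose flag bit is set
ATTR_SIZE, ATTR_UIDGID, ATTR_PERMISSIONS, ATTR_ACMODTIME = 0x1, 0x2, 0x4, 0x8


def encode_attrs(size=None, uid_gid=None, perms=None, times=None) -> bytes:
    flags, body = 0, b""
    if size is not None:
        flags |= ATTR_SIZE
        body += struct.pack(">Q", size)
    if uid_gid is not None:
        flags |= ATTR_UIDGID
        body += struct.pack(">II", *uid_gid)
    if perms is not None:
        flags |= ATTR_PERMISSIONS
        body += struct.pack(">I", perms)
    if times is not None:
        flags |= ATTR_ACMODTIME
        body += struct.pack(">II", *times)
    return struct.pack(">I", flags) + body


def decode_attrs(buf: bytes, pos: int = 0):
    """Return (attrs dict, next position).  Extended attributes (flag 0x80000000)
    are not handled by this example."""
    (flags,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    out = {}
    if flags & ATTR_SIZE:
        (out["size"],) = struct.unpack_from(">Q", buf, pos)
        pos += 8
    if flags & ATTR_UIDGID:
        out["uid"], out["gid"] = struct.unpack_from(">II", buf, pos)
        pos += 8
    if flags & ATTR_PERMISSIONS:
        (p,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        out["perms"], out["is_dir"] = p, stat.S_ISDIR(p)   # POSIX mode bits, no guessing
    if flags & ATTR_ACMODTIME:
        out["atime"], out["mtime"] = struct.unpack_from(">II", buf, pos)
        pos += 8
    return out, pos


# Constructed LIST output (not captured from any real server)
SAMPLE_LIST = [
    "drwxr-xr-x   2 alice  staff     4096 Oct 14  2007 reports",
    "-rw-r--r--   1 alice  staff     1234 Oct 14 09:31 report.txt",
    "lrwxrwxrwx   1 root   root        10 Jan  5 12:00 current -> report.txt",
    "10-14-07  09:31AM       <DIR>          logs",
    "10-14-07  09:31AM                 1234 report.txt",
]

if __name__ == "__main__":
    for line in SAMPLE_LIST:
        print(parse_list_line(line))
    attrs = encode_attrs(size=1234, uid_gid=(1000, 50), perms=0o100644, times=(1192354260, 1192354260))
    print(attrs.hex(), "->", decode_attrs(attrs))
```

Note what the DOS dialect cannot express at all (permissions, owner) and that the Unix dialect's "Oct 14 09:31" has no year; SFTP's ATTRS carries a POSIX mode word and epoch timestamps, so the client never has to guess.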
What to choose
As usual, the answer depends on your goals and requirements. In general, SFTP is technologically superior to FTPS. It's a good idea to implement support for both protocols, but they differ in concept, in the commands they support and in many other respects.
It's a good idea to use FTPS when you have a server that needs to be accessed from personal devices (smartphones, PDAs etc.) or from operating systems which have FTP support but no SSH/SFTP client. If you are building a custom security solution, SFTP is probably the better option.
As for the client side, the requirements are dictated by the server(s) you plan to connect to. When connecting to Internet servers, SFTP is more common because Linux and UNIX servers support it out of the box.
For private host-to-host transfer you can use either SFTP or FTPS. For FTPS you would need to find free FTPS client and server software or purchase a licence for a commercial product. For SFTP you can install the OpenSSH package, which provides free client and server software.
Developer tools
If you are a software developer who needs to implement file transfer capability in an application, you will be looking for components to do the job.
In .NET you have built-in support for FTPS in the .NET Framework (see the FtpWebRequest class with EnableSsl set to true). However the functionality of this class is severely limited, especially where SSL/TLS control is concerned: it supports only explicit FTPS (AUTH TLS), not implicit FTPS on port 990, and its only hook for certificate validation is the process-wide ServicePointManager.ServerCertificateValidationCallback.
.NET Framework doesn't include any support for SSH or SFTP.
In VCL you have a selection of free components and libraries which provide FTP functionality. When you add OpenSSL to them, you get FTPS for free. If you don't want to deal with the OpenSSL DLLs, you can use one of the commercially available libraries for SSL and FTPS support. There are, however, no freeware SFTP components available for VCL.
If you use a tool that requires ActiveX controls, you need to look for commercial FTPS or SFTP controls; no free controls are available.
SecureBlackbox library provides both FTPS and SFTP support for .NET, VCL and ActiveX technologies.
FTPS (FTP over SSL) vs. SFTP (SSH File Transfer Protocol): What to Choose
By: Eugene Mayevski | 14/10/2007 | Security
FTP over SSL (FTPS) and SFTP (SSH File Transfer Protocol) are the most often used and most often confused protocols for secure file transfer. The article reviews both of them and shows their pros and cons.