January 22, 2012

1.4.8 FTPS


FTPS (FTP over SSL/TLS) is an extension to the File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) cryptographic protocols for channel encryption. It builds on the FTP security extensions (the AUTH, PBSZ and PROT commands) defined in RFC 2228; their use with TLS is specified in RFC 4217.

Well-known TCP ports for FTPS (these are the registered ports for implicit FTPS; explicit FTPS starts on the normal FTP control port 21):
  • 989 – FTPS (data channel)
  • 990 – FTPS (control channel)
Much like HTTPS, but unlike SFTP, an FTPS server presents an X.509 public key certificate that the client can validate against a trusted certificate authority; an SFTP server is authenticated by its SSH host key instead.

Both FTPS and SFTP use a combination of an asymmetric algorithm (RSA, DSA) for authentication, a key-exchange algorithm to agree on session keys, and a symmetric algorithm (3DES, AES, Twofish and so on; single DES is no longer considered secure) for bulk encryption. For authentication, FTPS uses X.509 certificates, whereas SFTP (SSH protocol) uses SSH keys.

It's a good idea to use FTPS when a server needs to be accessed from personal devices or from operating systems that ship an FTP client but no SSH/SFTP client.

Pros of FTPS:
  • Widely known and used
  • The control channel is text-based, so the communication can be read and understood by humans
  • Provides services for server-to-server file transfer
  • SSL/TLS has good authentication mechanisms (X.509 certificate features such as CA chains, revocation and client certificates)
  • FTP and SSL/TLS support is built into many Internet communication frameworks
Cons of FTPS:
  • Doesn't have a uniform directory listing format (the output of LIST is implementation-defined; the standardised MLSD listing is not universally supported)
  • Requires a secondary DATA channel on a separately negotiated port; since the PORT/PASV exchange is encrypted, firewalls and NAT devices cannot inspect it to open the data port, which makes FTPS hard to use behind firewalls
  • Doesn't define a standard for file name character sets (encodings)
  • Not all FTP servers support SSL/TLS
  • Doesn't have a standard way to get and change file and directory attributes
SFTP (“SSH FTP”) is based on SSH (Secure Shell) version 2 and, despite the similar name, is a different protocol from FTPS. It uses the same communication channel and encryption mechanisms as SSH.

There are two modes of FTPS. With “implicit SSL” a distinct service (port 990) expects the TLS handshake immediately after the TCP connection is opened, with the data channel on port 989. With “explicit SSL” the client connects in cleartext to the normal FTP service on port 21 and switches to TLS with the AUTH TLS command; the server then requires PBSZ 0 and a PROT command to set the protection level of the data channel. This yields several combinations of what is actually encrypted: with PROT C only the control channel, and therefore the login, is protected (“only encrypted login”), while PROT P also encrypts the data transfers (“encrypted login and data transfer”). RFC 4217 additionally defines the CCC command, which drops the control channel back to cleartext after login so firewalls can again see the PORT/PASV exchange, at the cost of exposing the rest of the commands.
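The explicit-mode exchange described above, together with the certificate-authentication point from the comparison with SFTP, as an added example that is not part of the original post. It uses Python's standard ftplib client, and models the server side of the AUTH / PBSZ / PROT sequencing in a small hypothetical state machine (this example's own, not any real server) so the ordering rules can be exercised offline. The host, user and password arguments of open_explicit_ftps are placeholders; the command sequences in the main block are constructed.

```python
"""Explicit FTPS (RFC 4217) in practice: a client setup that really validates the
server's X.509 certificate, plus an offline model of the server-side command
sequence so the AUTH / PBSZ / PROT ordering can be exercised without a network."""
import ssl
from ftplib import FTP_TLS


def make_ftps_context() -> ssl.SSLContext:
    """TLS context for FTP_TLS that verifies the server certificate.

    Caveat: when FTP_TLS is given no context it builds an *unverified* one
    (ssl._create_stdlib_context), so the X.509 authentication that is the
    main advantage of FTPS over plain FTP is silently lost. Passing a
    context from ssl.create_default_context() restores CA validation and
    hostname checking.
    """
    ctx = ssl.create_default_context()            # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3/TLS 1.0/1.1 (the "SSL" in FTPS is legacy)
    return ctx


def open_explicit_ftps(host: str, user: str, passwd: str, port: int = 21) -> FTP_TLS:
    """Explicit FTPS: plain TCP to the normal FTP port, AUTH TLS, then login and
    PROT P so the data channel is encrypted as well. Placeholder arguments; this
    is the only function here that touches the network."""
    ftps = FTP_TLS(context=make_ftps_context())
    ftps.connect(host, port)
    ftps.auth()               # sends AUTH TLS, expects 234, wraps the control socket in TLS
    ftps.login(user, passwd)  # USER/PASS now travel inside the TLS session
    ftps.prot_p()             # sends PBSZ 0 then PROT P: "encrypted login and data transfer"
    return ftps


class FtpsControlModel:
    """Hypothetical (this example's own) model of how an RFC 4217 server sequences
    the security commands. Not a real server and not tied to any product.

    Policy modelled: TLS is required before USER, i.e. cleartext logins are
    refused; PBSZ 0 must precede PROT; only protection levels C and P exist for
    TLS (levels S and E from RFC 2228 are not defined for it).
    """

    def __init__(self, require_tls_for_login: bool = True):
        self.tls = False                # control channel protected after AUTH TLS
        self.pbsz_done = False
        self.prot = "C"                 # data channel: C = clear, P = private (encrypted)
        self.user = None
        self.logged_in = False
        self.require_tls_for_login = require_tls_for_login

    def handle(self, line: str) -> str:
        """Process one client command line and return the server reply line."""
        cmd, _, arg = line.strip().partition(" ")
        cmd, arg = cmd.upper(), arg.strip()
        if cmd == "AUTH":
            if self.tls:
                return "503 Already using TLS"
            if arg.upper() != "TLS":
                return "504 Unknown security mechanism"
            self.tls = True             # a real server performs the TLS handshake right after 234
            return "234 AUTH TLS successful"
        if cmd == "PBSZ":
            if not self.tls:
                return "503 Bad sequence of commands (AUTH first)"
            if arg != "0":
                return "501 PBSZ must be 0 for TLS"
            self.pbsz_done = True
            return "200 PBSZ=0"
        if cmd == "PROT":
            if not (self.tls and self.pbsz_done):
                return "503 Bad sequence of commands (AUTH and PBSZ first)"
            if arg.upper() not in ("C", "P"):
                return "504 Protection level not supported"
            self.prot = arg.upper()
            return f"200 Protection level set to {self.prot}"
        if cmd == "USER":
            if self.require_tls_for_login and not self.tls:
                return "530 Non-anonymous sessions must use encryption"
            self.user = arg
            return "331 Please specify the password"
        if cmd == "PASS":
            if self.user is None:
                return "503 Login with USER first"
            self.logged_in = True       # the credential check itself is out of scope here
            return "230 Login successful"
        return "502 Command not implemented"


def negotiate(server: FtpsControlModel, commands) -> list:
    """Feed a client command sequence through the model and collect the replies."""
    return [server.handle(c) for c in commands]


if __name__ == "__main__":
    # Constructed client sequences: the correct explicit-FTPS order, then two mistakes.
    good = ["AUTH TLS", "PBSZ 0", "PROT P", "USER alice", "PASS s3cret"]
    for cmd, reply in zip(good, negotiate(FtpsControlModel(), good)):
        print(f"C> {cmd:12} S> {reply}")
    print(negotiate(FtpsControlModel(), ["USER alice"]))          # cleartext login refused: 530
    print(negotiate(FtpsControlModel(), ["AUTH TLS", "PROT P"]))  # PROT without PBSZ: 503
```

The first function is the part worth copying: an FTP_TLS object created without a context negotiates TLS but accepts any certificate, so the channel is encrypted yet not authenticated, which is exactly the man-in-the-middle case the X.509 machinery exists to prevent. The state machine shows why clients always send PBSZ 0 before PROT P even though the value is meaningless for TLS, and what a server that refuses cleartext logins answers to a client that tries USER before AUTH TLS.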

