FTPS (FTP over SSL) vs. SFTP (SSH File Transfer Protocol): What To Choose

Submitted Sunday, October 14, 2007
Submitted by: Eugene Mayevski (528) Blue Level Author Verified Account
EldoS Corporation


File transfer over the network using the FTP protocol (defined by RFC 959 and later additions) has its roots in 1980, when the first RFC for FTP was published. FTP provides functions to upload, download and delete files, create and delete directories, and read directory contents. While FTP is very popular, it has certain disadvantages that make it harder to use. The major drawbacks are the lack of a uniform format for directory listings (this problem has been partially solved by the introduction of the MLST command, but some servers do not support it) and the presence of a secondary connection (the DATA connection). Security in FTP is provided by employing the SSL/TLS protocol for channel encryption, as defined in RFC 2228. The secured version of FTP is called FTPS.

On UNIX systems another security standard grew up: the SSH family of protocols. The primary function of SSH was to secure remote shell access to UNIX systems. Later SSH was extended with file transfer protocols: first SCP (in SSH 1.x), then SFTP (in SSH2). Version 1 of the SSH protocol is outdated, insecure and generally not recommended for use. Consequently SCP is not used anymore, and SFTP gains popularity day by day.

The abbreviation "SFTP" is often mistakenly used to refer to some kind of Secure FTP, by which people most often mean FTPS. Another (similar) mistake is to think that SFTP is some kind of FTP over SSL. In fact SFTP is an abbreviation of "SSH File Transfer Protocol". It is not FTP over SSL and not FTP over SSH (which is also technically possible, but very rare).

SFTP is a binary protocol, the latest version of which is standardized in RFC 4253. All commands (requests) are packed into binary messages and sent to the server, which replies with binary reply packets. In later versions SFTP was extended to provide not just file upload/download operations but also some file-system operations, such as file locking and symbolic link creation.
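
To make the binary framing concrete, here is an added example (not from the original article or from any SFTP implementation) that frames SFTP packets and decodes a byte stream into readable log lines. The sample stream and the paths in it are constructed, and only a subset of the version 3 packet types is named.

```python
import struct

# SFTP version 3 packet type numbers (subset) and their names.
FXP_NAMES = {1: "INIT", 2: "VERSION", 3: "OPEN", 4: "CLOSE", 11: "OPENDIR",
             13: "REMOVE", 14: "MKDIR", 15: "RMDIR", 101: "STATUS"}
# Requests whose first field after the request id is a path string.
PATH_FIRST = {3, 11, 13, 14, 15}


def sftp_string(value: bytes) -> bytes:
    """Encode an SSH 'string': uint32 length followed by the raw bytes."""
    return struct.pack(">I", len(value)) + value


def build_packet(ptype: int, body: bytes) -> bytes:
    """Frame one SFTP packet: uint32 length, byte type, then the body."""
    return struct.pack(">IB", len(body) + 1, ptype) + body


def decode_stream(buf: bytes) -> list:
    """Split a byte stream into SFTP packets and render each as a log line."""
    lines, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 5:
            raise ValueError("truncated packet header")
        length, ptype = struct.unpack_from(">IB", buf, pos)
        if length < 5 or pos + 4 + length > len(buf):
            raise ValueError("bad packet length")
        body = buf[pos + 5: pos + 4 + length]
        name = FXP_NAMES.get(ptype, "TYPE_%d" % ptype)
        (first,) = struct.unpack_from(">I", body, 0)
        if ptype in (1, 2):  # INIT/VERSION carry a version, not a request id
            text = "%s version=%d" % (name, first)
        else:
            text = "%s id=%d" % (name, first)
            if ptype in PATH_FIRST and len(body) >= 8:
                (n,) = struct.unpack_from(">I", body, 4)
                text += " path=%r" % body[8:8 + n].decode("utf-8", "replace")
        lines.append(text)
        pos += 4 + length
    return lines


# Constructed sample: handshake, open a directory, remove a file.
SAMPLE = (build_packet(1, struct.pack(">I", 3))
          + build_packet(11, struct.pack(">I", 1) + sftp_string(b"/upload"))
          + build_packet(13, struct.pack(">I", 2) + sftp_string(b"/upload/a.txt")))

if __name__ == "__main__":
    print("\n".join(decode_stream(SAMPLE)))
```

A decoder of this kind is what an SFTP server or proxy needs in order to produce an audit log, since the wire bytes themselves are not readable.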

Both FTPS and SFTP use a combination of an asymmetric algorithm (RSA, DSA), a symmetric algorithm (DES/3DES, AES, Twofish etc.) and a key-exchange algorithm. For authentication, FTPS (or, to be more precise, the SSL/TLS protocol under FTP) uses X.509 certificates, while SFTP (the SSH protocol) uses SSH keys.

X.509 certificates include the public key and certain information about the certificate owner. This information lets the other side verify the integrity of the certificate itself and the authenticity of the certificate owner. Verification can be done both by a computer and, to some extent, by a human. An X.509 certificate has an associated private key, which is usually stored separately from the certificate for security reasons.

An SSH key contains only a public key (the associated private key is stored separately). It doesn't contain any information about the owner of the key, nor does it contain information that lets one reliably validate its integrity and authenticity. Some SSH software implementations use X.509 certificates for authentication, but in fact they don't validate the whole certificate chain; only the public key is used (which makes such authentication incomplete and similar to SSH key authentication).
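
The point about SSH keys can be seen by parsing one. This added example (not code from the article or from OpenSSH) splits an OpenSSH public key line into its fields and computes the SHA256 fingerprint that a client would pin; the key bytes, the comment and the helper names are constructed for illustration.

```python
import base64
import hashlib
import struct


def parse_public_key(line: str) -> dict:
    """Parse an OpenSSH public key line: 'type base64-blob [comment]'."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, pos = [], 0
    while pos < len(blob):  # blob = sequence of uint32-length-prefixed fields
        if pos + 4 > len(blob):
            raise ValueError("truncated key blob")
        (n,) = struct.unpack_from(">I", blob, pos)
        if pos + 4 + n > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos + 4: pos + 4 + n])
        pos += 4 + n
    if not fields or fields[0] != parts[0].encode("utf-8"):
        raise ValueError("key type does not match blob")
    digest = hashlib.sha256(blob).digest()
    return {
        "type": parts[0],
        "key_fields": len(fields) - 1,  # key material only, no owner data
        "comment": parts[2].strip() if len(parts) == 3 else "",
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
    }


def host_key_trusted(line: str, pinned: set) -> bool:
    """Trust decision is a local pin lookup; no chain or issuer is checked."""
    return parse_public_key(line)["fingerprint"] in pinned


# Constructed sample key: an ssh-ed25519 blob with placeholder key bytes.
SAMPLE_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
               + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_LINE = "ssh-ed25519 %s backup@host.example" % (
    base64.b64encode(SAMPLE_BLOB).decode())

if __name__ == "__main__":
    info = parse_public_key(SAMPLE_LINE)
    print(info)
    # The comment is free text outside the blob, so it is not authenticated.
    relabelled = SAMPLE_LINE.replace("backup@host.example", "ceo@bank.example")
    print(parse_public_key(relabelled)["fingerprint"] == info["fingerprint"])
```

The only owner-like text on the line is the trailing comment, and changing it leaves the fingerprint unchanged, so validation comes down to comparing the fingerprint with a value obtained out of band.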

Here's a brief list of the pros and cons of the two protocols:

FTPS

Pros:

  • Widely known and used
  • The communication can be read and understood by a human
  • Provides services for server-to-server file transfer
  • SSL/TLS has good authentication mechanisms (X.509 certificate features)
  • FTP and SSL/TLS support is built into many internet communication frameworks.

Cons:

  • Doesn't have a uniform directory listing format
  • Requires a secondary DATA channel, which makes it hard to use behind firewalls
  • Doesn't define a standard for file name character sets (encodings)
  • Not all FTP servers support SSL/TLS
  • Doesn't have a standard way to get and change file and directory attributes

SFTP

Pros:

  • Has good standards background which strictly defines most (if not all) aspects of operations
  • Has only one connection (no need for DATA connection)
  • The connection is always secured
  • The directory listing is uniform and machine-readable
  • The protocol includes operations for permission and attribute manipulation, file locking and more functionality

Cons:

  • The communication is binary and can't be logged "as is" for human reading
  • SSH keys are harder to manage and validate
  • The standards define certain things as optional or recommended, which leads to certain compatibility problems between different software titles from different vendors.
  • No server-to-server copy and recursive directory removal operations
  • No built-in SSH/SFTP support in VCL and .NET frameworks

What to choose

As usual, the answer depends on what your goals and requirements are. In general, SFTP is technologically superior to FTPS. Of course, it's a good idea to implement support for both protocols, but they differ in concepts, in supported commands and in many other things.

It's a good idea to use FTPS when you have a server that needs to be accessed from personal devices (smartphones, PDAs etc.) or from some specific operating systems which have FTP support but don't have SSH / SFTP clients. If you are building a custom security solution, SFTP is probably the better option.

As for the client side, the requirements are defined by the server(s) that you plan to connect to. When connecting to Internet servers, SFTP is more popular because it's supported by Linux and UNIX servers by default.

For private host-to-host transfer you can use both SFTP and FTPS. For FTPS you would need to find free FTPS client and server software or purchase a license for a commercial one. For SFTP support you can install the OpenSSH package, which provides free client and server software.

Developer tools

If you are a software developer and need to implement file transfer capability in your application, you will be searching for the components to do the job.

In .NET you have built-in support for FTPS in the .NET Framework (see the FtpWebRequest class). However, the functionality of this class is severely limited, especially in the control of SSL/TLS. The .NET Framework doesn't include any support for SSH or SFTP.

In VCL you have a selection of free components and libraries which provide FTP functionality. When you add OpenSSL to them, you can get FTPS for free. If you don't want to deal with OpenSSL DLLs, you can use one of the commercially available libraries for SSL and FTPS support. Again, there are no freeware SFTP components available for VCL.

If you use a tool with which you have to use ActiveX controls, you need to search for commercial FTPS or SFTP controls. No free controls are available.

The SecureBlackbox library provides both FTPS and SFTP support for .NET, VCL and ActiveX technologies.

About Author:
Eugene Mayevski holds the post of Chief Technical Officer at EldoS Corporation (www.eldos.com), a company that specializes in the development of security and low-level system components for software developers. SecureBlackbox (www.SecureBlackbox.com) is the EldoS Corporation product that provides SFTP and FTPS support for the .NET and VCL frameworks.







Comments on this article:


» left by Peter Sundstrom (278 days 7 hours ago.)
Reader Rating: 4 out of 5
It's my understanding that scp uses whatever version of SSH is configured. So for example, you have only SSH V2 protocol configured, then that's what scp will use.

» left by Eugene Mayevski (528) Blue Level Author Verified Account (278 days 6 hours ago.)
SCP is part of SSH1 protocol family. SCP application can probably upgrade to SFTP if only SSH2 is enabled.

» left by Peter Sundstrom (275 days 16 hours ago.)
After doing some more research I've discovered that SCP can operate with SSH1 and SSH2 and in some cases will use SFTP to perform the file transfers.

Additionally, an SFTP client can connect to an SSH1 server if it knows the path to the SFTP binary on the server side.

Article added to SearchWarp.com on Sunday, October 14, 2007