Which is Better for My Business – SFTP or FTPS?


When it comes to secure data transfer, choosing the right file transfer protocol can leave you drowning in a sea of acronyms before you can say SOS. Without diving too far into alphabet hell, it is worth looking at the two most popular secure file transfer protocols in use today to see how they differ.

SFTP and FTPS might sound like acronym brothers of the same transfer protocol family but they are actually very different in key areas like security, firewall considerations and data exchange. Here’s the tale of the tape…

SFTP

SFTP (Secure File Transfer Protocol or SSH File Transfer Protocol) is often referred to as FTP over SSH (Secure Shell), when in fact it is a sub-protocol of SSH and not related to FTP at all. Just to confuse matters, although it was designed as an extension of SSH to provide secure file transfer capability, it is also able to work with other protocols and so can ultimately be offered by an FTP server product.

Unlike FTPS, SFTP does not use separate command and data channels; it sends both over a single connection. This means only a single port needs to be opened through the firewall when transferring files, which makes it more firewall friendly and safer by limiting the number of routes for attack. It uses port 22 as its default port.

SFTP uses algorithms like AES and Triple DES to encrypt any data transferred between the client and server as a further security measure, and for authentication it accepts a user id plus password, or SSH keys either in place of or in addition to passwords. Any user ids and passwords used to connect to an SFTP server are also sent encrypted.

Key-based authentication involves generating an SSH key pair: a private key and a public key. Your public key goes to your data exchange partner to sit on their server alongside your account. Then, when you connect to them, your client software offers your public key to that server for authentication. The keys have to match, along with any user ids and passwords, for authentication to be approved.
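The server-side half of that matching step, as an added example that is not part of the original article: the partner's server keeps your public key in an OpenSSH-style authorized_keys file and checks the key your client offers against it. The code also prints the SHA-256 fingerprint in the form ssh-keygen prints, which is what you compare over the phone or by e-mail to confirm the right key landed in the partner's account. The key bytes, comment and file contents are constructed for the demonstration and are not a real key; the example assumes lines without an options prefix.

```python
import base64
import binascii
import hashlib
import struct
from typing import List, Tuple

# Constructed sample key material: a fixed 32-byte value standing in for an
# Ed25519 public key. It is NOT a real key, only enough to build a
# well-formed OpenSSH public key blob for the demonstration.
SAMPLE_KEY_BYTES = bytes(range(32))
SAMPLE_COMMENT = "partner-account@example.com"  # hypothetical comment


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field in SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def encode_public_key(key_type: str, key_bytes: bytes) -> str:
    """Build the base64 blob that appears in an OpenSSH public key line."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(key_bytes)
    return base64.b64encode(blob).decode()


def fingerprint(b64_blob: str) -> str:
    """SHA-256 fingerprint in the same form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_type, blob, comment) for each usable line.

    Lines are skipped if they are blank, comments, malformed, or if the key
    type inside the blob disagrees with the key type field on the line.
    Option-prefixed lines (e.g. 'no-pty ssh-ed25519 ...') are assumed absent.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        key_type, blob = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        try:
            raw = base64.b64decode(blob, validate=True)
        except binascii.Error:
            continue
        if len(raw) < 4:
            continue
        (type_len,) = struct.unpack(">I", raw[:4])
        if raw[4:4 + type_len].decode("ascii", "replace") != key_type:
            continue
        entries.append((key_type, blob, comment))
    return entries


def key_is_authorized(offered_blob: str, authorized_keys: str) -> bool:
    """Server-side check: does the key the client offers match a key stored
    with the account? Comparison is on the decoded blob, not the text."""
    offered = base64.b64decode(offered_blob)
    return any(base64.b64decode(blob) == offered
               for _, blob, _ in parse_authorized_keys(authorized_keys))


# Constructed authorized_keys file: one good entry and one entry whose type
# field does not match the blob, which the parser must reject.
SAMPLE_BLOB = encode_public_key("ssh-ed25519", SAMPLE_KEY_BYTES)
AUTHORIZED_KEYS = (
    "# constructed sample file\n"
    f"ssh-ed25519 {SAMPLE_BLOB} {SAMPLE_COMMENT}\n"
    f"ssh-rsa {SAMPLE_BLOB} mislabelled-entry\n"
)

if __name__ == "__main__":
    other = encode_public_key("ssh-ed25519", bytes(reversed(SAMPLE_KEY_BYTES)))
    print("fingerprint on file:", fingerprint(SAMPLE_BLOB))
    print("matching key accepted:", key_is_authorized(SAMPLE_BLOB, AUTHORIZED_KEYS))
    print("other key accepted:", key_is_authorized(other, AUTHORIZED_KEYS))
```

In a real SSH server the match is only the first step: the client must then prove it holds the matching private key by signing a session-bound challenge, which is why the private key never leaves your machine.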

FTPS

FTPS (FTP Secure) is a security extension of the industry-defining File Transfer Protocol (FTP) and was created to plug the security gaps left by FTP. It transports FTP data over the network using SSL (Secure Sockets Layer) encryption, which also uses the AES and Triple DES algorithms, and is hence also referred to as FTP over SSL.

It follows the same data exchange process as FTP, so it sends files through two separate channels, one for commands and one for data. It usually sends commands through port 21 and then uses on-demand temporary ports to exchange data, in the form of directory listings and file transfers. So it opens a different port every time a directory listing or file transfer request is made.

This is not so firewall friendly and is more of a security risk, as it opens more holes. On top of that, the command channel stays open for the entire session and does not shut down until the client sends the Quit command or is forcibly disconnected through inactivity.
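To make the "different port every time" point concrete, here is an added example that is not part of the original article: it parses the 227 reply an FTP or FTPS server sends in passive mode, computes the temporary data port the client is being told to connect to, and applies the check a defender wants, namely that the data port lands inside the bounded passive range the firewall was opened for and on the same host as the command connection. The reply lines and the port range are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# The 227 reply carries the data endpoint as six decimal octets:
# h1,h2,h3,h4 are the IPv4 address, and the port is p1 * 256 + p2 (RFC 959).
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (host, data_port) from a '227 Entering Passive Mode (...)' reply,
    or None if the line is not a well-formed PASV reply."""
    if not reply.startswith("227"):
        return None
    match = PASV_RE.search(reply)
    if match is None:
        return None
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def data_port_allowed(reply: str, control_host: str,
                      pasv_min: int, pasv_max: int) -> bool:
    """Defender-side check before following a PASV reply: the data connection
    must go to the same host as the command channel and use a port inside the
    passive range that the firewall was deliberately opened for."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return False
    host, port = parsed
    return host == control_host and pasv_min <= port <= pasv_max


def data_ports_used(replies: List[str]) -> List[int]:
    """Distinct temporary data ports a session asked for, one per listing or
    transfer, which is what a firewall has to accommodate."""
    ports = {p for r in replies for p in [parse_pasv(r)] if p is not None}
    return sorted(port for _, port in ports)


# Constructed sample replies from one session against a server at 192.0.2.10
# whose administrator has pinned the passive range to 50000-50100.
CONTROL_HOST = "192.0.2.10"
PASV_MIN, PASV_MAX = 50000, 50100
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80).",    # 195*256+80 = 50000
    "227 Entering Passive Mode (192,0,2,10,195,81).",    # 50001, second transfer
    "227 Entering Passive Mode (192,0,2,10,4,1).",       # 1025, outside the range
    "227 Entering Passive Mode (198,51,100,7,195,82).",  # different host
    "500 Syntax error, command unrecognized.",           # not a PASV reply
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        ok = data_port_allowed(reply, CONTROL_HOST, PASV_MIN, PASV_MAX)
        print(f"{'ALLOW' if ok else 'DENY ':5} {reply.strip()}")
    print("ports this session needed:", data_ports_used(SAMPLE_REPLIES))
```

Pinning the server's passive range to a small block and opening only that block is the usual mitigation for FTPS: because the command channel is encrypted, a firewall or NAT device cannot read the 227 reply and open the data port on demand the way it can for plain FTP.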

Authentication comes in the form of a user id, a password and a trusted certificate. A trusted certificate has to be either signed by a known certificate authority or self-signed by the certificate holder, who then also provides a copy of their public certificate to sit in their data exchange partner's trusted key store. The SSL channel also automatically encrypts user ids and passwords.

Author: Maytech is an ISO 27001 accredited global cloud platform provider that specialises in 100% secure data transfer and FTP solutions anywhere in the world.