Tuesday, June 19, 2012
At the time it was originally developed, file transfer protocol (FTP) offered everything the enterprise sector needed in a file sharing tool. However, as time passed and the Internet expanded, threats to mission-critical data that was being shared became vulnerable and an FTP server replacement was needed.
The development of extensions like secure file transfer protocol (SFTP) changed that by adding support for security measures needed to safeguard data in transit over the web. Also called SSH FTP, these extensions encrypt commands and data using Secure Shell protocol (SSH). That means information transmitted is not sent in the open over the network.
How they differ: FTP vs. SFTP
SFTP was developed by the "Secsh" working group that was part of the Internet Engineering Task Force (IETF) after the original release of FTP to add protection measures that were initially absent. Unlike SFTP, the original protocol does not include any form of encryption, which leaves everything from the data being shared to commands, usernames and passwords vulnerable.
And although it is considered an extension of FTP, an SFTP server is unable to communicate with a traditional FTP client. That's because the two actually work off different protocols. SFTP is more of a remote file system protocol than the original FTP.
In addition to security, other innovations for SFTP have also improved the user experience of sending and receiving files. For example, graphical SFTP clients allow users to simply drag and drop files they wish to transfer between open windows. This makes the collaboration process easier than ever.
The name of the host being used, as well as the username and password of the person sending files using a graphical interface, are also needed.
SSH: How it works and how it's used
Computers — a server and a client — connected to an insecure network can be protected by Secure Shell protocol. The network protocol can be used for data transfers and the execution of commands. One computer must be running an SSH server while the other has to have an SSH client.
Users can be authenticated with SSH through public-key cryptography, which requires two separate keys — public and private. One key is used to lock data, while the other is used to gain access to a readable version of the information. The public key can be placed on all computers that will be used to transfer files securely, while the private key is kept by the owner.
SSH verifies that the person or computer that enters the public key also has the corresponding private key needed to complete a transmission. When using SSH it's necessary to verify unknown public keys to avoid a security incident.
SSH-2 unseats SSH-1
SSH-1, the original version of the protocol, was developed at the Helsinki University of Technology in 1995. However, shortly after, in 1998, it was discovered to contain several key vulnerabilities. More came to light in 2001, including one that allowed cybercriminals to modify encrypted sessions.
Since the inception of SSH-2, which debuted in 2006, SSH-1 has been rendered obsolete and it is encouraged that users looking to secure data transfers avoid the first version of the protocol.
The use of the Diffie-Hellman key exchange — a method for sharing keys securely — and the use of message authentication codes has plugged SSH-1's vulnerabilities and made the protocol viable once again. And with no limit to the number of shell sessions that can be run over an SSH connection, security is improved vastly with SSH-2.
- Browse in category: File Transfer
- < How file sharing programs get tax information to financial pros quicker, easier
- > File transfer software