About FTP, FTPS and SFTP
The FTP, FTPS and, SFTP are familiar to everyone in the web circle. What are they? What is the difference between these three? In this tutorial, we are going to see an overview of all the three. Let’s first discuss FTP.
FTP (The File Transfer Protocol)
The FTP stands for File Transfer Protocol. It is a standard network protocol. The FTP is used to transfer files between a client and server in a computer network. The protocol is built upon a client-server model architecture. The FTP uses separate connections to control the connection and to transfer data between the systems. There is authentication to use the FTP. The authentication will be done with a username and password. An anonymous connection is also possible if the server permits.
The FTP was originally defined in 1971 before the TCP/IP even existed. The current specification was created in 1985.
It is commonly known as FTP over SSL. The FTPS is also known as: FTPES, FTP-SSL, S-FTP and FTP Secure. The FTPS is the extension to the FTP which is common. The FTPS adds support for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cryptographic protocols. The FTPS uses server-side public key authentication certificates and client-side authorization certificates. It supports the compatible ciphers such as: AES, RC4, RC2, Triple DES, and DES. It also supports the hash functions such as: SHA, MD5, MD4, and MD2.
The SFTP stands for SSH File Transfer Protocol. It is also called Secure File Transfer Protocol. It is completely different from FTP. The SFTP is a separate protocol packaged with the SSH (Secure Shell) and works in a similar way that of the SSH. For this protocol, it uses a SSH tunnel. So that the connection is encrypted. An SSH tunnel is created through an SSH protocol and it establishes an encrypted connection. The advantage of using an SSH tunnel is that one can transfer unencrypted traffic over an encrypted channel.
The names of three protocols look similar, but they all work differently. Now, let’s look into the working of these protocols.
Working of FTP, FTPS, and SFTP
The FTP is a well-developed protocol. As we have seen earlier, it allows two computers to transfer data between them over a network. In this connection, one computer acts as a server and the other computer as the client. The default ports of FTP are 20 and 21. The data exchange is typically on two channels known as command channel and data channel.
The Command Channel
The command channel is responsible for accepting for client connections. This handles the exchange of simple commands such as ‘USER’ and ‘PASS’ between the FTP client and server. These commands are used for authenticating an FTP user. Once the command channel is opened, it remains open until the user sends the ‘QUIT’ command to quit the session or the server forcefully disconnects the connection such as when there is an inactivity of certain predefined time. It usually runs on the port 21.
The Data Channel
The data channel is responsible for exchanging data between the client and the server. The data is exchanged in the form of directory listing and file transfer. Certain commands sent through the command channel opens a data channel. The LIST, STOR, and RETR are examples of such commands. These commands are using for getting a server directory listing, uploading a file, and downloading a file respectively. The data channel uses on-demand temporary ports listening on the server (Passive Mode) or on the client (Active Mode). The data channel is closed once the data transfer is finished. For concurrent data transfers, a range of ports are necessary. When using the FTP, both the two channels, the command channel and the data channel are unencrypted. One should be wary because anyone can eavesdrop on the communication.
The FTP has been implemented as earlier as when security was not a concern over the computer networks, but now communication over an unencrypted connection in the Internet is risky. To address this issue, extensions were added to the FTP namely, the industry standard 2048-bit Transport Layer Security (TLS). It is the most upgraded version of the 1024 bit standard SSL. The major difference is that the FTPS allows encrypting both the control and data connections either concurrently or independently. This feature is inevitable because the SSL communication will consume more time and here it needs to be done twice. Once for the data connection and once for the control connection. So without this, it would be expensive if a client needs to transfer a large amount of data. The FTPS runs on different ports. The default ports are 21 and 990.
There are two types of FTPS SSL. They are:
1) FTPS Implicit SSL
2) FTPS explicit SSL
FTPS Implicit SSL
The port 990 is for the implicit FTPS. When a client connects to the server at this port, it is assumed that the client needs to perform SSL. Therefore, the SSL handshake takes place immediately. In the FTPS Implicit SSL, the SSL is mandatory. Without the SSL, no further communication will occur. Such connection attempts are refused by the server.
FTPS Explicit SSL
The FTPS explicit SSL works on the port 21. The FTP clients connecting on the port 21 needs to perform an extra step specifying their intention to use SSL by sending an AUTH SSL or AUTH TLS command to the server. Once the command received by the server, the SSL Handshake is performed and a Secured Socket Layer connection is established. Unlike in port 990, the clients can establish the connection without SSL in port 21. This will help the client use a secure connection when necessary.
The SFTP is often confused with the FTPS, but these two protocols are entirely different and don’t share anything in common except they securely transfer data between the connected systems. The SFTP protocol is relatively a new one. It had been developed in the 1990s. As we have seen earlier, this protocol also transfers data securely. With this protocol, the data is transmitted over a connection that has been previously secured with SSH protocol. The FTPS and SFTP are two different protocols. The SFTP is packet-based while the FTPS is text-based. The FTP(S) sends commands to the server to perform operations and SFTP sends information in binary format.
The SFTP is based on the SSH (Secure Shell) protocol and not related to FTP. Unlike FTPS, SFTP does not utilize special connections for data and command channels but is achieved by transferring both command and data by specially formatted packets.
If you need any further assistance please contact our support department.