SFTP vs. FTPS: What is the Perfect Protocol for Safe FTP?
An increasing number of organizations are looking to move away from transferring data with FTP (a standard file transfer protocol). In the beginning stages of research, questions often arise around which secure transfer protocols are recommended and how those protocols differ from each other.
What is Secure FTP?
File Transfer Protocol (FTP) is a network protocol used to transfer files between clients and servers. Secure FTP takes the essential function of FTP – file transfer – and makes it more secure. FTP is not secure in and of itself, and it is often secured with SSL/TLS (to become FTPS) or replaced with SFTP (SSH File Transfer Protocol).
Secure File Transfer Protocols help you transfer data within and outside of your organization safe in the knowledge that your information is protected.
There are two mainstream protocols available for secure FTP:
- SFTP (FTP over SSH)
- FTPS (FTP over SSL)
Because SFTP and FTPS implement strong algorithms like AES and Triple DES to encrypt any data transferred, they both offer a high level of protection. SFTP and FTPS also support a wide variety of functionality with a broad command set for transferring and working with files.
Depending on your organization’s needs, either secure FTP option could work to secure your file transfers. However, there are a few notable differences between the two in how connections are authenticated and managed
Secure FTP Encryption
While FTP is unencrypted, both SFTP and FTPS have encryption mechanisms in place.
FTPS uses two data connections, a command channel and a data channel. You can choose to encrypt either both connection or only the data channel.
Unlike both FTP and FTPS, SFTP uses only one connection. Both the authentication information (i.e., user ID and password) and the data being transferred are encrypted through SFTP.
SFTP vs. FTPS: Secure FTP Authentication
With SFTP, a connection can be authenticated using a couple different techniques:
1. For basic authentication, you or your trading partner may just require a user ID and password to connect to the SFTP server.
It’s important to note that any user IDs and passwords supplied over the SFTP connection will be encrypted (this is a big advantage over standard FTP).
2. SSH keys can also be used to authenticate SFTP connections in addition to, or instead of, passwords.
With key-based authentication, you will need to generate a SSH private key and public key beforehand. If you want to connect to a trading partner’s SFTP server, you would then send your SSH public key to them so they can load onto their server and associate with your account. Then, once you’ve connected to their SFTP server, your client software will transmit your public key to the server for authentication. If the keys match, along with any username/password supplied, the authentication will succeed.
With FTPS, a connection is authenticated using a user ID, password, and certificate:
Like SFTP, the usernames and passwords for FTPS connections are encrypted.
When connecting to a trading partner’s FTPS server, your FTPS client will first check if the server’s certificate is trusted. The certificate is considered trusted if either the certificate was signed off by a known certificate authority (CA), like Verisign, or if the certificate was self-signed by your partner. For self-signed certificates to verify, you must have a copy of their public certificate in your trusted key store.
Your partner may also require that you supply a certificate when you connect to them. Your certificate may be signed by a third-party CA or your partner may allow you to self-sign your certificate, as long as you send them the public portion of your certificate to load into their trusted key store.
SFTP vs. FTPS: Secure FTP Implementation
When it comes to ease of implementing SFTP or FTPS, SFTP is considered the easiest secure FTP protocol to implement. SFTP is very firewall friendly, needing a single port number (default of 22) to to be opened through the firewall. This single SFTP port will be used for all communications, including the initial authentication, any commands issued, and any data transferred.
FTPS, unfortunately, can be very difficult to patch through a tightly-secured firewall. FTPS uses multiple port numbers. The initial port number (default of 21) is used for authentication and passing any commands. However, every time a file transfer request (e.g. get or put) or directory listing request is made, another port number needs to be opened. You and your trading partners will therefore have to open a range of ports in your firewalls to allow for FTPS connections, which can put your network at risk and weaken your cybersecurity defenses.
SFTP vs. FTPS: Speed
SFTP and FTPS aren’t identical when it comes to which is faster. FTPS was designed to be speed-friendly: FTPS gives you the option of whether to encrypt both connections (the command channel and the data channel), or only the data channel. Because the control and data channel run asynchronously in two distinct connections, FTPS can achieve a high data transfer speed. However, SFTP is at most only slightly slower than FTPS.
Which is More Secure: SFTP or FTPS?
In summary, SFTP and FTPS are both secure FTP protocols with strong authentication options. Since SFTP is much easier to port through firewalls, however, we believe SFTP is the clear winner between the two.