SFTP is a network protocol that provides file transfer, access and management over a reliable data stream. Do not confuse SFTP with FTP over SSL (FTPS), the Simple File Transfer Protocol, or plain FTP tunnelled over SSH. SFTP is a binary, packet-based protocol in which the client and server communicate by exchanging packets. It runs as a subsystem of SSH protocol version 2, which serves as the underlying transport, hence SSH is responsible for providing SFTP with security & authentication.
When a client attempts to establish a connection via SFTP, two layers come into play: the Transport & Authentication layers. The Transport Layer handles the initial key exchange and server authentication, determines which encryption algorithm to use, decides whether to employ compression & performs integrity verification. The Authentication Layer handles client authentication and supports a number of methods to accomplish this, including password, public-key, keyboard-interactive and GSSAPI authentication (using mechanisms such as Kerberos or NTLM).
When considering encryption & SFTP there are at least two factors you need to take into account: 1) the encryption algorithm used for file transfers, and 2) public key authentication, if you intend to use it.
Encryption algorithm (ciphers) for file transfers
The encryption algorithm (cipher) mutually agreed upon by the server & client is used to encrypt data packets on the sender and decrypt them on the receiver. The choice of cipher depends on encryption strength, encrypt-decrypt speed and sometimes business requirements. E.g. the Serpent cipher is more secure than 3DES & runs significantly faster than the DES cipher, while the Blowfish cipher is faster than 3DES but less secure. Encryption strength and speed depend in part on the block & key size of the cipher, e.g. AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits; AES 256 would be more secure than AES 128, but AES 128 would be faster than AES 256.
Note that you should not compare encryption-decryption speed & strength based on key size alone when considering different algorithms. E.g. while it may be helpful to compare AES-128 and AES-256, it would not be wise to compare a 256-bit Blowfish cipher to a 256-bit AES cipher without considering the actual design and implementation of these algorithms.
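The cipher that SFTP traffic ends up using is chosen by the SSH transport during key exchange: each side sends a comma-separated name-list of supported ciphers, and the chosen algorithm is the first entry on the client's list that also appears on the server's list (RFC 4253, section 7.1). The following is an added example, not code from the original article; the name-lists are constructed sample data and the weak/preferred sets are an assumed local policy. It shows why a server that still offers an older cipher such as 3DES or Blowfish can end up using it whenever a client lists it first.

```python
import re

# Assumed local policy for the check below: ciphers the article describes as
# older/slower/weaker versus current AES modes. Adjust to your own baseline.
WEAK = {"3des-cbc", "blowfish-cbc", "arcfour", "arcfour128", "arcfour256"}


def parse_name_list(name_list):
    """Split an SSH KEXINIT name-list ("a,b,c") into names, dropping empties."""
    return [name for name in name_list.split(",") if name]


def negotiate_cipher(client_list, server_list):
    """Apply the RFC 4253 rule: first client-preferred name the server also offers."""
    offered = set(parse_name_list(server_list))
    for name in parse_name_list(client_list):
        if name in offered:
            return name
    return None  # no common cipher: the connection fails at key exchange


def key_bits(cipher):
    """Key size for AES-style names such as aes128-ctr; None for other naming schemes."""
    m = re.match(r"aes(\d{3})-", cipher)
    return int(m.group(1)) if m else None


def assess(client_list, server_list, min_bits=128):
    """Negotiate and classify the result as ('ok'|'weak'|'none', chosen cipher)."""
    chosen = negotiate_cipher(client_list, server_list)
    if chosen is None:
        return ("none", None)
    if chosen in WEAK:
        return ("weak", chosen)
    bits = key_bits(chosen)
    if bits is not None and bits < min_bits:
        return ("weak", chosen)
    return ("ok", chosen)


if __name__ == "__main__":
    # Constructed sample lists. Same server offer, different client orderings:
    server = "aes256-ctr,3des-cbc"
    print(assess("aes128-ctr,aes256-ctr,3des-cbc", server))  # ('ok', 'aes256-ctr')
    print(assess("3des-cbc,aes256-ctr", server))             # ('weak', '3des-cbc')
    print(assess("aes128-gcm@openssh.com", server))          # ('none', None)
```

Because the client's ordering decides, the effective mitigation is to remove weak ciphers from the server's offered list rather than relying on clients to prefer strong ones.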
Public key authentication
Public-key authentication uses a public-private key pair. The public key is installed on the server and the private key resides with the user. Messages encrypted with the recipient's public key can only be decrypted with the corresponding private key. Note that it is practically impossible to derive the private key from the corresponding public key; therefore the security of the public key authentication mechanism depends largely on the user keeping the private key safe, and if it is lost the user account can be compromised. Keys are generated using asymmetric algorithms, typically RSA & DSA. While both of these algorithms are secure, it is generally accepted that RSA is faster at verification while DSA is faster at key generation.