FTP - Interoperability - Integrity Check How-To

In version 3.3, MOVEit DMZ opened up its FTP integrity check protocol so that non-MOVEit FTP clients can perform cryptographic integrity checks as well. (SmartFTP was the first non-MOVEit FTP client to take advantage of the open protocol.)

SHA-1 Cryptographic Integrity Check

Using integrity checks with MOVEit DMZ requires sending three short commands from the client to the server:

The local FTP client must be able to calculate SHA-1 hashes, of course. MD5 hashes MAY be allowed in the future, but only to support legacy FTP clients. CRC values will NEVER be allowed as they lack any cryptographic value and are thus almost useless in situations where "non-repudiation" is required.

Sample FTP Session

The following FTP session shows an FTP client session working with variations of the commands discussed above. A complete, successful integrity check has been highlighted in green.

ftp> QUOTE INTEGRITY H
200 Integrity mode selected
ftp> get HomePage.php
200 PORT command successful
150 RETR command started
226 Transfer complete. Integrity check pending.
ftp: 4890 bytes received in 0.70Seconds 6.79Kbytes/sec.
ftp> QUOTE XSHA1
500 XSHA1: parameters are incorrect
ftp> QUOTE XSHA1 HomePage.php
250 d6f63471acd1ab7dd647c86e6eea91d09f0fbb70
(at this point the FTP client calculates a SHA-1 hash
against the file it just downloaded and gets a
value of "d6f63471acd1ab7dd647c86e6eea91d09f0fbb70")
ftp> QUOTE HASH OK
200 Downloaded file has passed integrity check.
ftp> get HomePage.php
200 PORT command successful
150 RETR command started
226 Transfer complete. Integrity check pending.
ftp: 4890 bytes received in 0.64Seconds 7.45Kbytes/sec.
ftp> QUOTE XSHA1 HomePage.php
250 d6f63471acd1ab7dd647c86e6eea91d09f0fbb70
(at this point the FTP client calculates a SHA-1 hash
against the file it just downloaded and gets a
value of "c86e6eea91d09f0fbb70d6f63471acd1ab7dd647")
ftp> QUOTE HASH BAD
500 Downloaded file integrity check FAILED!
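
The client side of the session above in Python, as an added example (not part of the original page and not MOVEit code). It is written against the sendcmd/retrbinary interface of ftplib.FTP; verified_download and FakeServer are hypothetical names, and FakeServer is a constructed stand-in for a live connection so the block runs offline.

```python
import hashlib
import re
from ftplib import error_perm

XSHA1_REPLY = re.compile(r"^250 ([0-9a-fA-F]{40})\s*$")  # "250 <sha1 hex>"

def verified_download(ftp, name):
    """Fetch `name` in integrity mode; return (data, passed)."""
    ftp.sendcmd("INTEGRITY H")              # 200 Integrity mode selected
    local, chunks = hashlib.sha1(), []

    def on_block(block):                    # hash the bytes as they arrive
        local.update(block)
        chunks.append(block)

    ftp.retrbinary("RETR " + name, on_block)
    reply = ftp.sendcmd("XSHA1 " + name)    # server-side hash of the file
    m = XSHA1_REPLY.match(reply)
    passed = bool(m) and m.group(1).lower() == local.hexdigest()
    try:
        ftp.sendcmd("HASH OK" if passed else "HASH BAD")
    except error_perm:
        # The sample session answers HASH BAD with a 500 reply, which
        # ftplib raises as error_perm; only a rejected HASH OK is an error.
        if passed:
            raise
    return b"".join(chunks), passed

class FakeServer:
    """Constructed stand-in for an ftplib.FTP connection (not MOVEit)."""
    def __init__(self, stored, sent):
        self.stored, self.sent, self.log = stored, sent, []
    def sendcmd(self, cmd):
        self.log.append(cmd)
        if cmd.startswith("XSHA1 "):
            return "250 " + hashlib.sha1(self.stored).hexdigest()
        if cmd == "HASH BAD":
            raise error_perm("500 Downloaded file integrity check FAILED!")
        return "200 OK"
    def retrbinary(self, cmd, callback):
        callback(self.sent)
        return "226 Transfer complete. Integrity check pending."

if __name__ == "__main__":
    for sent in (b"<?php ?>", b"<?php ?!"):  # intact, then altered in transit
        print(verified_download(FakeServer(b"<?php ?>", sent), "HomePage.php")[1])
```

Against a real server, pass a logged-in ftplib.FTP (or FTP_TLS) object in place of FakeServer.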