
SSH - Protocol Discussion

This section contrasts SSH File Transfer Protocol ("SFTP") with FTP over SSL ("FTPS").

TIP: Despite the unfortunate similarity in name, SFTP (SSH File Transfer Protocol) is a completely different protocol than FTP over SSL (FTPS). SFTP consists of SSH with a set of file transfer commands, while FTPS is the traditional FTP protocol with SSL added in for some measure of security.

SFTP Standards (SSH File Transfer Protocol)

SFTP uses secure shell protocol (SSH) at its foundation. It leverages SSH for built-in in-transit security together with a specific set of user commands. These commands allow users to transfer files like they are accustomed to when using FTP but with all the security designed into the SSH protocol.

MOVEit Transfer implements Revision 3 (also referred to as Version 3) of the SFTP draft standard.

| IETF Standard/Draft Standard | Quick Description | Notes |
|---|---|---|
| SSH (RFC 4251) | A protocol used for communicating securely across an unsecured network. (In SFTP, the "S" denotes the SSH protocol.) | SSH is the industry standard for encrypted communication. MOVEit Transfer SSH supports the more secure and more popular version of SSH, SSH2 (Version 2.x). SSH uses a single connection channel for both data and commands. This characteristic makes it optimal for passing through firewalls. |
| SFTP (SSH File Transfer Protocol) | FTP-like user functions with the security of SSH. | SFTP is a de facto Internet standard for secure file transfer. MOVEit Transfer implements revision 3 (also referred to as version 3) of the SFTP draft standard, which includes the file transfer functionality from Draft 00, Draft 01, and Draft 02. |

Important: Although the SSH2 protocol is an established RFC through the IETF Community, the SFTP protocol that sits on top of it periodically underwent revisions to support different models of use. Some of these draft extensions have incompatible features with previous draft versions. MOVEit Transfer implements an early and widely adopted feature set of SFTP (Version 3).

FTPS (Traditional FTP over SSL)

FTPS describes traditional FTP running with SSL/TLS in order to add in-transit security.

| IETF Standard/Draft Standard | Quick Description | Notes |
|---|---|---|
| FTP (RFC 959) | File Transfer Protocol (no inherent security). | FTP is an official Internet standard. |
| FTPS | FTPS adds Secure Socket Layer protocol (RFC 2246), which is most commonly referred to as the latest evolution of SSL ("TLS"). | FTP uses a separate channel for controls (commands) and data. Typically, the data channel uses a port taken at random from a port range. For this reason, it is not always the best solution when crossing strict firewall boundaries. |

Command Structure

SFTP sessions consist of a series of command and response packets. The packets consist of structured binary information, including integer command codes and response codes. The commands correspond to file system I/O routines such as Open(), Read(), Write() and Close(). To download a file, for instance, the SFTP client must open the file with an Open command followed by a number of Read commands and a Close command.
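The binary packet structure described above, shown as an added example (this is not MOVEit Transfer code). It builds the OPEN, READ and CLOSE requests a client sends to download a file, using the packet and string framing of the version 3 draft (draft-ietf-secsh-filexfer-02), and parses them back with bounds checks so a truncated packet or an oversized length field raises instead of slicing past the data. The file name and the handle value are constructed placeholders; no server is involved.

```python
"""Build and parse SFTP version 3 packets.

Added example; it is not MOVEit Transfer code. The layout follows the
version 3 draft (draft-ietf-secsh-filexfer-02): every packet is
    uint32 length | byte type | payload
and every string is a uint32 length prefix followed by the bytes.
The request sequence built here (OPEN, READ..., CLOSE) is the one an
SFTP client sends to download a file.
"""
import struct

# Packet type codes from the version 3 draft.
SSH_FXP_INIT, SSH_FXP_VERSION = 1, 2
SSH_FXP_OPEN, SSH_FXP_CLOSE, SSH_FXP_READ, SSH_FXP_WRITE = 3, 4, 5, 6
SSH_FXP_STATUS, SSH_FXP_HANDLE, SSH_FXP_DATA = 101, 102, 103
SSH_FXF_READ = 0x00000001  # pflags bit: open the file for reading


def sftp_string(b: bytes) -> bytes:
    """SFTP 'string': uint32 length followed by the raw bytes."""
    return struct.pack(">I", len(b)) + b


def sftp_packet(ptype: int, payload: bytes) -> bytes:
    """Frame a payload: the length field counts the type byte plus payload."""
    return struct.pack(">IB", len(payload) + 1, ptype) + payload


def fxp_init(version: int = 3) -> bytes:
    """SSH_FXP_INIT carries only the client's protocol version."""
    return sftp_packet(SSH_FXP_INIT, struct.pack(">I", version))


def fxp_open(request_id: int, filename: str, pflags: int = SSH_FXF_READ) -> bytes:
    """SSH_FXP_OPEN: uint32 id, string filename, uint32 pflags, ATTRS.
    An ATTRS block whose flags word is 0 carries no attributes."""
    payload = (struct.pack(">I", request_id) + sftp_string(filename.encode("utf-8"))
               + struct.pack(">II", pflags, 0))
    return sftp_packet(SSH_FXP_OPEN, payload)


def fxp_read(request_id: int, handle: bytes, offset: int, length: int) -> bytes:
    """SSH_FXP_READ: uint32 id, string handle, uint64 offset, uint32 len."""
    payload = (struct.pack(">I", request_id) + sftp_string(handle)
               + struct.pack(">QI", offset, length))
    return sftp_packet(SSH_FXP_READ, payload)


def fxp_close(request_id: int, handle: bytes) -> bytes:
    """SSH_FXP_CLOSE: uint32 id, string handle."""
    return sftp_packet(SSH_FXP_CLOSE, struct.pack(">I", request_id) + sftp_string(handle))


def parse_packet(buf: bytes) -> tuple:
    """Split one packet off the front of buf -> (type, payload, remainder).
    The declared length is checked against the buffer so a truncated packet
    or an oversized length field raises instead of slicing past the data."""
    if len(buf) < 5:
        raise ValueError("need at least 5 bytes for length and type")
    (length,) = struct.unpack(">I", buf[:4])
    if length < 1 or len(buf) < 4 + length:
        raise ValueError("declared length exceeds available bytes")
    return buf[4], buf[5:4 + length], buf[4 + length:]


def parse_string(payload: bytes, pos: int) -> tuple:
    """Read one SFTP string at pos -> (bytes, new pos), bounds-checked."""
    if pos + 4 > len(payload):
        raise ValueError("missing string length")
    (n,) = struct.unpack(">I", payload[pos:pos + 4])
    pos += 4
    if pos + n > len(payload):
        raise ValueError("string length runs past end of payload")
    return payload[pos:pos + n], pos + n


def parse_read(payload: bytes) -> tuple:
    """Decode an SSH_FXP_READ payload -> (id, handle, offset, length)."""
    (request_id,) = struct.unpack(">I", payload[:4])
    handle, pos = parse_string(payload, 4)
    offset, length = struct.unpack(">QI", payload[pos:pos + 12])
    return request_id, handle, offset, length


def download_packets(filename: str, handle: bytes, size: int,
                     chunk: int = 32768) -> list:
    """Client-side packets for downloading a file of `size` bytes: one OPEN,
    ceil(size/chunk) READs with increasing offsets, one CLOSE. `handle` is
    the opaque string the server would return in SSH_FXP_HANDLE; here it is
    a constructed placeholder because no server is involved."""
    pkts = [fxp_open(1, filename)]
    rid = 2
    for offset in range(0, size, chunk):
        pkts.append(fxp_read(rid, handle, offset, min(chunk, size - offset)))
        rid += 1
    pkts.append(fxp_close(rid, handle))
    return pkts


def packet_types(stream: bytes) -> list:
    """Walk a byte stream of concatenated packets and list their type codes."""
    types = []
    while stream:
        ptype, _payload, stream = parse_packet(stream)
        types.append(ptype)
    return types


if __name__ == "__main__":
    pkts = download_packets("report.csv", b"h0", 40000)
    print(packet_types(b"".join(pkts)))  # [3, 5, 5, 4]
```

Two details worth noticing: every variable-length field carries its own length prefix, so a parser must validate each one against the bytes it actually holds, and the request id in each packet is what lets the client match an SSH_FXP_STATUS, SSH_FXP_HANDLE or SSH_FXP_DATA response to the request it answers.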

By contrast, FTP and FTP over SSL use ASCII commands delimited by CR LF. For example, to download a file, the client sends a "PORT" or "PASV" command to set up the data connection, followed by a "RETR" command specifying the filename.

Port Number and Firewalls

SSH uses a single TCP port number - usually port 22 - for all types of connections. By contrast, SSL uses different port numbers for different applications. For instance, port 443 is typically used for HTTP over SSL, and port 990 is used for one version of FTP over SSL. Furthermore, FTP requires multiple port numbers during file transfers, as each individual file transfer creates a new connection on a new port.

The fact that port 22 is used for all SSH services makes it a bit difficult to have multiple SSH server products running on the same computer. But this is rarely an issue for systems running MOVEit Transfer. More importantly, the fact that port 22 is the only port required for SFTP - there are no separate data ports - makes SFTP a more "firewall-friendly" protocol than FTP over SSL.
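The port behaviour described in this section and the ASCII command structure of the previous one, shown together as an added example (not MOVEit Transfer code). It parses the 227 reply an FTP server sends to PASV, computes the data port from the p1,p2 pair, builds the equivalent active-mode PORT command, and then lists which ports of a session a firewall with a given allow list would block. The reply lines, the address 192.0.2.10 (an RFC 5737 documentation address) and the port ranges are all constructed for the example.

```python
"""FTP passive-mode data ports versus the single SFTP port.

Added example; not MOVEit Transfer code. FTP replies are ASCII lines ending
in CR LF (RFC 959). The 227 reply to PASV names the data endpoint as
h1,h2,h3,h4,p1,p2, where the data port is p1*256 + p2 and is typically picked
from a server-side port range. The checker below lists which of a session's
ports a firewall with a given allow list would block; an SFTP session needs
only the SSH port, so the same check passes for it with one rule.
"""
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> tuple:
    """Return (host, port) from a 227 reply; rejects malformed octets."""
    m = PASV_RE.match(reply.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("data port 0 is invalid")
    return host, port


def format_port_command(host: str, port: int) -> str:
    """Active-mode counterpart: the PORT command the client would send,
    with the same h1..h4,p1,p2 encoding and CR LF terminator."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError("bad host or port")
    return "PORT " + ",".join(octets + [str(port >> 8), str(port & 0xFF)]) + "\r\n"


def ftps_session_ports(pasv_replies: list, control_port: int = 21) -> list:
    """Every TCP port an FTPS session touched: control plus one data port per transfer."""
    ports = {control_port}
    for reply in pasv_replies:
        ports.add(parse_pasv(reply)[1])
    return sorted(ports)


def sftp_session_ports(ssh_port: int = 22) -> list:
    """SFTP carries commands and data over one SSH connection."""
    return [ssh_port]


def blocked_ports(ports: list, allowed: list) -> list:
    """Ports not inside any (low, high) range of the firewall allow list."""
    return [p for p in ports if not any(lo <= p <= hi for lo, hi in allowed)]


# Constructed sample replies (RFC 5737 documentation address, not a real server).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,80)\r\n",   # port 50000
    "227 Entering Passive Mode (192,0,2,10,195,100)\r\n",  # port 50020
    "227 Entering Passive Mode (192,0,2,10,4,1)\r\n",      # port 1025, outside the range
]
# Constructed firewall rules: FTP control plus a 100-port passive range, and SSH only.
FTPS_ALLOW = [(21, 21), (50000, 50100)]
SSH_ALLOW = [(22, 22)]

if __name__ == "__main__":
    print(blocked_ports(ftps_session_ports(SAMPLE_REPLIES), FTPS_ALLOW))  # [1025]
    print(blocked_ports(sftp_session_ports(), SSH_ALLOW))                 # []
```

The third sample reply is the failure mode the text warns about: a server that hands out a data port outside the range the firewall was configured for makes that one transfer fail even though the control connection and the other transfers succeed. The SFTP check needs a single rule because there is no separate data connection to account for.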

Encryption and Certificates

Both SSH and SSL use public key cryptography to exchange a session key, which is then used to encrypt the commands and data transmitted over the network. The security of the algorithms used by SSH is similar to those used by SSL, but SSH does NOT support the concept of a Certificate Authority (CA).

SSL requires a certificate, which is usually purchased from a Certificate Authority like www.thawte.com. A certificate vouches for the identity of the server. SSH uses a different approach, in which each server creates its own public key. There is no trusted authority to vouch for the identity of an SSH server. To make up for this, by convention, each SSH client remembers the public key of each server it has ever connected to. If, on a subsequent connection attempt, the server presents a different public key, the SSH client will warn the user that the SSH server may be a hostile server masquerading as the original server.

As a result of these differences, FTP over SSL (FTPS) servers can be more cumbersome to administer than SSH/FTP (SFTP) servers. But by virtue of the more sophisticated certificate scheme, FTPS servers are slightly more secure.