Transferring Files Securely Using FTPS

Thursday, September 09, 2010 by David Muck.

FTPS is a protocol for transferring files that uses SSL to secure the commands and data exchanged between the client and the server. Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, FTP and other data transfers. The SSL protocol was developed by Netscape Communications Corporation to provide security and privacy over the Internet. Due to the widespread use of SSL, it can be considered a "de facto standard".

FTPS supports channel encryption as defined in RFC 2228. With FTPS, data transfers take place in a way designed to allow both parties to authenticate each other and to prevent eavesdropping, tampering, and forgery on the messages exchanged.

How FTPS Works

When establishing an SSL secure session, the following steps occur:

1. Authenticate the server to the client.

2. Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support.

3. Optionally authenticate the client to the server.

4. Use public-key encryption techniques to generate shared secrets.

5. Establish an encrypted SSL connection.

Server authentication allows a user to confirm a server's identity. SSL-enabled client software can use standard techniques of public-key cryptography to check that a server's certificate and public ID are valid and have been issued by a certificate authority (CA) listed in the client's list of trusted CAs. This confirmation might be important if the user, for example, is sending a credit card number over the network and wants to check the receiving server's identity.

The client encrypts the premaster secret with the server's public key. Only the corresponding private key can correctly decrypt the secret, so the client has some assurance that the identity associated with the public key is in fact the server with which the client is connected. Otherwise, the server cannot decrypt the premaster secret and cannot generate the symmetric keys required for the session, and the session will be terminated.
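The steps above, seen from the client side, as an added example that is not part of the original article: it uses Python's standard `ftplib.FTP_TLS` and `ssl` modules, with comments mapping each call to the numbered steps. The host name, account, file names and the TLS 1.2 floor are assumptions chosen for illustration.

```python
import ssl
from ftplib import FTP_TLS


def build_ftps_context(cafile=None, client_cert=None, client_key=None):
    """TLS settings for an FTPS client that authenticates the server."""
    # Step 1: require a certificate that chains to a trusted CA and matches
    # the host name (CERT_REQUIRED and check_hostname are the defaults here).
    ctx = ssl.create_default_context(cafile=cafile)
    # Step 2: restrict what may be negotiated. TLS 1.2 as the floor is an
    # assumption of this example, not a requirement stated in the article.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Step 3 (optional): present a client certificate to the server.
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def upload(host, user, password, local_path, remote_name, port=21, ctx=None):
    """Upload one file over explicit FTPS; returns the negotiated cipher."""
    ctx = ctx or build_ftps_context()
    with FTP_TLS(context=ctx, timeout=30) as ftps:
        ftps.connect(host, port)
        # Steps 4-5: AUTH TLS runs the handshake on the control channel.
        # A certificate that fails validation raises
        # ssl.SSLCertVerificationError before any credentials are sent.
        ftps.auth()
        cipher = ftps.sock.cipher()  # (name, protocol, secret_bits)
        ftps.login(user, password)
        # PROT P encrypts the data channel too; without it only the
        # commands are protected and file contents travel in clear text.
        ftps.prot_p()
        with open(local_path, "rb") as fh:
            ftps.storbinary("STOR " + remote_name, fh)
    return cipher


if __name__ == "__main__":
    # Placeholder host, account and file names; replace before running.
    print(upload("ftps.example.com", "demo", "demo-password",
                 "report.csv", "report.csv"))
```

Pass `cafile` when the server's certificate is issued by a private CA rather than one in the system trust store; disabling verification instead removes the server authentication described in step 1.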

Public Key Cryptography

Public key cryptography assures private and secure data transmission through two processes: authentication and encryption. Authentication ensures that the data sender is exactly who or what it claims to be. Encryption, the most effective way to achieve data security, is the process of translating data into a secret code. To demonstrate the difference between 56-bit, 128-bit and 256-bit encryption, consider the following example:

Sending information without encryption is like sending a postcard through the mail - the contents are visible to anyone who wants to see them. Using this analogy, 56-bit encryption is like sending the information in a plain white envelope, and 256-bit encryption is like encasing your data in a lead-lined, 6-inch thick titanium safe that is being transported by an armored tank with a convoy of a hundred armed guards.

Public and Private Keys

Authentication and encryption use digital codes called "keys" - a public and a private key. The public key is used to encrypt messages, and the corresponding private key is used to decrypt them. It is important to note, however, that despite their symbiotic association, it is virtually impossible to infer the private key if you know the public key.

The public key has two major functions: validation and data encryption. As its name suggests, the public key is openly published to any party requesting one of these two functions.

The private key, on the other hand, is necessary for encrypting data (also called signing) and for decrypting. Unlike the public key, this key is closely guarded.

Digital Certificates

Digital certificates are a standard way of binding a public key to a name. In order to provide a digital certificate, the data sender must apply for a digital certificate from a Certificate Authority (CA) such as VeriSign. This way, the CA acts as a neutral third party that verifies the data sender is who or what they claim to be. Once this information is verified, the CA can issue a public key certificate for that party to use. The most commonly used standard for digital certificates is X.509. A universal standard of this sort is necessary because in order to send encrypted data, you must know the recipient's public key.

Summary

FTPS should be used when you need to transfer sensitive or confidential data between a client and a server that is configured to use SSL for secure transactions.
