Protocols and Security

The Server supports the following protocols: FTP, FTPS, SFTP, HTTP, and HTTPS. The protocols are configured and enabled/disabled at the Site level, at the User Setting Level, or per user.

FTP

The FTP protocol is an interactive file-transfer mechanism that enables file transfers between Internet sites, or, more specifically, between two systems. It was created for transferring files independently of the operating system used, for example between a Macintosh and Windows PC. FTP’s more notable features include handling for specific error situations and ensuring that a file sent from point A to point B will get there reliably.

The FTP protocol specification (RFC 959) was published many years ago when security was not a priority issue. As security became a concern, secure mechanisms such as SSL and TLS were adapted to help protect the FTP session from being intercepted or exploited. Secure FTP Server provides security with FTPS (using SSL/TLS).

HTTP

HTTP is the communication protocol for establishing a connection with a Web server and transmitting HTML pages to the client browser or any other files required by an HTTP client application.

HTTP is often referred to as a "stateless" protocol. The connection between client and server is maintained only for the immediate request, after which it is closed. Each time you need something from the Server, your client (browser) makes a connection, gets that file, and then the connection is closed. Because you do not connect and stay connected, the browser remembers your username and password for you, so it can send the authentication hash along with every new connection request.

For example, when you put http://www.globalscape.com/gsftps/https.asp in your browser's address bar and press ENTER, your browser uses HTTP as specified in the URL to send a command to the Server running at the host name www.globalscape.com with the HTTP command "GET /gsftps/https.asp HTTP/1.1," and the Server replies with that file (the HTML that makes up the page). In that page, there are references to a number of files (e.g., images, CSS documents, flash files), and your browser makes a separate connection to get each one of those resources.

How does HTTP support in Secure FTP Server differ from a typical Web Server?

Secure FTP Server is primarily a file transfer server, not a Web server. This means it is not meant to "serve up" Web pages such as a typical Web server does for connecting HTTP clients (such as your Web browser). However, there are provisions for transferring files in the HTTP protocol, which is a convenience when a connecting partner, customer, or employee does not have an FTP client installed, but does have an HTTP client or access to a Web page with HTTP PUT capabilities (usually an ActiveX control or Java applet).

When the Server is configured to allow HTTP file transfers, any HTTP client will be able to PUT (upload) or GET (download) files to the Server, provided the client supports both of these HTTP commands. Most Web browsers only support the GET command or, if they support the PUT command, they provide no interface for browsing to the user's local file system in order to select and upload (PUT) files onto the Server. A few dedicated clients (such as CuteFTP Professional) and various thin clients (based on ActiveX controls or Java applets) support both PUT and GET capabilities, allowing these clients to transfer files to the Server in both directions.
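The stateless GET/PUT exchange described above, as an added example that is not part of the original help page or of Secure FTP Server's code: a toy HTTP file-transfer endpoint that checks Basic credentials on every connection, and a client that must send them with each request. The account, file paths and loopback port are constructed for the demonstration.

```python
import base64
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

USERS = {"alice": "s3cret"}   # constructed demo account
FILES = {}                    # in-memory site root: request path -> bytes

class TransferHandler(BaseHTTPRequestHandler):  # GET downloads, PUT uploads
    def _authorized(self):  # run for every request: HTTP keeps no session
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        try:
            user, _, pw = base64.b64decode(token).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return scheme == "Basic" and USERS.get(user) == pw

    def _reply(self, status, body=b""):
        self.send_response(status)
        if status == 401:  # tell the client which scheme to use
            self.send_header("WWW-Authenticate", 'Basic realm="transfer"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if not self._authorized():
            return self._reply(401)
        data = FILES.get(self.path)
        self._reply(200 if data is not None else 404, data or b"")

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain
        if not self._authorized():
            return self._reply(401)
        FILES[self.path] = body
        self._reply(201)

def start_server():
    srv = HTTPServer(("127.0.0.1", 0), TransferHandler)  # port 0: any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def transfer(port, method, path, user=None, password=None, body=None):
    """One request per connection; credentials, if given, go with each one."""
    headers = {} if user is None else {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}
    conn = HTTPConnection("127.0.0.1", port)
    conn.request(method, path, body=body, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()
```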

HTTP Limitations in Secure FTP Server

HTTPS

HTTPS is the protocol for accessing a secure Web server when authentication and encrypted communication are possible. Using HTTPS in the URL instead of HTTP directs the message to a secure port number rather than the default Web port number of 80. The default TCP/IP port of HTTPS is 443. The session is then managed by a security protocol. HTTPS encrypts the session data using the SSL (Secure Socket Layer) protocol, ensuring reasonable protection from eavesdroppers and man-in-the-middle attacks.

Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection from a client to a server with SSL capabilities. The server is responsible for sending the client a certificate and a public key for encryption. If the client trusts the Server's certificate, an SSL connection can be established. All data passing from one side to the other will be encrypted. Only the client and the Server will be able to decrypt the data. The SSL protocol is the same protocol used in FTPS.

The following elements work together to establish a secure HTTPS connection:

Client: The client must have SSL capabilities.

Certificate: Certificates are digital identification documents that allow both servers and clients to authenticate each other. A certificate file has a .crt extension. Server certificates contain information about your company and the organization that issued the certificate (such as Verisign or Thawte) while client certificates contain information about the user and the organization that signed the certificate. You can choose to either trust or distrust a certificate. In some cases, the client's certificate must be signed by the Server's certificate in order to establish an SSL connection.

Session Key: The client and the Server use the session key to encrypt data. It is created by the client via the Server's public key.

Public Key: The client encrypts a session key with the Server’s public key. It does not exist as a file, but is produced when a certificate and private key are created.

Private Key: The Server's private key decrypts the session key sent by the client. The private key has a .key extension and is part of the public-private key pair.

Certificate Signing Request: A certificate signing request is generated each time a certificate is created. A certificate signing request has a .csr extension. This file is used when you need to have your certificate signed. Once the Certificate Signing Request file is signed, a new certificate is made and can be used to replace the unsigned certificate.

In Web pages that use HTTPS, the URL begins with https rather than http. HTTP clients should connect using standard requests (i.e. https://domain_name). You can configure the Server to provide connecting clients with a certificate, and even require that the client provide a certificate upon connection (to validate the client's identity further).

FTPS, SSL, and TLS

FTPS is an enhancement to standard FTP that uses standard FTP commands (and protocol) over secure sockets. FTPS adds SSL security in both the protocol and data channels. FTPS is also known as FTP-SSL and FTP-over-SSL. You might also see the term SSL used in conjunction with TLS. SSL has been merged with other protocols and authentication methods into a new protocol known as Transport Layer Security (TLS). The Server employs SSL/TLS to perform FTPS to keep your data secure.

Secure Socket Layer (SSL) is a protocol for encrypting and decrypting data across a secure connection from a client to a server with SSL capabilities. The server is responsible for sending the client a certificate and a public key for encryption. If the client trusts the Server's certificate, an SSL connection can be established. All data passing from one side to the other will be encrypted. Only the client and the Server will be able to decrypt the data.

The Server supports SSL for client and server authentication, message integrity, and confidentiality. You can configure the Server's security features to verify users' identities, to allow users to verify your identity, and to encrypt file transfers. The key to understanding how SSL works is to understand the elements that take part in the process.

The following elements work together to establish a secure SSL connection:

SSL must first be enabled at the Site and Server level, and can then be enabled per User Setting Level and User. The Server provides administrators the ability to specify the symmetric key ciphers (the algorithms used for encryption) and the ordering of those ciphers for establishing SSL sessions. The Server validates inbound SSL sessions, and allows or denies connections based on the specified or approved ciphers.
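As an added example (not code from this help page or from Globalscape), a client-side TLS configuration that follows the HTTPS and FTPS points above: the Server's .crt is trusted explicitly, a client .crt/.key can be presented where the Server requires one, only TLS 1.2 or later with an ordered, restricted cipher list is accepted, and the FTPS session protects both the command and data channels, with an audit helper that flags the common "trust any certificate" setting. The file paths, host, account and cipher preference are assumptions; the same context can also be passed to http.client.HTTPSConnection(context=ctx).

```python
import ssl
from ftplib import FTP_TLS

def secure_context(ca_file=None, client_cert=None, client_key=None):
    """Client TLS settings shared by HTTPS and FTPS. ca_file is the Server's .crt
    (or its issuer's); client_cert/client_key are our .crt/.key, given when the
    Server requires a client certificate. All paths are hypothetical."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # refuse SSLv3, TLS 1.0 and 1.1
    # Ordered preference: forward-secret AEAD suites; no NULL, export or MD5 ciphers.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx

def unverified_context():
    """The 'just make it work' setting that trusts any certificate; built only so
    that audit_context can show what it flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx):
    """Findings a reviewer would raise against a client TLS configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS older than 1.2 allowed")
    weak = ("RC4", "DES", "NULL", "EXP", "MD5")
    findings += [f"weak cipher enabled: {c['name']}" for c in ctx.get_ciphers()
                 if any(w in c["name"] for w in weak)]
    return findings

def ftps_list(host, user, password, ctx, port=21):
    """Explicit FTPS: TLS on the command channel before credentials are sent,
    then PROT P so listings and file data are encrypted as well."""
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, port)
    ftp.auth()               # AUTH TLS: upgrade the control connection
    ftp.login(user, password)
    ftp.prot_p()             # protect the data channel too
    names = ftp.nlst()
    ftp.quit()
    return names
```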

Secure FTP Server supports two levels of authentication with SSL:

SFTP (SSH)

The SFTP module is optional and requires purchase of an SFTP module license.

SFTP is an FTP-like protocol that uses SSH1 and SSH2 protocols to provide security. When clients make an SFTP (SSH2) connection with the Server, there are two components or layers involved: the Transport and Authentication layers.

Transport Layer

When users first attempt to connect to your SFTP site, the user's client software and the server determine whether the transmission should be encrypted or clear, compressed or uncompressed, which Message Authentication Code (MAC) to use, and what kind of encryption (cipher) to use.

Once the encryption method is chosen:

  1. The Server sends a public key to the client.

  2. The client generates a session key, and encrypts it with the server’s public key.

  3. The client then sends the encrypted session key back to the server.

  4. The server then decrypts the session key with its private key, and from that point on all transmitted data is encrypted with the session key.

Authentication Layer

After the Transport Layer is established, the server attempts to authenticate the client.

There are two methods the Server can use for authentication.

To use this method, the client will need a private key and public key. The public key is passed to the Server. The Server encrypts a random number with the public key and sends it to the client.

Using this method, the client sends its password to the server. The client does not need to encrypt the password explicitly, because it is automatically encrypted by the Transport Layer described above. With this type of authentication, the connection will fail if the Transport Layer cannot encrypt the data.

After the encryption method is established and authentication is complete, the two systems are ready to exchange secure data. The client opens its SFTP session inside the encrypted tunnel, the Server responds, and the user can then transfer files securely.