What is FTPS?
FTPS (also known as FTP Secure) is an evolution of the widely used File Transfer Protocol (FTP). Because FTP is not typically considered a secure file transfer channel, FTPS was proposed as an alternative in RFC 2228. FTP provides the foundation for FTPS, but the latter adds an encryption layer: in FTPS, FTP data travels through the network using either the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol.
Just like FTP does, FTPS also works in a client-server model, utilizing a control channel and a data channel for exchanging FTP commands and data during an FTPS client session.
How Security Works In FTPS
An FTPS connection is authenticated with a user ID, password and public key certificate (similar to how HTTPS works). Tools such as OpenSSL allow key certificates to be requested and created. An FTPS client, when connecting to an FTPS server, will first verify the trustworthiness of the server’s certificate.
- When a trusted certificate authority (CA) signs these certificates, the client can confirm that it is connected to a trusted and secure server, which helps protect against man-in-the-middle attacks.
- Certificates not signed by a trusted CA, which are known as self-signed certificates, may prompt the FTPS client to generate a warning that the certificate is not valid. The client can choose to accept the certificate or reject the connection.
FTPS (over SSL/TLS) uses X.509 certificates for authentication. These digital certificates include a public encryption key and information about the certificate owner. The public key has two major functions: validation and data encryption. The public key has an associated private key, which is stored separately from the certificate and is used to decrypt messages encrypted with the public key.
Implicit FTPS and Explicit FTPS
Implicit FTPS refers to sessions where both the command and data channels are encrypted at all times. SSL/TLS encryption is implied from the beginning of the session, which means a secure FTPS connection is mandatory. In this scenario, a non-FTPS client will not be allowed to communicate with the FTPS server. The FTPS server uses a dedicated port (990) for these secure connections.
Implicit FTPS consumes a lot of network bandwidth and computational resources because encryption happens in both the command and data channels. In a scenario where a user wants to upload non-confidential files to the FTPS server, an explicit FTPS connection would be used instead of an implicit FTPS connection.
In explicit FTPS, the client directly requests security from the FTPS server. This is an optional request. If a client does not request security, the FTPS server can either allow the client to continue in unsecure mode or refuse or limit the connection.
Explicit FTPS can be used in scenarios where the requirement is to secure only the command channel (which carries the commands and user authentication), and not the data channel (which carries non-confidential FTP data). Port 21 is the default port used by the FTP server to communicate with the client. This allows both unsecure FTP and secure FTPS clients to connect to the FTPS server.
For organizations adhering to federal regulatory compliance standards, implicit FTPS is recommended.
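The two modes described above, as an added example in Python using the standard-library ftplib client (example code, not part of the original page or of Serv-U): explicit FTPS connects on port 21 and upgrades the control channel with AUTH TLS before credentials are sent, then uses PROT P to protect the data channel as well; implicit FTPS wraps the socket in TLS on port 990 before any FTP reply is read. Both paths verify the server certificate against a CA bundle instead of accepting self-signed certificates. The host, user and password arguments are placeholders supplied by the caller.

```python
import ssl
from ftplib import FTP_TLS

IMPLICIT_FTPS_PORT = 990   # implicit FTPS: TLS from the first byte, no plaintext phase
EXPLICIT_FTPS_PORT = 21    # explicit FTPS: starts as plain FTP, upgraded by AUTH TLS


def make_tls_context(cafile=None):
    """Client context that rejects untrusted or self-signed server certificates."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # refuse SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


class ImplicitFTP_TLS(FTP_TLS):
    """ftplib only speaks explicit FTPS; for implicit mode, wrap the control socket
    in TLS the moment connect() creates it, before the 220 welcome is read."""

    def __init__(self, *args, **kwargs):
        self._sock = None                 # must exist before FTP.__init__ may call connect()
        super().__init__(*args, **kwargs)

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value


def connect_explicit(host, user, password, context, port=EXPLICIT_FTPS_PORT):
    """Explicit FTPS: AUTH TLS on the control channel, then PROT P for data."""
    ftps = FTP_TLS(context=context)
    ftps.connect(host, port)
    ftps.auth()                 # sends AUTH TLS; credentials are never sent in clear
    ftps.login(user, password)
    ftps.prot_p()               # sends PBSZ 0 / PROT P; without it data transfers stay clear
    return ftps


def connect_implicit(host, user, password, context, port=IMPLICIT_FTPS_PORT):
    """Implicit FTPS: TLS is already up when login() runs, so no AUTH TLS is sent."""
    ftps = ImplicitFTP_TLS(context=context)
    ftps.connect(host, port)
    ftps.login(user, password)
    ftps.prot_p()               # data channel is still negotiated separately in implicit mode
    return ftps
```

In explicit mode, leaving out prot_p() reproduces the "command channel only" configuration the text describes: the login is protected but file contents cross the network in clear text.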
Benefits of FTPS over FTP
- Communication can be read and understood by humans
- FTPS can be used for server-to-server file transfer requirements
- SSL/TLS has good authentication mechanisms, including X.509 certificate features
- Many Internet communication frameworks have built-in FTP and SSL/TLS support
FTPS File Transfer with Serv-U MFT Server
Serv-U® Managed File Transfer (MFT) Server supports secure file transfer protocols such as FTP, FTPS, SFTP, and HTTP/S. Serv-U MFT Server also supports FIPS 140-2 validated cryptography. Enabling FIPS 140-2 mode limits Serv-U to encryption algorithms certified to be FIPS 140-2 compliant and ensures the highest level of security for encrypted connections.