The Key Differences Between SFTP and FTP
Are SFTP and FTP the same? While they originate from the same ballpark, the answer to this question is ultimately NO.
Secure File Transfer Protocol or SSH File Transfer Protocol (SFTP) and File Transfer Protocol (FTP) are NOT the same thing. SFTP, not to be confused with FTP Secure (FTPS), is a network protocol which allows file access, transfer, and management over a secure data stream. It is an extension of version 2.0 of the Secure Shell (SSH) protocol, and its sole purpose is to provide secure transfer capabilities while working alongside other protocols. FTP is a network protocol which is used to exchange files over a Transmission Control Protocol (TCP) and Internet Protocol (IP) network.
FTP Basics
FTP is a popular file transfer method that has been around longer than the world wide web – and it hasn’t changed much since its invention. When FTP was created, it wasn’t automatically assumed that internet activity could be malicious, so FTP wasn’t constructed to deal with the kind of cybersecurity threats we now face today.
FTP exchanges data using two separate channels known as the command channel and data channel. With FTP, both channels are unencrypted, leaving any data sent over these channels vulnerable to being intercepted and read.
SFTP Basics
SFTP works over the Secure Shell (SSH) data stream to establish one secure connection and provide organizations with a higher level of file transfer protection. SFTP uses encryption algorithms to securely move data to your server and keep files unreadable during the process, while authentication prevents unauthorized file access during the operation.
While SFTP doesn’t require two-factor authentication, you do have the choice to require both a user ID and password, as well as SSH keys, for a more secure connection. Creating SSH keys helps prevent imposters from connecting to the server. SSH key pairs must be generated beforehand.
SFTP also gives you the option to perform a wide variety of tasks for sensitive files, from removing files to resuming dropped transfers.
How does SFTP Authenticate?
SFTP provides two main methods for authenticating connections. Similar to FTP, you can simply use a user ID and password. However, with SFTP these credentials are sent over the encrypted connection, which gives SFTP a major security advantage over FTP.
The other authentication method you can use with SFTP is SSH keys. This involves first generating an SSH key pair consisting of a private key and a public key. You then send your SSH public key to your trading partner, who loads it onto their server and associates it with your account. When you connect to their SFTP server, your client software presents your public key to the server for authentication. If the public key the server has on file matches the private key your client holds, along with any user ID or password supplied, then the authentication will succeed.
User ID authentication can be used with any combination of key and/or password authentication.
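As an added illustration (not code from the original article), the challenge/response that SSH key authentication rests on, written in Go with the standard library's Ed25519: the partner's server stores only your public key, your client signs per-session data with the private key it never sends, and "matching" means the signature verifies against the stored key. The Server type, the "partner" account name and the random nonce are constructed for this example; real SSH signs data derived from the session ID rather than a bare nonce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server side: the "authorized keys" the trading partner loaded for each account.
type Server struct {
	authorized map[string]ed25519.PublicKey
}

// Challenge is the per-session data the client must sign. In real SSH this is
// derived from the session ID and the auth request; a random nonce stands in here.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Authenticate checks that the signature over the challenge was produced by the
// private key corresponding to the public key stored for the account. The server
// never sees the private key; it only verifies a signature.
func (s *Server) Authenticate(user string, challenge, sig []byte) error {
	pub, ok := s.authorized[user]
	if !ok {
		return errors.New("no key registered for account")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify against stored public key")
	}
	return nil
}

// Client side: sign the server's challenge with the private key kept locally.
func ClientSign(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed example key pair
	srv := &Server{authorized: map[string]ed25519.PublicKey{"partner": pub}}
	ch, _ := srv.Challenge()
	fmt.Println("registered key:", srv.Authenticate("partner", ch, ClientSign(priv, ch)))
	_, other, _ := ed25519.GenerateKey(rand.Reader) // an impostor's key, never registered
	fmt.Println("impostor key:  ", srv.Authenticate("partner", ch, ClientSign(other, ch)))
}
```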
The Main Differences
Encryption – The biggest and most crucial difference between FTP and SFTP is that one is encrypted (SFTP) while the other is not (FTP). SFTP is a much more secure protocol than FTP, because files sent and received using “standard” FTP travel unencrypted. This means that even if the connection itself is secure, the transmission may not be, and any data in transit can potentially be intercepted by a person with malicious intentions.
Firewalls – The design of the FTP protocol uses just one channel (port 21) for sending commands and receiving acknowledgements. However, it has to open other channels dynamically in order to send files. Although the client and server software negotiate these channels immediately, this poses an issue for client-side firewalls because a large number of ports need to be open to the server’s IP address in order for the protocol to operate through the firewall unabated. SFTP is more friendly to today’s client-side firewalls since it only requires a single port (22) to be open for sending controls and for sending or receiving data files.