File Transfer Protocol Secure (FTPS) is a secure file transfer protocol based on File Transfer Protocol (FTP). It was created as a substitute for FTP, which sends usernames, passwords and data in plaintext. That means anyone can intercept, read or sell confidential information sent with FTP.
Does FTPS use TCP or UDP?
FTPS uses Transmission Control Protocol (TCP), not User Datagram Protocol (UDP). Here’s why that matters:
With TCP, the sending computer checks to make sure the other computer is ready to receive files. With UDP, the sending computer sends files without making sure they’ll be received. That means there’s a risk of files arriving out of order or not at all.
TCP verifies that the receiving computer is ready to receive files with a three-way handshake:
- Sending computer sends a message called a SYN.
- Receiving computer sends a message back called a SYN ACK.
- Sending computer acknowledges the receiving computer’s message with an ACK.
Does FTPS use SSL, TLS or SSH?
FTPS uses Secure Sockets Layer (SSL) or Transport Layer Security (TLS), not Secure Shell (SSH), to encrypt files. The client and server negotiate together to decide whether to use SSL or TLS.
The client and server agree on a key to use for encryption with an SSL/TLS handshake. For this example, we’ll assume the client supports TLS:
- Client sends a Hello message with the version number and the cipher suite it can support.
- The server chooses the cipher suite based on the client’s available cipher suites. It sends a certificate, which includes the server’s public key. The public key is the server’s way of presenting its identity to the client: it encrypts data and can be shared with anyone, while the private key decrypts data and shouldn’t be shared with anyone. Finally, the server sends a Hello Done message.
- The client checks the certificate to make sure it hasn’t expired. It generates a pre-master secret based on the server’s public key and encrypts the secret with the public key. The server decrypts the pre-master secret with its private key.
Symmetric Encryption Key Generation
- The client generates a symmetric encryption key based on the pre-master secret. It sends a Client Finished message.
- The server generates a symmetric encryption key based on the pre-master secret too.
Change Cipher Spec and Send Data
- Server sends a message called Change Cipher Spec. This message tells the client that the negotiations are changing from asymmetric encryption to symmetric encryption. The server sends a Server Finished message.
- Data is encrypted and sent.
Does FTPS need a certificate?
Yes, FTPS needs a certificate because it uses SSL/TLS.
How does FTPS work?
- TCP handshake.
- SSL or TLS handshake.
- Data is encrypted and sent.
FTPS uses TCP port 21 if it’s an explicit connection and TCP port 990 if it’s an implicit connection.
The client and server negotiate a port for passive or active transfers. Passive transfers are on TCP ports 3000-3050. Active transfers are on TCP port 20.
Both the client and server generate an encryption key to encrypt the data with.
FTPS vs SFTP and HTTPS
SSH File Transfer Protocol (SFTP) and Hypertext Transfer Protocol Secure (HTTPS) are two other encrypted file transfer protocols that are sometimes used instead of FTPS.
| Category | FTPS | SFTP | HTTPS |
| --- | --- | --- | --- |
| Speed | A bit faster than SFTP because FTPS uses two different connections that run asynchronously to achieve the highest data transfer speed possible. | SFTP is a bit slower than FTPS because synchronization packets are sent on the same channel as data packets. | HTTPS has better download speeds, but it isn’t great for uploading. It also doesn’t transfer large files quickly. |
| Ease of Implementation | More difficult than SFTP to implement because you need to open multiple ports. | Considered the easiest FTP protocol to implement because only one port needs to be open. | Very firewall-friendly and no need to open ports. |
| Great for | When you need to track user movement during sessions because FTPS logs all of that. | When you need a secure file transfer protocol that is also easy to configure. | When you need secure web-based file transfers and fast downloads. |
| Security | Equal to SFTP and HTTPS in security because it encrypts usernames, passwords and contents of data. | Equal to FTPS and HTTPS in security because it encrypts usernames, passwords and contents of data. | Equal to FTPS and SFTP in security because it encrypts usernames, passwords and contents of data. |
Other factors that affect file transfer speed include:
- Speed of each machine’s disk
- Speed of the network
- Network tuning
- Machine tuning
Is FTPS secure enough?
The answer to this depends on what you’re using FTPS for. If you’re using FTPS to send non-confidential files to family or friends, it’s probably fine.
But if you’re using FTPS servers with no additional security measures in place, it’s probably not secure enough.
For example, if your organization needs to achieve Payment Card Industry Data Security Standard (PCI DSS) compliance you’d also need:
- A secure firewall configuration
- Data encryption at rest
- Antivirus software
- Restrictions on access to data on a need-to-know basis, and more.
Implicit vs Explicit FTPS
| Category | Implicit FTPS | Explicit FTPS (FTPES) |
| --- | --- | --- |
| Port Number | Port 990 | Port 21 |
| Popularity | Deprecated because it’s never been formally standardized. No standard means no implementation is correct. | More used because it has a standard and strict rules and guidelines on how to implement it. |
| If client doesn’t meet security requirements | Server drops connection. | Connection is declined or transfer is made insecurely using FTP. |
| Encryption | SSL/TLS connection is established immediately, which means everything (login and file transfer) is encrypted. | Users can choose what is encrypted: just the credentials, credentials and the file or only the file. |
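The two explicit-FTPS behaviours in the table (a transfer silently falling back to plain FTP, and a data channel left unencrypted because only the credentials were protected) are exactly what an operator wants to spot in server logs. The following is an added example, not code from the article or from Thru: it audits a constructed control-channel transcript of an explicit FTPS session on port 21, applying the RFC 4217 rules that the control channel is cleartext until the server answers AUTH TLS with 234, and the data channel stays cleartext (PROT C) until PROT P is accepted. Command names, reply codes and the transcript format are assumptions of this example.

```python
# Added example: audit an explicit FTPS (FTPES) control-channel transcript for
# cleartext exposure. Transcripts are constructed, not from the article; each
# line is "C: <command>" or "S: <reply>" as captured from a port-21 session.
TRANSFER_CMDS = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}

def audit_ftpes(lines):
    """Return which parts of the session were protected, per RFC 4217 rules:
    control is clear until the server answers AUTH TLS with 234, and the data
    channel stays clear (PROT C) until PROT P is accepted with a 2xx reply."""
    result = {"control_encrypted": False, "credentials_in_clear": False,
              "data_in_clear": False, "downgraded": False}
    prot, last, auth_refused = "C", None, False
    for raw in lines:
        side, _, text = raw.partition(": ")
        parts = text.split()
        if not parts:
            continue
        if side == "C":
            last = (parts[0].upper(), parts[1:])   # remember the pending command
            cmd, args = last
            if cmd in ("USER", "PASS") and not result["control_encrypted"]:
                result["credentials_in_clear"] = True
                result["downgraded"] |= auth_refused  # TLS refused, logged in anyway
            elif cmd in TRANSFER_CMDS and prot != "P":
                result["data_in_clear"] = True        # transfer over a clear data channel
        elif side == "S" and last:
            cmd, args = last
            code = parts[0]
            if cmd == "AUTH" and args and args[0].upper() in ("TLS", "SSL"):
                if code == "234":
                    result["control_encrypted"] = True
                else:
                    auth_refused = True
            elif cmd == "PROT" and args and code.startswith("2") and result["control_encrypted"]:
                prot = args[0].upper()
            last = None                                # later replies (150/226) are not commands
    return result

GOOD_SESSION = [          # constructed: TLS before login, PROT P before the transfer
    "S: 220 FTP server ready", "C: AUTH TLS", "S: 234 AUTH TLS successful",
    "C: PBSZ 0", "S: 200 PBSZ=0", "C: PROT P", "S: 200 Protection set to Private",
    "C: USER alice", "S: 331 Password required", "C: PASS ********",
    "S: 230 Login successful", "C: PASV", "S: 227 Entering Passive Mode (192,0,2,10,11,184)",
    "C: RETR report.csv", "S: 150 Opening data connection", "S: 226 Transfer complete",
]
DOWNGRADED_SESSION = [    # constructed: server refuses AUTH TLS, client continues as plain FTP
    "S: 220 FTP server ready", "C: AUTH TLS", "S: 502 Command not implemented",
    "C: USER alice", "S: 331 Password required", "C: PASS ********",
    "S: 230 Login successful", "C: RETR report.csv", "S: 226 Transfer complete",
]
```

Running `audit_ftpes` over the second transcript flags both the cleartext credentials and the downgrade; dropping the PROT P exchange from the first transcript shows the "credentials only" case, where login is encrypted but the file goes in the clear.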
Is FTPS enough for your business?
FTPS is more secure than FTP because it encrypts data, but it doesn’t have everything you need to completely secure file transfers.
Thru, our cloud managed file transfer (MFT) platform, includes many security features to help you remain compliant with GDPR and HIPAA, including:
- File payload encryption with Pretty Good Privacy (PGP)
- Encryption at rest
- Role-based access controls
- Antivirus scanning
- Multi-factor authentication