
SFTP does not have anything in common with FTP

SFTP (the SSH File Transfer Protocol, commonly expanded as "secure FTP") is a file-transfer protocol that runs over SSH. Unlike standard FTP, it encrypts both commands and data, preventing passwords and sensitive information from being transmitted in the clear over the network. It is functionally similar to FTP, but because it uses a different protocol, you can't use a standard FTP client to talk to an SFTP server, nor can you connect to an FTP server with a client that supports only SFTP.
SFTP is most often confused with FTPS and vice versa. However, while FTP and FTPS are closely related, SFTP and FTPS are not related at all. SFTP is actually a subsystem of the SSH (Secure Shell) protocol and typically runs on port 22. Unlike FTP/S, SFTP has no concept of separate command and data channels; instead, both data and commands are transferred as specially formatted packets over a single connection. Furthermore, unlike explicit FTPS (where SSL/TLS is negotiated on demand), SFTP encrypts the entire session and offers no way to switch between unencrypted and encrypted mode.

Encryption methods for SFTP and FTPS

Both FTPS and SFTP use a combination of an asymmetric algorithm (RSA, DSA), a symmetric algorithm (DES/3DES, AES, Twofish etc.) and a key-exchange algorithm.
For authentication, FTPS (more precisely, the SSL/TLS protocol underneath FTP) uses X.509 certificates, while SFTP (the SSH protocol) uses SSH keys.
An X.509 certificate includes the public key and certain information about the certificate owner. This information lets the other side verify the integrity of the certificate itself and the authenticity of the certificate owner. Verification can be done by a computer and, to some extent, by a human. An X.509 certificate has an associated private key, which is usually stored separately from the certificate for security reasons.
An SSH key contains only a public key (the associated private key is stored separately). It contains no information about the owner of the key, nor any information that lets one reliably validate its integrity and authenticity. Some SSH software implementations use X.509 certificates for authentication, but in fact they don't validate the whole certificate chain; only the public key is used, which makes such authentication incomplete and similar to plain SSH key authentication.
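As an added illustration (not code from the original post), the following Python builds, parses and fingerprints an OpenSSH ed25519 public key line the way ssh-keygen -lf does, making visible that the key carries nothing but an algorithm name and raw key material, so the only validation available is a comparison against a fingerprint obtained out of band. The key bytes are synthetic and the helper names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(data: bytes) -> bytes:
    """SSH 'string' (RFC 4251): big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def build_ed25519_key_line(raw_pubkey: bytes, comment: str = "") -> str:
    """Build an OpenSSH public key line: 'ssh-ed25519 <base64 blob> [comment]'."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are exactly 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)
    return ("ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " " + comment).rstrip()

def parse_key_line(line: str) -> dict:
    """Decode the blob and walk its length-prefixed fields: algorithm name, then key material."""
    # Note what is absent: no owner name, issuer, validity period or signature.
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[offset:offset + length])
        offset += length
    if not fields or fields[0] != key_type.encode("ascii"):
        raise ValueError("algorithm name inside the blob does not match the line")
    return {"type": key_type, "blob": blob, "fields": fields[1:],
            "comment": parts[2] if len(parts) == 3 else ""}

def fingerprint(line: str) -> str:
    """Fingerprint in the form 'ssh-keygen -lf' prints: SHA256:<unpadded base64 of sha256(blob)>."""
    digest = hashlib.sha256(parse_key_line(line)["blob"]).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def host_key_matches_pin(line: str, pinned_fingerprint: str) -> bool:
    """The only validation an SSH key allows: compare against a fingerprint obtained out of band."""
    try:
        return hmac.compare_digest(fingerprint(line), pinned_fingerprint)
    except (ValueError, struct.error):
        return False

# Constructed sample: 32 synthetic key bytes, not any real host's key.
SAMPLE_KEY_LINE = build_ed25519_key_line(bytes(range(32)), "sample@example.invalid")
```

A pin obtained from the server administrator is compared with fingerprint(SAMPLE_KEY_LINE); a mismatch, a truncated blob or a line whose outer type disagrees with the blob all fail closed.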

SFTP vs FTPS, what to choose

While FTP is very popular, it has certain disadvantages that make it harder to use. The major drawbacks are:
· lack of a uniform format for directory listings (this problem has been partially solved by introducing the MLST command, but some servers don't support it) and
· the presence of a secondary connection (the DATA connection).
Security in FTP is provided by employing the SSL/TLS protocol for channel encryption. The secured version of FTP is called FTPS.
As usual, the answer depends on your goals and requirements. In general, SFTP is technologically superior to FTPS. Of course, it's a good idea to implement support for both protocols, but they differ in concept, in supported commands and in many other things.
It's a good idea to use FTPS when you have a server that needs to be accessed from personal devices (smartphones, PDAs etc.) or from specific operating systems that have FTP support but no SSH/SFTP clients. If you are building a custom security solution, SFTP is probably the better option.
As for the client side, the requirements are defined by the server(s) you plan to connect to. When connecting to Internet servers, SFTP is more popular because Linux and UNIX servers support it by default.
For private host-to-host transfer you can use either SFTP or FTPS. For FTPS you would need to find free FTPS client and server software or purchase a license for a commercial one. For SFTP you can install the OpenSSH package, which provides free client and server software.

SFTP and FTPS – pros and cons

SFTP pros:
· Good standards background which strictly defines most (if not all) aspects of operations
· Only one connection (no need for a DATA connection)
· The connection is always secured
· The directory listing is uniform and machine-readable
· The protocol includes operations for permission and attribute manipulation, file locking and more functionality

SFTP cons:
· The communication is binary and can't be logged "as is" for human reading
· SSH keys are harder to manage and validate
· The standards define certain things as optional or recommended, which leads to certain compatibility problems between different software titles from different vendors
· No server-to-server copy and recursive directory removal operations
· No built-in SSH/SFTP support in VCL and .NET frameworks

FTPS pros:
· Widely known and used
· The communication can be read and understood by a human
· Provides services for server-to-server file transfer
· SSL/TLS has good authentication mechanisms (X.509 certificate features)
· FTP and SSL/TLS support is built into many internet communication frameworks

FTPS cons:
· Doesn't have a uniform directory listing format
· Requires a secondary DATA channel, which makes it hard to use behind firewalls
· Doesn't define a standard for file name character sets (encodings)
· Not all FTP servers support SSL/TLS
· Doesn't have a standard way to get and change file and directory attributes