Comparison of FTP, FTPS, and SFTP
The File Transfer Protocol (FTP) enables simple and direct file transfers between different computer systems. FTP utilizes TCP as its transport protocol and can handle binary data as well as text data (with special handling of line breaks for different systems). File transfers are initiated and controlled by the local client system. Authentication to access the target host is granted by checking a username and password. FTP has two channels, a control channel and a data channel, which are both unencrypted.
FTPS is short for FTP over SSL and is a common encrypted file transfer method based on FTP. Here, both the control channel and the data channel are sent over an encrypted SSL or TLS connection. Usually, the encryption itself is done with AES (Advanced Encryption Standard), where the key can be up to 256 bits long. Even server-to-server transfers (via FXP, short for File Exchange Protocol) can be done over encrypted SSL/TLS connections, but that is not standardized yet and there are several technical possibilities to implement this, e.g. SSCN (Set Secured Client Negotiation). Thanks to FTP over SSL, it is possible to encrypt an FTP transfer even in passive mode (i.e., the server establishes the connection to the client). In active mode, there are two variants: Usually, the "Implicit SSL" variant is used, where the control channel is encrypted immediately when the connection is established, instead of requiring an unencrypted "AUTH SSL"/"AUTH TLS" command first as in the "Explicit SSL" variant.
SSH File Transfer Protocol (SFTP in short) is an enhancement of SCP (Secure Copy, a program and protocol for encrypted file exchanges) which allows more file operations than its predecessor. SFTP should not be mistaken with Secure FTP or FTP over SSL. It is a completely newly developed protocol for file transfers and is not – even if the name suggests otherwise – based on FTP. Rather, it constitutes an emulation of FTP, so that all the established functions and commands can be used. SFTP offers authentication of user and server and encryption of the transferred data.
SFTP compared to FTPS
The largest difference between FTPS and SFTP is that FTPS is real FTP in the application layer over an SSL or TLS protocol in the transport layer, while SFTP is an SSH-subsystem in the application layer which just offers a service that is similar to FTP in that the same commands are used. The protocol itself is based on SSH (the Secure Shell protocol). One large advantage of SFTP is that it is easier to use through NAT gateways than FTPS.
The Secure File Transfer Protocol (Secure FTP) is a network protocol for file transfers over TCP/IP networks which partly tunnels a file transfer over an SSH connection. In FTP, commands such as the authentication of a client on an FTP server, directory changes and listings are done over the control channel on port 21. In Secure FTP, this connection is tunneled over SSH and is as such encrypted. The actual file transfers take place over the data channel on some other, random port, where the connection is not tunneled over SSH and remains unencrypted. If the client is configured to use passive mode and a SOCKS proxy server, which many SSH clients provide, all FTP channels can be routed over the SSH connection. Secure FTP should not be mistaken with the SFTP protocol, which is not really based on FTP but on SCP.
Active Mode and Passive Mode
In Active Mode, the server establishes a data connection from its port 20 to a host and port requested by the client. The host is usually the client itself and the port is a client port which has been opened for the connection, usually a port beyond 1023. However, the client can also instruct the server to connect to another server which is in passive mode, i.e. has opened a port and awaits a connection. This technique of a server-to-server connection is called FXP. Control commands are sent over port 21. That commands and data are sent over two different connections (channels) ensures that client and server can still communicate with each other even during file transfers. This is also called an "Out of Band" control.
In Passive Mode, the client sends the server a command requesting passive mode, the server opens a port for the client and sends a reply
signaling that it is ready to accept a connection, and the client establishes a connection to that port. Usually, both sides use a port beyond 1023 for that. This technique is used if the client cannot be contacted by the server, for example if it is behind a router, which changes the client's IP address via NAT, or behind a firewall which restricts access to the client from outside the network.