SFTPPlus Documentation
8.1. Supported Cryptography
This page describes the cryptographic methods, protocols, and algorithms supported by SFTPPlus.
SFTPPlus provides an easy configuration option for both the ssl_cipher_list and ssh_cipher_list with the value secure.
This will keep the list of accepted cryptographic methods up to date with modern security practices.
When using the secure configuration option for an SSL/TLS/SFTP/SCP client and server side transfer, the list of accepted ciphers might change between SFTPPlus or OpenSSL upgrades.
Connections that use cryptography which is no longer considered secure will stop working after such updates.
Note
If you are concerned about legacy connections and don’t want to disturb existing transfers between updates, even when they are using weak encryption, don’t use the secure value. Instead configure an explicit list of ciphers. In this way the configuration will stay the same between SFTPPlus updates.
8.1.1. SSL/TLS protocol family
The secure file transfer services implemented in FTPS and HTTPS are based on the Transport Layer Security (TLS) protocol, which is the successor of the Secure Sockets Layer (SSL) protocol.
8.1.1.1. Default secure SSL/TLS configuration
When using the secure value for the ssl_cipher_list, the following algorithms are enabled:
HIGH:!PSK:!RSP:!eNULL:!aNULL:!RC4:!MD5:!DES:!3DES:!aDH:!kDH:!DSS
This list provides maximum compatibility with existing deployments and does not contain ciphers which are considered weak.
SFTPPlus (with the exception of Windows) uses the OpenSSL library provided by the operating system. The version of OpenSSL provided by your operating system might not provide all the ciphers which are required by older SSL/TLS versions of the standard. This applies especially to cryptographic methods which in recent years were discovered to no longer be secure. For example, SSLv3 is no longer provided at all, and while 3DES was considered secure at the beginning of 2016, in August 2016 it was discovered to be vulnerable to SWEET32 and is no longer provided by the latest updates of the operating systems.
To verify the list of ciphers available for your operating system use:
openssl ciphers -V
8.1.1.2. SSL/TLS versions
- SSL v3 (considered not secure)
- TLS v1.0
- TLS v1.1 (for OpenSSL 1.0.1 or newer)
- TLS v1.2 (for OpenSSL 1.0.1 or newer)
Note
SSL version 2 is not supported; it was officially deprecated in 2011 by RFC 6176.
SSL version 3 is supported in order to provide backward compatibility for older clients, but it is not recommended for new deployments. It was officially deprecated in June 2015 by RFC 7568.
8.1.1.3. OpenSSL versions available in most popular operating systems
Modern Unix and Linux versions are distributed with OpenSSL version 1.0.1 or newer.
Windows is distributed by Microsoft without OpenSSL. SFTPPlus for Windows is distributed with embedded OpenSSL 1.1.0h.
For macOS Sierra, SFTPPlus is built to use the OpenSSL 1.0.2 version that is provided by the Homebrew community. This adds SHA2 and TLSv1.2 support, since the version provided by Apple is OpenSSL 0.9.8.
For SUSE Linux Enterprise Server version 11, we support the SUSE Linux Enterprise 11 Security Module, which provides OpenSSL 1.0.1. This adds SHA2 and TLSv1.2 support, since the version provided by the base system is 0.9.8.
On AIX we support only the newer OpenSSL 1.0.1.
On FreeBSD we support only OpenSSL 1.0.1 provided as part of the base system. The OpenSSL version available with the FreeBSD ports is not supported.
The OpenSSL version distributed with SLES 12 advertises that it supports Elliptic Curve Diffie-Hellman (ECDH) as part of Elliptic Curve Cryptography (ECC). However, in the SLES 12 version tested by ProAtria, there is a defect and ECDH is not usable.
For older operating systems, we provide for your convenience a list of the OpenSSL versions offered by the OS vendors. This list is not comprehensive and comes with no guarantee. Last updated on July 3, 2017.
- OS X 10.8 or newer with Apple OpenSSL 0.9.8r
- SLES 11 - OpenSSL 0.9.8j-fips (OpenSSL 1.0.1 available with the Security Module)
- Solaris 10 - OpenSSL 0.9.7d
- AIX 5.3, AIX 6.1 and AIX 7.1 - Both OpenSSL 0.9.8 and OpenSSL 1.0.1 are provided by IBM.
8.1.1.4. Public-key cryptographic systems
- DSS/DSA
- RSA
Note
DSS/DSA key support is provided for backward compatibility.
Newer deployments should be based on RSA, using a key size of 4096 or greater.
DSS/DSA key support is scheduled to be removed/deprecated with the future release of TLS v1.3.
8.1.1.5. Hash functions
- MD5
- SHA-1 (FIPS 140-2 compatible)
- SHA-2 (for OpenSSL 0.9.8 or newer) (FIPS 140-2 compatible)
Note
All modern operating systems, still supported by their vendors, provide newer versions of OpenSSL with support for SHA-2. We are aware of Solaris 10 which does not have SHA-2 support.
8.1.1.6. Encryption algorithms
- 3DES (FIPS 140-2 compatible, vulnerable to SWEET32 attacks)
- AES 128 and AES 256 (FIPS 140-2 compatible)
- RC4
- Blowfish
8.1.2. SSH protocol family
Only SSH version 2 is supported.
SFTP is implemented based on draft version 3.
SCP is not a standard protocol, therefore it was implemented based on the public source code of OpenSSH’s implementation.
8.1.2.1. Default SFTP/SCP secure configuration
When using the secure value for the ssh_cipher_list, the following algorithms are enabled. These are listed below according to preference.
This list provides maximum compatibility with existing deployments and does not contain ciphers which are considered weak.
8.1.2.1.1. Ciphers
3DES is disabled due to the SWEET32 attack:
- aes256-cbc aes256-ctr
- aes192-cbc aes192-ctr
- aes128-cbc aes128-ctr
8.1.2.1.2. HMACs
SHA1 and MD5 might have higher collision probabilities, but the way they are used in SSH does not allow the possibility for a collision attack.
- hmac-sha2-256
- hmac-sha1
- hmac-md5
8.1.2.1.3. Key Exchanges
Based on the IETF recommendation on the set of key exchange methods for use in the Secure Shell (SSH) protocol:
- diffie-hellman-group-exchange-sha256
- diffie-hellman-group14-sha1
8.1.2.2. Public-key cryptographic systems
Here is the list of supported public-key cryptographic systems, ordered by the preference of SFTPPlus during the negotiation phase:
- RSA
- DSS/DSA
Warning
Newer deployments should be based on RSA with key size of 4096 or greater.
8.1.2.3. SSH Key Exchange
Here is the list of supported SSH key exchanges, ordered by the preference of SFTPPlus during the negotiation phase:
- diffie-hellman-group-exchange-sha256 (FIPS 140-2 compatible)
- diffie-hellman-group-exchange-sha1 (FIPS 140-2 compatible)
- diffie-hellman-group14-sha1 (FIPS 140-2 compatible)
- diffie-hellman-group1-sha1 (FIPS 140-2 compatible, but no longer considered secure to modern standards)
8.1.2.4. Keyed-hash message authentication code (HMAC)
Here is the list of supported HMACs, ordered by the preference of SFTPPlus during the negotiation phase:
- hmac-sha2-256 (FIPS 140-2 compatible)
- hmac-sha1 (FIPS 140-2 compatible)
- hmac-md5
8.1.2.5. Symmetric encryption algorithms
Here is the list of supported symmetric encryption algorithms, ordered by the preference of SFTPPlus during the negotiation phase:
- aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc (FIPS 140-2 compatible)
- cast128-ctr, cast128-cbc
- blowfish-ctr, blowfish-cbc
- 3des-ctr, 3des-cbc (FIPS 140-2 compatible, vulnerable to SWEET32 attacks)
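The effect described at the top of this page, where connections stop working once the accepted list shrinks, can be checked before switching a server to secure. The following is an added example, not SFTPPlus code: it applies the RFC 4253 rule that the first name on the client's list which the server also offers is chosen, simplified to one direction and without the host-key conditions on key exchange. The server lists are copied from this page; the two client proposals are constructed samples.

```python
# Added example, not SFTPPlus code. Server lists are copied from this page.
SUPPORTED = {  # everything SFTPPlus can negotiate (8.1.2.3 to 8.1.2.5)
    "kex": ["diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "mac": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
    "cipher": ["aes256-ctr", "aes256-cbc", "aes192-ctr", "aes192-cbc",
               "aes128-ctr", "aes128-cbc", "cast128-ctr", "cast128-cbc",
               "blowfish-ctr", "blowfish-cbc", "3des-ctr", "3des-cbc"],
}
SECURE = {  # subset enabled when ssh_cipher_list is set to secure (8.1.2.1)
    "kex": ["diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group14-sha1"],
    "mac": ["hmac-sha2-256", "hmac-sha1", "hmac-md5"],
    "cipher": ["aes256-cbc", "aes256-ctr", "aes192-cbc", "aes192-ctr",
               "aes128-cbc", "aes128-ctr"],
}
# Constructed client proposals (assumptions), in client preference order.
LEGACY = {"kex": ["diffie-hellman-group1-sha1"],
          "mac": ["hmac-sha1", "hmac-md5"],
          "cipher": ["3des-cbc", "blowfish-cbc"]}
MIXED = {"kex": ["diffie-hellman-group-exchange-sha1",
                 "diffie-hellman-group14-sha1"],
         "mac": ["hmac-md5"],
         "cipher": ["3des-cbc", "aes128-cbc"]}

def negotiate(client, server):
    """Per category, pick the first client name the server also offers."""
    return {cat: next((a for a in client[cat] if a in server[cat]), None)
            for cat in server}

def audit(client, old=SUPPORTED, new=SECURE):
    """Compare what a client negotiates before and after the policy change."""
    before, after = negotiate(client, old), negotiate(client, new)
    broken = [c for c in after if before[c] and after[c] is None]
    changed = {c: (before[c], after[c]) for c in after
               if after[c] and after[c] != before[c]}
    return {"connects": None not in after.values(),
            "broken": broken, "changed": changed}

if __name__ == "__main__":
    for name, client in (("legacy", LEGACY), ("mixed", MIXED)):
        print(name, audit(client))
```

A client reported under "changed" keeps connecting but on a different algorithm, while any entry under "broken" means the handshake fails and the transfer partner needs an upgrade or an explicit cipher list.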
8.1.3. FIPS 140-2
SFTPPlus does not have vendor certification for FIPS 140-2 compliance.