9.1. Supported Cryptographic Standards¶
This page describes the cryptography method, protocols, and algorithms supported by SFTPPlus.
SFTPPlus provides an easy configuration option for both the ssl_cipher_list and ssl_cipher_list with the value secure
This will keep the list of accepted cryptographic methods up to date with modern security practices.
When using the secure configuration option for an SSL/TLS/SFTP/SCP client and server-side transfer, the list of accepted ciphers might change between SFTPPlus or OpenSSL upgrades.
Connections which are using cryptography which is no longer considers secured will stop working between such updates.
If you are concerned about legacy connections and don't want to disturb existing transfers between updates, even when they are using weak encryption, don't use the secure value. Instead, configure an explicit list of ciphers. In this way, the configuration will stay the same between SFTPPlus updates.
The secure file transfer services implemented in FTPS and HTTPS are based on the Transport Layer Security (TLS) protocol, which is the successor of the Secure Sockets Layer (SSL) protocol.
When using the secure value for the ssl_cipher_list, the following algorithms are enabled:
This list provides maximum compatibility with existing deployments and does not contain ciphers which are considered weak.
SFTPPlus uses the OpenSSL library provided by the operating system, with some exceptions, most notably Windows and generic Linux. The OpenSSL version included in your operating system might not provide all the ciphers which are required by older SSL/TLS versions of the standard. This is valid especially for cryptographic methods which in recent years were discovered to no longer be secured. For example, SSLv3 is no longer provided at all. While 3DES was considered secure at the beginning of 2016, in August 2016 it was discovered that it is vulnerable to the SWEET32 attack. Therefore, 3DES support is no longer included with latest updates for most operating systems.
To verify the list of ciphers available for your operating system use:
openssl ciphers -V
SSL v3 (considered not secure)
TLS v1.1 (for OpenSSL 1.0.1 or newer)
TLS v1.2 (for OpenSSL 1.0.1 or newer)
TLS v1.3 (for OpenSSL 1.1.1 or newer)
SSL version 2 is not supported. It was officially deprecated in 2011 by the RFC 6176.
SSL version 3 is supported only to provide backward compatibility for older clients, but it is not recommended for new deployments. It was officially deprecated in June 2015 by the RFC 7568.
The Microsoft Windows operating system is distributed without including OpenSSL libraries or a compatible alternative. On Windows, SFTPPlus uses embedded OpenSSL 1.1.1 libraries. Please keep your SFTPPlus deployments on Windows always updated, to benefit from upstream security updates for the bundled OpenSSL libraries.
Modern Linux distributions are distributed with OpenSSL version 1.1.1 or newer. On supported Linux distributions, SFTPPlus makes use of these system libraries. Please keep system OpenSSL libraries always up to date through your system updates, to benefit from upstream security updates.
The generic Linux version of SFTPPlus uses embedded OpenSSL 1.1.1 libraries. Please keep your generic Linux SFTPPlus deployments always updated, to benefit from upstream security updates for the bundled OpenSSL libraries.
The macOS operating system includes OpenSSL-compatible LibreSSL libraries starting with version 10.13 High Sierra, but their support for latest cryptographic standards is lacking on some versions of macOS. On macOS, SFTPPlus uses embedded OpenSSL 1.1.1 libraries. Please keep your SFTPPlus deployments on macOS always updated, to benefit from upstream security updates for the bundled OpenSSL libraries.
The above list is not comprehensive and comes with no guarantee. Please check with email@example.com for further info.
Last updated for release 4.11.0 on April 6, 2021.
TLS / X.509 certificates and keys can be stored and read by SFTPPlus in the following formats:
PKCS #8 / PEM
PKCS #12 / PFX
DSS/DSA key support is provided for backward compatibility.
Newer deployments should be based on RSA, use a key size of 4096 or greater.
DSS/DSA key support is scheduled to be removed/deprecated with the future release of TLS v1.3.
SHA-1 (FIPS 140-2 compatible)
SHA-2 (for OpenSSL 0.9.8 or newer) (FIPS 140-2 compatible)
All modern operating systems, still supported by their vendors, provide newer versions of OpenSSL with support for SHA-2.
3DES (FIPS 140-2 compatible, vulnerable to SWEET32 attacks)
AES 128 and AES 256 (FIPS 140-2 compatible)
Only SSH version 2 is supported.
SFTP is implemented based on draft version 3.
SCP is not a standard protocol, therefore it was implemented based on the public source code of OpenSSH's implementation.
When using the secure value for the ssh_cipher_list, the following algorithms are enabled. These are listed below according to preference:
# Ciphers aes256-ctr aes192-ctr aes128-ctr # MACs # SHA1 and MD5 might look weak, but the way they are used in SSH # does not allow for the possibility of a collision attack. hmac-sha2-256 hmac-sha2-512 hmac-sha1 # Key Exchanges # See RFC for current recommendation (check updates). # This is based on: # https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-09.html curve25519-sha256 (with OpneSSL 1.1.1 or newer) firstname.lastname@example.org (with OpneSSL 1.1.1 or newer) ecdh-sha2-nistp521 ecdh-sha2-nistp384 ecdh-sha2-nistp256 diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha1 diffie-hellman-group18-sha512 diffie-hellman-group17-sha512 diffie-hellman-group16-sha512 diffie-hellman-group15-sha512 diffie-hellman-group14-sha256 diffie-hellman-group14-sha1
This list provides maximum compatibility with existing deployments and does not contain ciphers which are considered weak.
Here is the list of supported public-key cryptographic systems ordered by SFTPPlus' preference during the negotiation phase:
Ed25519 (with OpenSSL 1.1.1 or newer)
ECDSA (ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521)
Newer deployments should use Ed25519 when available, or RSA with a key size of at least 4096.
Here is the list of supported SSH key exchanges, ordered on the preference of SFTPPlus during the negotiation phase:
diffie-hellman-group-exchange-sha256 (FIPS 140-2 compatible)
diffie-hellman-group-exchange-sha1 (FIPS 140-2 compatible)
diffie-hellman-group14-sha1 (FIPS 140-2 compatible)
diffie-hellman-group1-sha1 (FIPS 140-2 compatible, but no longer considered secure to modern standards)
diffie-hellman-group14-sha256 (RFC 8268 for transition to newer group sizes)
The fixed group prime numbers are the one specified in RFC3526.
Here is the list of supported HMAC, ordered on the preference of SFTPPlus during the negotiation phase:
hmac-sha2-512 (FIPS 140-2 compatible)
hmac-sha2-256 (FIPS 140-2 compatible)
hmac-sha1 (FIPS 140-2 compatible)
Here is the list of supported symmetric encryption algorithms, ordered on the preference of SFTPPlus during the negotiation phase:
aes256-ctr, aes256-cbc, aes192-ctr, aes192-cbc, aes128-ctr, aes128-cbc (FIPS 140-2 compatible)
3des-ctr, 3des-cbc (FIPS 140-2 compatible, vulnerable to SWEET32 attacks)
SFTPPlus can transfer files using the AS2 protocol as defined in the RFC 4130 <https://tools.ietf.org/html/rfc4130> MIME-Based Secure Peer-to-Peer Business Data Interchange Using HTTP, Applicability Statement 2 (AS2) standard.
Signing and encrypting AS2 messages is implemented as defined in the RFC 5652 <https://tools.ietf.org/html/rfc5652> Cryptographic Message Syntax (CMS) standard.
Signing and verifying Message Disposition Notification (MDN) is implemented as defined in the RFC 5652 <https://tools.ietf.org/html/rfc3798> standard.
Asynchronous MDN is not yet supported. It will be available in a future version.
Only the RSA asymmetric algorithm is supported. If you need support for DSA or ECDSA get in touch with our support team.
The following digest algorithms are supported:
Messages are signed using the PCKS#1 v1.5 (rsassa_pkcs1v15) padding. PCKS#1 v2.1 (rsassa_pss) Probabilistic Signature Scheme (PSS) padding is not yet supported.
The following symmetric encryption algorithm are supported, all using PKCS7 padding and cipher block chaining (CBC) mode:
When setting up an AS2 transfer both your organization and your remote partner will have a set of private keys and public certificates.
You should never share your private key with your remote partner. No AS2 operation on your partner remote AS2 sending service needs the private key of your organization. Only your public certificate should be shared with your partner.
You will never need the private key of your partner. Only the public partner certificate is needed. No AS2 operation insider your SFTPPlus AS2 receiving service needs the private key of your partner.
The OpenPGP encryption, as defined in RFC 2440 and RFC 4880, provides a standard for encrypting and signing data and files. PGP encrypted files can be transferred over any standard file transfer protocol.
OpenPGP support in SFTPPlus is based on GnuPG version 1.4.
PGP is not supported on Alpine Linux.
RSA (RSA-E, RSA-S)
The Time-Based One-Time Password (TOTP) authentication method adds an extra layer of security on top of the usual username/password credentials.
A unique code valid for a limited number of seconds is used for validation.
The code is generated using helper applications like Google Authenticator or FreeOTP.
To use a unique password per session, this unique code has to be added at the end of the regular password. By appending the unique code to the regular password, the new method of authentication is still compatible with the traditional username and password authentication system. No extra changes are required for the file transfer client.
Once a unique TOTP code is used to authenticate successfully, it is no longer valid. This prevents replay attacks. Therefore, FTPS clients using concurrent connections will not be able to open a second connection using the same password and TOTP credentials. If your FTPS client cannot ask for new credentials for every connection, you should configure it to not open more than one connection at a time to a SFTPPPlus FTPS server requiring TOTP authentication. Please contact the Pro:Atria Support team if you need help with this.
SFTPPlus supports the TOTP algorithm as defined in RFC 6238
The following parameters are supported: * 6 digits * 30 seconds interval * SHA1
Two-factor authentication will succeed as long as the received token is within one time step of 30 seconds (+/- 30s).
If using the Authy authentication application you might observe that the authentication still works, even when the server and the client clocks are out of sync. This is because Authy is not using the phone clock. It uses an external clock to generate the code.
Authenticating twice with the same multi-factor authentication token will fail. This prevents replay attacks.
By itself, TOTP-based authentication is vulnerable to brute-force attacks. If you want more protection against attackers with stealed passwords, it is highly recommended to enable the Ban IP for a time interval authentication method. Brute-force mitigation is enabled by default in new SFTPPlus installations. If you are upgrading from an older version, make sure to enable it.
For file transfer services, SFTPPlus receives passwords from remote clients and forwards them to the configured authentication method.
SFTPPlus has its own user database ready to use as a standalone solution for authenticating users based on username and password credentials.
Usernames longer than 150 characters are not allowed.
Passwords longer than 150 characters are not allowed at all by SFTPPlus. The limit applies to both SFTPPlus accounts and accounts authenticated via OS, LDAP, HTTP API, or other methods.
These limits prevent denial of service attacks, and mitigate other types of attacks.
We recommend using passwords no longer than 128 characters. This allows using TOTP and other multi-factor authentication methods on top of an existing password.
Please contact us if you need longer passwords.
The password for the file transfer accounts and administrator accounts managed by SFTPPlus are stored using a standard password hash algorithm. They are not stored in clear text.
The SHA512-Crypt password hash algorithm is used by default.
The modular crypt format is a loose standard for password hash strings which started life under the Unix operating system.
The basic format is PREFIX + HASH. For example, a PBKDF2 password with a salt of 8 characters:
It has also been adopted by a number of application-specific hash algorithms used outside of the Unix/Linux operating systems.
SFTPPlus support the following password hash standards with the corresponding modular prefixes / Scheme ID:
crypt-sha512 - prefix $5$ - Standard Unix SHA-512 Crypt
crypt-sha256 - prefix $6$ - Standard Unix SHA-256 Crypt
pbkdf2_sha256 - prefix $pbkdf2-sha256$ - RSA PKCS#5 based on SHA-512
pbkdf2_sha512 - prefix $pbkdf2-sha512$ - RSA PKCS#5 based on SHA-512
All variants are publicly documented and widely reviewed algorithms.
The PBKDF2 (Password-Based Key Derivation Function 2) key derivation function is standardized in RFC 8018 <https://tools.ietf.org/html/rfc8018> as part of the RSA Lab PKCS #5 Password-Based Cryptography Specification Version 2.1 document. RFC 2898 is an older version of the same standard.
SFTPPlus does not have vendor certification for FIPS 140-2 compliance.