
Does FTPS encrypt data packets at the hardware or software level?

If you need to implement FTPS, which delivers a lot of data securely to a server, it might be worth investigating partial or complete hardware acceleration of the crypto-processing. Platform security expert Michael Cobb explains why.

I have a question regarding SSL/TLS, and specifically the FTPS protocol. Under normal circumstances, when data packets are sent or retrieved by the client, are the packets encrypted at the hardware or the software level, and why does it matter?

The short answer is that the data packets are usually encrypted at the software level, which is probably better than encrypting them at the hardware level. To explain, we must first be clear about this crypto-flavored alphabet soup.

SSL stands for Secure Sockets Layer, a transport-layer protocol that provides endpoint authentication and communication secrecy over networks in general, and the Internet in particular. TLS stands for Transport Layer Security, the name given to an Internet standard based on SSL. The current version of SSL is 3.0, and the current version of TLS is 1.1. The term SSL/TLS is commonly used to cover all of these versions.

FTPS is commonly referred to as FTP/SSL and covers a variety of methods by which File Transfer Protocol software can leverage SSL/TLS to perform secure file transfers. Each method uses an SSL/TLS layer below the standard FTP protocol to encrypt the control and/or the data channels. FTPS, by the way, is distinguished from SSH file transfer protocol (SFTP), which is FTP over SSH.

There are three basic parts to TLS:

  • The initial negotiation of algorithm support, in which the choice of symmetric cipher to be used for the data encryption is made
  • The key exchange between (and authentication of) the two machines that are communicating
  • The symmetric cipher encryption and message authentication

In other words, a lot happens in TLS before getting to the bulk encryption of the data being exchanged between the two parties. In fact, the key exchange and authentication, which use public key cryptography, are the most computationally burdensome parts of the whole transaction. And that is where the hardware comes in.

In the late nineties, the rapid growth of SSL as a means of doing secure Web transactions threatened to swamp Web servers with the effort of doing all the public key computations. Crypto-hardware companies like Rainbow Technologies (now a part of SafeNet Inc.) developed SSL accelerators, co-processor boards that could be plugged into Web servers. These dedicated processors handled the SSL public key computations and delivered the symmetric keys to the server for the bulk data encryption part of the transaction. Other accelerator designs actually perform the bulk data encryption as well, taking the full strain of the crypto and delivering cleartext to the server.

If you need to implement FTPS, which delivers a lot of data securely to a server, it might be worth investigating partial or complete hardware acceleration of the crypto-processing. Chances are, however, that you would need to be handling a lot of data, and a large number of simultaneous connections, before the acceleration offers worthwhile advantages over a software-only approach. And it is hard to see why a hardware method would be inherently more secure in this scenario than a software-only one. Remember, to gain all of the security benefits of TLS, both the client and the server should be using digital certificates. And, as with any other crypto system, the most likely point of failure is not the crypto itself, but the way it is implemented.
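To make the control-channel/data-channel split and the certificate advice concrete, here is an added example (not part of the original answer) of an explicit FTPS client built on Python's standard ftplib and ssl modules: it insists on certificate verification and TLS 1.2 or newer, optionally presents a client certificate so both ends are authenticated, protects the control channel with AUTH TLS and the data channel with PROT P. The host, account, and file names passed to it are placeholders.

```python
import ssl
from ftplib import FTP_TLS


def build_ftps_context(cafile=None, client_cert=None, client_key=None):
    """Build the TLS configuration an FTPS client should use.

    Verification is mandatory: the server certificate must chain to a trusted
    CA (cafile, or the system trust store when None) and match the host name.
    A client certificate is loaded when one is supplied, so the server can
    authenticate the client as well.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSL 3.0, TLS 1.0, TLS 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def upload_over_ftps(host, user, passwd, local_path, remote_name, ctx, port=21):
    """Explicit FTPS upload that encrypts both the control and the data channel.

    Returns the server's reply to the STOR command. Host, credentials and
    paths are placeholders supplied by the caller; no real server is assumed.
    """
    ftps = FTP_TLS(context=ctx)
    ftps.connect(host, port)
    ftps.auth()       # AUTH TLS: wrap the control channel before USER/PASS go over it
    ftps.login(user, passwd)
    ftps.prot_p()     # PBSZ 0 + PROT P: the data channel (file contents) is encrypted too
    with open(local_path, "rb") as fp:
        reply = ftps.storbinary(f"STOR {remote_name}", fp)
    ftps.quit()
    return reply
```

Without the prot_p() call the server would accept the login over TLS but could still send and receive file contents in the clear, which is the FTPS pitfall the "control and/or data channels" wording above alludes to.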

More information:

  • A SearchSecurity.com reader asks Michael Cobb, "Which Internet protocol is more secure: FTPS or SCP?"
  • See how companies are plugging FTP holes with secure FTP servers.

This was last published in March 2008.
