SSH Encryption

<< Click to Display Table of Contents >>

Navigation:  Robo-FTP Server > Introducing Robo-FTP Server > Supported Encryption Technologies >

SSH Encryption

 

SFTP stands for "SSH File Transfer Protocol." Like its name suggests, it is a file transfer protocol (similar to FTP) that operates inside an SSH (secure shell) session. The SSH protocol, and by extension Robo-FTP's implementation of SSH/SFTP, offers a number of encryption and encryption-related features to ensure the security of your data. When an initial connection is established to the server, both client and server must agree to use the same ciphers and algorithms.

 

 

Key Exchange

 

After a network connection is established, the first thing both client and server do is compute a shared secret value by exchange of certain data.  This is referred to as "key exchange". While the details of individual key exchange algorithms are outside the scope of this document, it may be helpful for a server administrator to be aware of the various supported key exchange algorithms. Robo-FTP Server supports the following key exchange methods:

 

diffie-hellman-group18-sha512

diffie-hellman-group16-sha512

diffie-hellman-group-exchange-sha256

diffie-hellman-group14-sha1

diffie-hellman-group1-sha1

ecdh-sha2-nistp256

ecdh-sha2-nistp384

ecdh-sha2-nistp521

 

 

 

SSH Host Keys

 

After the key exchange algorithm has been agreed upon, the server sends its public SSH host key to the connecting client, along with a special message encrypted with the corresponding private key. The message can then only be decrypted with the public key. Using this host key and message, the client can verify the identity of the server, as well as confirm that the server to which the host key belongs is the same server with which it just performed the key exchange, thereby thwarting certain classes of man-in-the middle attacks. The SSH protocol permits several different types of server host keys. Robo-FTP Server supports the following host key algorithms and bit sizes:

 

RSA (1024-, 2048-, and 4096-bit keys)

DSA (1024-, 2048-, and 4096-bit keys)

ECDSA (256-, 384-, and 521-bit keys)

 

 

 

Symmetric Ciphers

 

The next step is for both client and server to agree upon a symmetric cipher which will be used to encrypt data transferred over the connection.  Robo-FTP Server supports the following symmetric ciphers over SSH:

 

3des-cbc

aes128-ctr

aes192-ctr

aes256-ctr

blowfish-cbc

[email protected]

 

 

 

 

HMACs

 

Finally, the client and server must agree upon an HMAC (hash message authentication code) algorithm. The HMAC itself is used to verify that data received from the client truly originated from that client, and that data received from the server truly originated from that server (and not an eavesdropper).  The HMAC also allows each recipient to verify that each message has not been tampered with. Robo-FTP Server supports the following HMAC algorithms over SSH:

 

hmac-md5

hmac-sha1

hmac-sha2-256

hmac-sha2-512