SSH Encryption

SFTP stands for "SSH File Transfer Protocol." Like its name suggests, it is a file transfer protocol (similar to FTP) that operates inside an SSH (secure shell) session. The SSH protocol, and by extension Robo-FTP's implementation of SSH/SFTP, offers a number of encryption and encryption-related features to ensure the security of your data. When an initial connection is established to the server, both client and server must agree to use the same ciphers and algorithms.

Key Exchange

After a network connection is established, the first thing both client and server do is compute a shared secret value by exchange of certain data.  This is referred to as "key exchange". While the details of individual key exchange algorithms are outside the scope of this document, it may be helpful for a server administrator to be aware of the various supported key exchange algorithms. Robo-FTP Server supports the following 3 key exchange methods:

SSH Host Keys

After the key exchange algorithm has been agreed upon, the server sends its public SSH host key to the connecting client, along with a special message encrypted with the corresponding private key. The message can then only be decrypted with the public key. Using this host key and message, the client can verify the identity of the server, as well as confirm that the server to which the host key belongs is the same server with which it just performed the key exchange, thereby thwarting certain classes of man-in-the middle attacks. The SSH protocol permits several different types of server host keys. Robo-FTP Server supports the following host key algorithms and bit sizes:

Symmetric Ciphers

The next step is for both client and server to agree upon a symmetric cipher which will be used to encrypt data transferred over the connection.  Robo-FTP Server supports the following symmetric ciphers over SSH:

HMACs

Finally, the client and server must agree upon an HMAC (hash message authentication code) algorithm. The HMAC itself is used to verify that data received from the client truly originated from that client, and that data received from the server truly originated from that server (and not an eavesdropper).  The HMAC also allows each recipient to verify that each message has not been tampered with. Robo-FTP Server supports the following HMAC algorithms over SSH: