SSH Encryption

 

SFTP stands for "SSH File Transfer Protocol." As its name suggests, it is a file transfer protocol (similar in purpose to FTP) that operates inside an SSH (Secure Shell) session. The SSH protocol, and by extension Robo-FTP's implementation of SSH/SFTP, offers a number of encryption and encryption-related features to ensure the security of your data. When a connection is first established to the server, client and server must agree to use the same ciphers and algorithms before any data is transferred.

 

 

Key Exchange

 

After a network connection is established, the first thing client and server do is compute a shared secret value by exchanging certain data. This is referred to as "key exchange". While the details of individual key exchange algorithms are outside the scope of this document, it may be helpful for a server administrator to be aware of the various supported key exchange algorithms. Robo-FTP Server supports the following key exchange methods:

 

Default Mode:

 

ecdh-sha2-nistp256

ecdh-sha2-nistp384

ecdh-sha2-nistp521

diffie-hellman-group18-sha512

diffie-hellman-group16-sha512

diffie-hellman-group-exchange-sha256

diffie-hellman-group14-sha1

diffie-hellman-group1-sha1

 

High Security Mode:

 

ecdh-sha2-nistp256

ecdh-sha2-nistp384

ecdh-sha2-nistp521

diffie-hellman-group18-sha512

diffie-hellman-group16-sha512

diffie-hellman-group-exchange-sha256
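How the two sides reconcile their lists, as an added illustration that is not part of Robo-FTP's documentation or code. The selection rule is the one RFC 4253 section 7.1 specifies for every negotiated name-list (key exchange, cipher and MAC alike); the server lists are the Default Mode and High Security Mode key exchange lists above, and the two client lists are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Key exchange name-lists as given on this page, in preference order.
var (
	kexDefault = []string{
		"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
		"diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
		"diffie-hellman-group-exchange-sha256",
		"diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1",
	}
	kexHighSecurity = []string{
		"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
		"diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512",
		"diffie-hellman-group-exchange-sha256",
	}
)

// negotiate applies the RFC 4253 section 7.1 selection rule: the chosen name is
// the first entry on the client's list that also appears anywhere on the
// server's list. The client's ordering decides; the server's ordering does not.
// If nothing matches, the SSH connection must be closed.
func negotiate(client, server []string) (string, error) {
	offered := make(map[string]bool, len(server))
	for _, name := range server {
		offered[name] = true
	}
	for _, name := range client {
		if offered[name] {
			return name, nil
		}
	}
	return "", errors.New("no common algorithm; connection must be closed")
}

func main() {
	// Constructed client lists: a legacy client that only knows the SHA-1
	// groups, and a modern client that prefers the strongest ECDH curve.
	legacy := []string{"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"}
	modern := []string{"ecdh-sha2-nistp521", "ecdh-sha2-nistp256"}

	for _, srv := range []struct {
		mode string
		list []string
	}{{"Default", kexDefault}, {"High Security", kexHighSecurity}} {
		chosen, err := negotiate(legacy, srv.list)
		fmt.Printf("%-13s mode, legacy client: %q (err: %v)\n", srv.mode, chosen, err)
		chosen, err = negotiate(modern, srv.list)
		fmt.Printf("%-13s mode, modern client: %q (err: %v)\n", srv.mode, chosen, err)
	}
}
```

The point for an administrator is that the server's ranking does not protect against a weak choice: a Default Mode server ends up on diffie-hellman-group1-sha1 whenever the client lists it first, even though the server ranks it last. High Security Mode changes the outcome by removing the SHA-1 groups from the server list altogether, so that client is refused instead.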

 

 

SSH Host Key Algorithms

 

After the key exchange algorithm has been agreed upon, the server sends its public SSH host key to the connecting client, along with a special message signed with the corresponding private key. The signature can then only be verified with the public key. Using this host key and signed message, the client can verify the identity of the server, and confirm that the server to which the host key belongs is the same server with which it just performed the key exchange, thereby thwarting certain classes of man-in-the-middle attacks. The SSH protocol permits several different server host key algorithms.

 

Default Mode:

 

ecdsa-sha2-nistp384

rsa-sha2-512

rsa-sha2-256

ssh-rsa

 

High Security Mode:

 

ecdsa-sha2-nistp384

rsa-sha2-512

rsa-sha2-256

ssh-rsa

 

 

SSH Host Keys

 

Robo-FTP Server supports the following host keys and bit sizes:

 

RSA (1024-, 2048-, and 4096-bit keys)

DSA (1024-, 2048-, and 4096-bit keys)

ECDSA (256-, 384-, and 521-bit keys)
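What the client actually checks at this step, as an added example that is not part of Robo-FTP's documentation or code. It uses Go's standard library to build an ecdsa-sha2-nistp384 host key blob (a 384-bit ECDSA key, one of the sizes listed above) in the RFC 5656 wire layout, compute the SHA256 fingerprint a client would pin in its known-hosts store, and verify the server's signature over the exchange hash. Two simplifications are assumptions of this example: the exchange hash is a constructed value rather than the output of a real key exchange, and the signature is DER-encoded rather than in the two-mpint form SSH puts on the wire.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// sshString encodes a byte string in SSH wire format (RFC 4251): uint32 length || bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// hostKeyBlob builds the public key blob for an ecdsa-sha2-nistp384 host key
// (RFC 5656 section 3.1): string "ecdsa-sha2-nistp384", string "nistp384",
// string Q, where Q is the uncompressed point 0x04 || X || Y (48 bytes each).
func hostKeyBlob(pub *ecdsa.PublicKey) []byte {
	q := make([]byte, 1+48+48)
	q[0] = 0x04
	pub.X.FillBytes(q[1:49])
	pub.Y.FillBytes(q[49:])
	var blob []byte
	blob = append(blob, sshString([]byte("ecdsa-sha2-nistp384"))...)
	blob = append(blob, sshString([]byte("nistp384"))...)
	blob = append(blob, sshString(q)...)
	return blob
}

// fingerprint renders the blob the way OpenSSH prints it: "SHA256:" followed by
// unpadded base64 of SHA-256 over the key blob. This is the value a client
// stores and compares on every later connection.
func fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// signExchangeHash is the server side: the exchange hash H is hashed with
// SHA-384 (the hash RFC 5656 assigns to nistp384) and signed with the host
// private key. DER encoding of (r, s) is an assumption of this example; SSH
// itself sends r and s as two mpints.
func signExchangeHash(priv *ecdsa.PrivateKey, h []byte) ([]byte, error) {
	digest := sha512.Sum384(h)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyHostKey is the client side: the presented key must match the pinned
// fingerprint, and the signature must verify under that key for this
// session's exchange hash. Either failure means the peer is not the server
// the client just performed key exchange with.
func verifyHostKey(pub *ecdsa.PublicKey, pinned string, h, sig []byte) bool {
	if fingerprint(hostKeyBlob(pub)) != pinned {
		return false
	}
	digest := sha512.Sum384(h)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed: a fresh server host key and a stand-in exchange hash.
	server, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	pinned := fingerprint(hostKeyBlob(&server.PublicKey))
	h := sha256.Sum256([]byte("constructed exchange hash input"))
	fmt.Println("pinned host key:", pinned)

	sig, _ := signExchangeHash(server, h[:])
	fmt.Println("genuine server accepted:", verifyHostKey(&server.PublicKey, pinned, h[:], sig))

	// A party interposed on the connection holds a different key: its signature
	// does not verify under the pinned key, and its own key has the wrong fingerprint.
	imposter, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	badSig, _ := signExchangeHash(imposter, h[:])
	fmt.Println("imposter signature accepted:", verifyHostKey(&server.PublicKey, pinned, h[:], badSig))
	fmt.Println("imposter key accepted:", verifyHostKey(&imposter.PublicKey, pinned, h[:], badSig))
}
```

Because the signature covers the exchange hash of this particular session, it also cannot be lifted from one connection and reused on another; the last assertion in the test below checks exactly that. The fingerprint comparison is what ties the key to a server the administrator has previously vouched for, which is why a changed host key fingerprint on an existing server deserves investigation rather than a reflexive "accept".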

 

 

 

Symmetric Ciphers

 

The next step is for both client and server to agree upon a symmetric cipher which will be used to encrypt data transferred over the connection. Robo-FTP Server supports the following symmetric ciphers over SSH:

 

Default Mode:

 

[email protected]

aes128-ctr

aes192-ctr

aes256-ctr

blowfish-cbc

3des-cbc

 

High Security Mode:

 

[email protected]

aes256-ctr

aes192-ctr

aes128-ctr

 

 

HMACs

 

Finally, the client and server must agree upon an HMAC (hash-based message authentication code) algorithm. The HMAC is used to verify that data received from the client truly originated from that client, and that data received from the server truly originated from that server (and not from an eavesdropper). The HMAC also allows each recipient to verify that each message has not been tampered with. Robo-FTP Server supports the following HMAC algorithms over SSH:

 

Default Mode:

 

hmac-sha2-256

hmac-sha2-512

hmac-sha1

hmac-md5

 

High Security Mode:

 

hmac-sha2-256

hmac-sha2-512
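How the negotiated symmetric cipher and HMAC work together on each packet, as an added example covering both the Symmetric Ciphers and HMACs sections above; it is not part of Robo-FTP's documentation or code. It uses Go's standard library to model one direction of an SSH transport with aes256-ctr and hmac-sha2-256, following the RFC 4253 section 6.4 rule that the MAC is computed over the implicit packet sequence number and the unencrypted packet, and shows that an altered packet and a replayed packet are both rejected. The session keys are constructed values, an assumption of this example; a real session derives them from the key exchange result.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// endpoint is one direction of an SSH transport: an aes256-ctr keystream that
// keeps advancing across packets, an hmac-sha2-256 key, and the packet
// sequence number that both sides count independently (RFC 4253 section 6.4).
type endpoint struct {
	stream cipher.Stream
	macKey []byte
	seq    uint32
}

func newEndpoint(key, iv, macKey []byte) (*endpoint, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return &endpoint{stream: cipher.NewCTR(block, iv), macKey: macKey}, nil
}

// tag computes MAC = HMAC(key, sequence_number || unencrypted_packet). The
// sequence number is never transmitted; it is implied by the packet count, so
// a replayed or reordered packet fails the check even if its bytes are intact.
func (e *endpoint) tag(plain []byte) []byte {
	var seq [4]byte
	binary.BigEndian.PutUint32(seq[:], e.seq)
	m := hmac.New(sha256.New, e.macKey)
	m.Write(seq[:])
	m.Write(plain)
	return m.Sum(nil)
}

// seal encrypts a packet and appends the MAC (encrypt-and-MAC, as SSH does).
func (e *endpoint) seal(plain []byte) []byte {
	ct := make([]byte, len(plain))
	e.stream.XORKeyStream(ct, plain)
	out := append(ct, e.tag(plain)...)
	e.seq++
	return out
}

// open decrypts, recomputes the MAC over the recovered plaintext and compares
// in constant time. A mismatch means alteration or replay; an SSH
// implementation must tear the connection down at that point.
func (e *endpoint) open(wire []byte) ([]byte, error) {
	if len(wire) < sha256.Size {
		return nil, errors.New("packet shorter than the MAC")
	}
	ct, mac := wire[:len(wire)-sha256.Size], wire[len(wire)-sha256.Size:]
	plain := make([]byte, len(ct))
	e.stream.XORKeyStream(plain, ct)
	want := e.tag(plain)
	e.seq++
	if !hmac.Equal(mac, want) {
		return nil, errors.New("MAC mismatch: packet altered or replayed")
	}
	return plain, nil
}

// pair returns a sender and receiver sharing constructed session keys. A real
// SSH session derives the key, IV and MAC key from the shared secret K and the
// exchange hash H (RFC 4253 section 7.2); they never cross the network.
func pair() (sender, receiver *endpoint) {
	key := sha256.Sum256([]byte("constructed aes256-ctr key"))
	iv := sha256.Sum256([]byte("constructed initial IV"))
	macKey := sha256.Sum256([]byte("constructed hmac-sha2-256 key"))
	sender, _ = newEndpoint(key[:], iv[:aes.BlockSize], macKey[:])
	receiver, _ = newEndpoint(key[:], iv[:aes.BlockSize], macKey[:])
	return sender, receiver
}

func main() {
	msg := []byte("constructed SFTP request")

	s, r := pair()
	plain, err := r.open(s.seal(msg))
	fmt.Printf("intact packet: %q, err=%v\n", plain, err)

	s, r = pair()
	wire := s.seal(msg)
	wire[0] ^= 0x01 // one ciphertext bit flipped in transit
	_, err = r.open(wire)
	fmt.Println("altered packet:", err)

	s, r = pair()
	wire = s.seal(msg)
	r.open(wire)          // delivered once: accepted
	_, err = r.open(wire) // delivered again: sequence number no longer matches
	fmt.Println("replayed packet:", err)
}
```

CTR mode on its own offers no integrity at all, which is why the HMAC step is mandatory rather than optional: without it the bit flip in the second scenario would silently change the decrypted request. The constant-time comparison (hmac.Equal) matters too; comparing MACs byte by byte with early exit would leak timing information about the expected tag.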