Setting SFTP Algorithms On Your SFTP Server

Covers the basics of SFTP server settings of algorithms for key exchanges, ciphers, MACs, and compressions

  1. Blog

Overview

In this post, we'll talk about the algorithms included in a typical SFTP server and explain their basic functions. We'll cover algorithms for key exchanges, ciphers, MACs, and compressions. After that, we'll dive into the JSCAPE MFT Server Manager Web GUI and show you where you can configure those SFTP algorithms there.

Having a basic understanding of these algorithms and knowing where to configure them will enable you to strengthen your SFTP server's security or troubleshoot certain client connection issues.

Note: SFTP runs on SSH and the algorithms you'll be setting are actually SSH algorithms.

What we'd like to do

sftp_algorithms

Key exchanges, ciphers, MACs, and compressions

Whenever you send sensitive files over an insecure network like the Internet, you might want to make sure that:

1. Your data stays confidential throughout the transmission. You wouldn't want valuable or sensitive information such as PII (personally indentifiable information), trade secrets, customer lists, key employee salaries, marketing strategies, source codes, etc. fall into the wrong hands.

2. Data integrity is upheld, i.e., it remains unchanged or if ever it does undergo even the slightest accidental or intentional changes, that you have a way of knowing.

3. You are able to verify the authenticity of its source. You will want to make sure it really came from the party who you were expecting to be the sender (and not from an impostor).

That's why SFTP is very suitable for transmitting sensitive files. It already comes with algorithms that help address these concerns.

For instance, to preserve confidentiality during transmission, SFTP provides data-in-motion encryption. The various algorithms used for this purpose are called ciphers.

To perform data integrity checks and discover possible modifications in the data, SFTP uses what are known as Message Authentication Codes or MACs. The algorithms designed for this security mechanism are aptly called MAC algorithms.

Like data integrity checks, authenticity checks are also carried out using MACs. So once again, the algorithms used in these kinds of tasks are the MAC algorithms.

In addition to those two algorithms already mentioned (i.e., ciphers and MAC algorithms), SFTP has two more that also play important roles in SFTP transmissions. They are the:

Compression algorithms - These are algorithms responsible for compressing files before transmission. Compression reduces the size of (compressible) files and in turn improves transmission times. Compression also adds another important benefit. It increases the entropy of the data, which consequently makes it more resistant to certain cryptanalysis attacks.

Key exchange algorithms - These algorithms are responsible for establishing secure methods of exchange for the symmetric keys needed during encryption.

Basically, configuring these in your SFTP server simply entails going into the Algorithms module and selecting the algorithms you want to enable.

Then when a user connects to your server, that user's SFTP client and your SFTP server will first negotiate which algorithms to use during the SFTP session. Whatever they arrive at would depend on the algorithms supported by the client and those algorithms you've enabled. If you haven't enabled certain algorithms on the server and they're the only algorithms the client supports, the client will have problems connecting.

So why then shouldn't you simply enable all algorithms? The answer is this: certain algorithms are more secure than others. If you want to your SFTP sessions to be highly secure, then you will have to force your sessions to employ only the most secure algorithms. We will be comparing algorithms in a future post, so stay tuned for that.

Remember however that in doing so, you may encounter interoperability issues with legacy SFTP clients (which unerstandably only support older, less secure algorithms). In other words, users with legacy SFTP clients might not be able to connect.

Now that you have a basic understanding of the various SFTP algorithms, it's time to walk you through the process of setting them up on your SFTP server. Launch your JSCAPE MFT Server Manager now and follow the instructions below.

1. Open the Algorithms module.

To do that, go to the Services module, navigate to the SFTP/SCP tab, and then click the Algorithms button.

01-sftp-algorithms

2. Select Key Exchange algorithms

The first set of algorithms you'll be able to modify is the Key Exchanges algorithms. Some of the supported Key Exchange algorithms are the:

diffie-hellman-group1-sha1

diffie-hellman-group14-sha1

diffie-hellman-group-exchange-sha1

diffie-hellman-group-exchange-sha256

Tick the check box of the Key Exchange algorithm(s) you want to enable and then click the OK button.

02-sftp-key-exchange-algorithms

3. Select Ciphers

The next set of algorithms you may want to set are the ciphers. Some supported ciphers include the following:

3des-cbc twofish192-cbc aes128-ctr idea-cbc
3des-ctr twofish192-ctr serpent256-cbc idea-ctr
blowfish-cbc aes256-cbc serpent256-ctr cast128-cbc
blowfish-ctr aes256-ctr serpent192-cbc cast128-ctr
twofish-cbc aes192-cbc serpent192-ctr arcfour256
twofish256-cbc aes192-ctr serpent128-cbc arcfour128
twofish256-ctr aes128-cbc serpent128-ctr arcfour

Tick the check box of the cipher you want to enable and then click the OK button.

03-sftp-cipher-algorithms

4. Select MAC algorithms

Some supported MACs include:

hmac-sha1 hmac-md5 hmac-sha2-256 hmac-sha2-512
hmac-sha1-96 hmac-md5-96 hmac-sha2-256-96 hmac-sha2-512-96

04-sftp-mac-message-authentication-code

5. Select Compression algorithms

As of this writing, the supported compression is zlib, a widely used compression algorithm.

05-sftp-compression

6. Apply the changes

As soon as you're done making those changes and are back at the SFTP/SCP tab, click the Apply button.

06-apply-sftp-algorithm

That's all there is to it!

Other relevant articles you might find interesting

What is an SFTP Key

Setting Up An SFTP Server

Using SFTP on the Command Line

Recommended download

Still haven't tried JSCAPE MFT Server? Download the free evaluation edition now.

Download JSCAPE MFT Server Trial