Data connection security level (SECURE_DATACONN)
This setting is used to indicate the level of security used on data connections and applies to both TLS and
Kerberos.
Terminology
Definitions for terms used on the page.
- Integrity protected, data integrity, or data authentication
- Indicates an algorithm is applied to the data being transferred, which modifies the data such that
the receiving program can verify the data was not modified or changed during the transfer.
- Privacy protected
- Indicates an algorithm is applied to the data being transferred that encrypts or scrambles the data, such that
only the receiving program, which holds a special key, can decrypt or unscramble the data to its original format.
The original data cannot be seen or interpreted while it is in transit.
- Raw
- Indicates data is transmitted without being modified by any encryption or data integrity algorithms.
- Encipher or cipher algorithm
- Data being transferred is encrypted, integrity protected, or both. This term does not imply which
algorithm is used and does not imply the data is encrypted.
There are differences between TLS and Kerberos.
For TLS, system SSL services and protocols are used to negotiate which cipher algorithm is used for the FTP session.
System SSL supplies multiple cipher algorithms: some provide only data authentication (that is, data integrity),
and some provide both encryption and data authentication. Encryption scrambles the data so it is transferred
confidentially and cannot be interpreted without a special key. Data authentication algorithms ensure the data
was not modified during transfer. You can customize which cipher algorithms FTP should use. However, be aware
that the actual cipher algorithm used for the session is determined by a negotiation between the server and the
client. For example, if you configure an FTP server to use the "Triple DES encryption, SHA authentication"
algorithm but the client does not support that algorithm, it will not be used.
For Kerberos, the system Kerberos (Network Authentication Service) provides the encryption and
integrity algorithms. You can request that data be enciphered for integrity protection only, or for both
privacy and integrity protection. However, the algorithms used by Kerberos cannot be customized or negotiated.
The data connection security level is available both when configuring a client and a server.
Selections when configuring an FTP Server
- NEVER
- Indicates the server requires data to be transferred raw with no cipher algorithm applied to the data.
Clients attempting to use ciphers are rejected.
- CLEAR
- Indicates the client decides whether data will be transferred raw or enciphered.
For TLS, the client decides whether data will be enciphered or not. If it indicates it should be enciphered,
the cipher algorithm is chosen using TLS protocols.
For Kerberos, the client can specify whether data will be transferred raw, integrity protected only, or both
integrity and privacy protected.
- PRIVATE
- Indicates the server requires data to be transferred enciphered.
Clients attempting to send raw data are rejected.
For TLS, the cipher algorithm is chosen using TLS protocols.
For Kerberos, the data must be transferred using both integrity and privacy protection. Clients attempting to send
data that is only integrity protected are rejected.
- SAFE
- For TLS, selecting this option is identical to the PRIVATE selection.
For Kerberos, the data must be transferred using integrity protection only, or using both integrity and privacy protection.
Clients attempting to send raw data are rejected.
Selections when configuring an FTP Client
Before you begin, you should understand that the level of security for data connections is determined both by the
configuration settings on this page and by commands an FTP user may issue during an FTP session. The following
commands can be issued by the user:
- clear
- Sets the security level so that data is transferred raw.
- private
- Sets the security level so that data is transferred enciphered. If the client is using the
Kerberos security mechanism, the data is transferred both integrity protected and privacy protected. If the client
is using the TLS security mechanism, the cipher algorithm is chosen using the TLS protocol negotiation.
- safe
- Sets the security level so that data is transferred integrity protected only. This command is
applicable only to sessions using the Kerberos security mechanism.
The data connection security level selections for the client are:
- NEVER
- Indicates the client requires data to be transferred raw with no cipher algorithm applied to the data.
- CLEAR
- Indicates the data can be transferred raw or enciphered. By default, data is transferred raw. However, the
user can issue the private command during the FTP session to change the data connection security level so that
data is transferred enciphered. The user can also issue the clear command to reset the data connection security
level, so that data is transferred raw again.
For TLS, if the private command is issued, the cipher algorithm is chosen using TLS protocols.
For Kerberos, if the private command is issued, data is transferred both integrity and privacy protected.
In addition to the private and clear commands, a Kerberos session user can issue the safe command to change the
data connection security level so that data is transferred integrity protected only.
- PRIVATE
- Indicates the client requires data to be transferred enciphered.
For TLS, the cipher algorithm is chosen using TLS protocols.
For Kerberos, data is transferred both integrity and privacy protected.
- SAFE
- For TLS, selecting this option is identical to the PRIVATE selection.
For Kerberos, indicates the data can be transferred integrity protected only, or both integrity and privacy
protected. By default, data is transferred integrity protected only. However, the user can issue the private
command during the FTP session to change the data connection security level so that data is transferred both
integrity and privacy protected. The user can also issue the safe command to reset the data connection security
level back, so that data is transferred integrity protected only.
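The server selections and the client selections above form a small decision table. The following Python model of that table is an added example, not the FTP server's or client's own code; it assumes that NEVER and PRIVATE fix the client's level (the page says the client "requires" that level) and that, for TLS, an enciphered data connection always counts as privacy protected. It lets an administrator check whether a given server setting and client setting can transfer data at all, and which user command would make them compatible.

```python
# Constructed model of the SECURE_DATACONN decision table described on this page.
# Added illustration only; it is not the FTP server's or client's own code.
RAW, INTEGRITY, PRIVATE = "raw", "integrity", "private"  # PROT C / S / P in RFC 2228 terms
TLS, KERBEROS = "TLS", "Kerberos"

def normalize(mech, level):
    """TLS has no integrity-only mode on this page: SAFE equals PRIVATE and an
    enciphered TLS data connection always counts as privacy protected (assumption)."""
    return PRIVATE if (mech == TLS and level == INTEGRITY) else level

def server_accepts(setting, mech, requested):
    """True if a server with SECURE_DATACONN=setting accepts a data connection
    at the protection level the client asked for (raw / integrity / private)."""
    accepted = {
        "NEVER": {RAW},                      # raw only; any cipher is rejected
        "CLEAR": {RAW, INTEGRITY, PRIVATE},  # the client decides
        "PRIVATE": {PRIVATE},                # raw and integrity-only are rejected
        "SAFE": {INTEGRITY, PRIVATE},        # raw is rejected
    }
    return normalize(mech, requested) in accepted[setting.upper()]

def client_levels(setting, mech):
    """(default level, set of levels the FTP user may select with the
    clear / safe / private commands) for a client with SECURE_DATACONN=setting.
    Assumption: NEVER and PRIVATE fix the level, since the client 'requires' it."""
    setting = setting.upper()
    if setting == "NEVER":
        return RAW, {RAW}
    if setting == "CLEAR":
        # the 'safe' command (integrity only) applies only to Kerberos sessions
        extra = {INTEGRITY} if mech == KERBEROS else set()
        return RAW, {RAW, PRIVATE} | extra
    if setting == "PRIVATE":
        return PRIVATE, {PRIVATE}
    if setting == "SAFE":
        if mech == TLS:
            return PRIVATE, {PRIVATE}  # identical to PRIVATE for TLS
        return INTEGRITY, {INTEGRITY, PRIVATE}
    raise ValueError(f"unknown SECURE_DATACONN value: {setting}")

def compatible_levels(server_setting, client_setting, mech):
    """Levels the user could select on this client that this server would accept.
    An empty set means the two configurations cannot transfer data at all."""
    _, allowed = client_levels(client_setting, mech)
    return {lvl for lvl in allowed if server_accepts(server_setting, mech, lvl)}
```

If the client's default level (first element of `client_levels`) is not in `compatible_levels`, the transfer fails until the user issues one of the listed commands.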