Optimal Configuration and Encryption
Globalscape’s Enhanced File Transfer (EFT) platform offers many security options for your SSL/TLS and SFTP connections. Choosing the right combination of protocol versions, ciphers, MACs, and key exchange algorithms can be challenging. We’ve put together some tested* recommendations to help guide you in this process.
BEST PRACTICE #1
Use the recommendations below for SSL/TLS communications, which cover the FTPS and HTTPS protocols. These can be used as a starting point, and you can always add (or remove) options based on your unique needs or the needs of your business partners.
| | Ideal | Acceptable | Avoid |
| Protocol | TLS 1.3, TLS 1.2 | TLS 1.1 (deprecated by RFC 8996; enable only for partners that cannot negotiate TLS 1.2) | TLS 1.0, SSLv3 |
| Encryption cipher | AES-GCM (256), AES (256) | All 128-bit ciphers | All others, including 3DES (unless a partner requires it) |
| Message Authentication Code | AEAD, SHA384, SHA256 | SHA1 (weak; collision attacks are practical) | MD5 |
| Key exchange | ECDHE (ephemeral, gives forward secrecy), ECDH/RSA, ECDH/ECDSA, RSA | All others | |
| Authentication cipher | ECDSA, ECDH, RSA | DH, DSS | “None” (anonymous, unauthenticated) |
Prefer ephemeral key exchange (ECDHE) wherever partners support it: static RSA key exchange provides no forward secrecy, so a later compromise of the server’s private key exposes previously captured sessions, and TLS 1.3 removed it entirely.
*The above configurations were confirmed and tested using SSL Labs, which rated them grade “A” in terms of both security and performance. Updated on 9/10/21
Other recommendations:
- TLS 1.2 or above is recommended.
- Do not enable export-grade cipher suites. They use deliberately weakened 40- or 56-bit keys and have no legitimate use.
- When creating an SSL/TLS certificate, choose a 2048-bit RSA key or larger (or a 256-bit ECDSA key).
- Ensure that your certificate uses a strong signature algorithm such as SHA-256. Do not use SHA-1, which is considered insecure and is rejected by modern browsers and clients.
- Ideally, have your certificate signed by a trusted Certificate Authority (CA).
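The table above is easiest to apply mechanically. The following is an added example (not Globalscape’s code or part of the original article) that rates OpenSSL-style cipher-suite names, which is the form EFT and most TLS tooling use, against the Ideal/Acceptable/Avoid columns, and then builds a Python `ssl` server context restricted to the “Ideal” column so you can see which suites survive. It follows the table with one deliberate sharpening: static RSA/ECDH key exchange is rated “acceptable” rather than “ideal” because it gives no forward secrecy. The sample suite list is constructed for illustration; the function and variable names are the example’s own.

```python
import re
import ssl
from dataclasses import dataclass, field

# Rating order, lower is better; a suite's overall rating is its worst component.
RANK = {"ideal": 0, "acceptable": 1, "avoid": 2}


@dataclass
class Verdict:
    name: str
    rating: str
    reasons: list = field(default_factory=list)


def classify(suite: str) -> Verdict:
    """Rate one OpenSSL-style suite name against the SSL/TLS table above.

    Component ratings follow the table; the one sharpening is that static
    RSA/ECDH key exchange rates 'acceptable', not 'ideal', because it gives
    no forward secrecy (TLS 1.3 removed it entirely).
    """
    n = suite.upper()
    findings = []  # (rating, reason) per component

    # TLS 1.3 suites (TLS_AES_256_GCM_SHA384, ...) always use ephemeral (EC)DHE
    # and an AEAD cipher, so only the key size distinguishes them.
    if n.startswith("TLS_"):
        findings.append(("ideal", "TLS 1.3: ephemeral key exchange, AEAD cipher"))
        if "_128_" in n:
            findings.append(("acceptable", "128-bit AEAD cipher"))
        return _verdict(suite, findings)

    tokens = n.split("-")
    if tokens[0] == "EXP":  # export-grade: deliberately weakened 40/56-bit keys
        findings.append(("avoid", "export-grade suite"))
        tokens = tokens[1:]

    # Key exchange / authentication prefix. No prefix means RSA key transport.
    if tokens[0] in ("ECDHE", "ECDH", "DHE", "EDH", "DH", "ADH", "AECDH"):
        kex = tokens.pop(0)
        if kex in ("ADH", "AECDH"):
            findings.append(("avoid", "anonymous key exchange (no authentication)"))
        else:
            auth = tokens.pop(0) if tokens[0] in ("RSA", "ECDSA", "DSS") else "RSA"
            if kex == "ECDHE":
                findings.append(("ideal", "ECDHE key exchange (forward secrecy)"))
            elif kex in ("DHE", "EDH"):
                findings.append(("acceptable", "finite-field DHE; needs a >=2048-bit group"))
            else:
                findings.append(("acceptable", f"static {kex} key exchange (no forward secrecy)"))
            if auth == "DSS":
                findings.append(("acceptable", "DSS authentication"))
    else:
        findings.append(("acceptable", "static RSA key exchange (no forward secrecy)"))

    rest = "-".join(tokens)  # what is left names the bulk cipher and the MAC
    if re.search(r"AES256|CHACHA20|CAMELLIA256|ARIA256", rest):
        findings.append(("ideal", "256-bit cipher"))
    elif re.search(r"AES128|CAMELLIA128|ARIA128|SEED", rest):
        findings.append(("acceptable", "128-bit cipher"))
    elif "DES-CBC3" in rest or "3DES" in rest:
        findings.append(("avoid", "3DES (64-bit block size, Sweet32)"))
    else:
        findings.append(("avoid", f"legacy or null cipher: {rest}"))

    if re.search(r"GCM|CCM|POLY1305", rest):
        findings.append(("ideal", "AEAD mode"))
    elif tokens[-1] in ("SHA384", "SHA256"):
        findings.append(("ideal", f"HMAC-{tokens[-1]}"))
    elif tokens[-1] == "SHA":
        findings.append(("acceptable", "HMAC-SHA1"))
    else:
        findings.append(("avoid", f"MAC {tokens[-1]}"))
    return _verdict(suite, findings)


def _verdict(suite, findings):
    worst = max(findings, key=lambda f: RANK[f[0]])[0]
    return Verdict(suite, worst, [f"{r}: {why}" for r, why in findings])


def audit(suites):
    """Rate every name in an exported cipher list; returns {name: Verdict}."""
    return {s: classify(s) for s in suites}


def hardened_context() -> ssl.SSLContext:
    """Server context matching the 'Ideal' column: TLS 1.2+, ECDHE only, AEAD only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!3DES")
    return ctx


if __name__ == "__main__":
    # Constructed sample: the kind of list an administrator might export from EFT.
    sample = ["TLS_AES_256_GCM_SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
              "ECDHE-RSA-AES128-SHA", "AES256-SHA", "DES-CBC3-SHA", "RC4-MD5"]
    for v in audit(sample).values():
        print(f"{v.rating:10} {v.name:32} {'; '.join(v.reasons)}")
    print("hardened context allows:", [c["name"] for c in hardened_context().get_ciphers()])
```

Run it against the cipher list you have enabled in EFT: anything rated “avoid” is a candidate for removal, and anything rated “acceptable” only because of SHA1 or static RSA key exchange is what you keep solely for partners who cannot negotiate better. The OpenSSL cipher string in `hardened_context` is the same grammar EFT’s underlying library understands, so it doubles as a template for the “Ideal” column.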
BEST PRACTICE #2
Use the following for SSH communications, which covers the SFTP protocol:
| | Ideal | Acceptable | Avoid |
| Allowed ciphers | All 256-bit ciphers | All 128-bit ciphers | All others |
| Allowed MACs | 256- and 512-bit MACs | All 128- or 96-bit MACs | All others |
| Allowed KEXs | 256- and 512-bit KEXs | All 128-bit KEXs | All others |
List the entries in each column in priority order. The bit counts refer to the size that appears in the SSH algorithm name: for example aes256-ctr and aes256-gcm@openssh.com are 256-bit ciphers, hmac-sha2-256 and hmac-sha2-512 are 256- and 512-bit MACs, and curve25519-sha256 and diffie-hellman-group16-sha512 are key exchanges hashed with SHA-256 and SHA-512. Any algorithm whose name ends in sha1 (such as diffie-hellman-group14-sha1) belongs in the Avoid column.
With SSH, the server’s enabled algorithm lists bound what can be negotiated, but within that set the choice follows the client’s preference order: per RFC 4253 section 7.1, the negotiated algorithm is the first entry in the client’s list that the server also supports. A server that merely lists strong algorithms first therefore gains nothing; to rule out a weak algorithm it must remove it from its list. Newer clients such as CuteFTP 9 support strong algorithms, helping to ensure higher data security.
Other recommendations:
- When creating an SSH key, choose a 2048-bit RSA key or larger.
- When creating an SSH key, choose OpenSSH format for greatest compatibility.
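To make the negotiation rule concrete, here is an added example (not Globalscape’s code, EFT’s implementation, or part of the original article) that serialises and parses the SSH_MSG_KEXINIT message from RFC 4253 section 7.1, applies the “first entry in the client’s list that the server also supports” rule, and rates the outcome against the SFTP table above. Two constructed server profiles are compared: one that lists strong algorithms first but still allows the weak ones, and one cut down to the “Ideal” column. The algorithm lists are constructed for illustration and are not captured from a real EFT server or client; the interpretation of the table’s bit counts (hash or key size in the algorithm name, aes192 treated like aes128, MD5-based MACs rated “avoid” as in the TLS table) is the example’s own.

```python
import os
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists):
    """Serialise {field: [names]} into a KEXINIT payload (missing lists are empty)."""
    body = bytes([SSH_MSG_KEXINIT]) + os.urandom(16)  # message id + random cookie
    for f in FIELDS:
        body += _name_list(lists.get(f, []))
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, out = 17, {}  # skip message id and the 16-byte cookie
    for f in FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        out[f] = raw.split(",") if raw else []
        pos += 4 + length
    return out


def negotiate(client, server):
    """RFC 4253 rule: pick the first name in the CLIENT's list that the SERVER also
    lists. The server's list only bounds the choice; the client's order decides."""
    chosen = {}
    for f in FIELDS[:6]:  # kex, host key, both cipher directions, both MAC directions
        match = next((a for a in client[f] if a in server[f]), None)
        if match is None:
            raise ValueError(f"no common algorithm for {f}")
        chosen[f] = match
    return chosen


def rate(field, name):
    """Rate one algorithm against the SFTP table above (example's own reading of it)."""
    base = name.split("@")[0]  # drop vendor suffixes such as @openssh.com
    if field.startswith("enc"):
        if base.startswith(("aes256-", "chacha20-poly1305")):
            return "ideal"
        return "acceptable" if base.startswith(("aes128-", "aes192-")) else "avoid"
    if field.startswith("mac"):
        if base.startswith("hmac-sha2-"):
            return "ideal"
        return "acceptable" if base.startswith("hmac-sha1") else "avoid"  # md5: avoid
    if field == "kex":  # ecdh-sha2-nistp* hash with SHA-256/384/512 by curve size
        strong = base.startswith("ecdh-sha2-nistp") or base.endswith(("sha256", "sha384", "sha512"))
        return "ideal" if strong else "avoid"  # every *-sha1 group lands here
    return "n/a"


def negotiate_over_wire(client_lists, server_lists):
    """Round-trip both KEXINITs through the wire format, negotiate, and rate."""
    c = parse_kexinit(build_kexinit(client_lists))
    s = parse_kexinit(build_kexinit(server_lists))
    return {f: (alg, rate(f, alg)) for f, alg in negotiate(c, s).items()}


def _lists(kex, host_key, enc, mac):
    return {"kex": kex, "host_key": host_key, "enc_c2s": enc, "enc_s2c": enc,
            "mac_c2s": mac, "mac_s2c": mac, "comp_c2s": ["none"], "comp_s2c": ["none"]}


# Constructed sample lists (not captured from a real EFT server or client).
CLIENT = _lists(["diffie-hellman-group14-sha1", "curve25519-sha256", "ecdh-sha2-nistp256"],
                ["ssh-rsa", "rsa-sha2-256", "ssh-ed25519"],
                ["aes128-ctr", "aes256-ctr", "aes256-gcm@openssh.com"],
                ["hmac-sha1", "hmac-sha2-256", "hmac-sha2-512"])
# A server that lists strong algorithms first but still allows the weak ones.
SERVER_PERMISSIVE = _lists(["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
                           ["rsa-sha2-256", "ssh-rsa"],
                           ["aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr"],
                           ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"])
# The same server restricted to the 'Ideal' column.
SERVER_HARDENED = _lists(["curve25519-sha256", "ecdh-sha2-nistp256"], ["rsa-sha2-256"],
                         ["aes256-gcm@openssh.com", "aes256-ctr"],
                         ["hmac-sha2-512", "hmac-sha2-256"])

if __name__ == "__main__":
    for label, server in (("permissive", SERVER_PERMISSIVE), ("hardened", SERVER_HARDENED)):
        print(label, negotiate_over_wire(CLIENT, server))
```

Against the permissive server the client’s ordering wins and the session ends up on diffie-hellman-group14-sha1, aes128-ctr and hmac-sha1 even though the server listed every stronger option first. Against the hardened server the same client is pushed to curve25519-sha256, aes256-ctr and hmac-sha2-256. The practical consequence for EFT is that the “Avoid” column has to be disabled, not merely demoted.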
With these security options in place, you should be at a good starting point for ensuring both high security and broad compatibility. You can always “dial up” or “dial down” the security levels to either increase security or accommodate more business partner communications.
Reminder: Your security efforts will be most effective if you use the latest version of EFT. Periodically check the Globalscape support site for the latest version and upgrade accordingly.
Related Resource: The difference between SSH protocol version vs. SFTP protocol version vs. SSH implementation version