How SFTP Works

A tenant can connect as SFTP client to an SFTP server (the latter either hosted at SAP or in the
customer landscape).

In a scenario using SFTP, an SFTP client connects to an SFTP server in order to perform one of
the following tasks:
 SFTP client writes (pushes) a file to a file directory on an SFTP server.
 SFTP client reads (pulls) data from the SFTP server.

Typically the SFTP client periodically reads files from the SFTP server.

Depending on the direction of data flow (whether the tenant reads data from the SFTP server
or writes data to it), either an SFTP sender adapter or SFTP receiver adapter is involved.

Files are stored on the SFTP server in specific directories referred to as mailboxes. For each
mailbox, a user is specified in order to control access to the data.

In certain cases, you have the option to choose between the following authentication options
for SFTP connectivity in the SFTP (sender or receiver) adapter:

 User Name/Password

 Public Key
User Name/Password Authentication

The tenant connects to the server with a user and authenticates itself against the SFTP server
with a password.

The user credentials (user name and password) are stored in a User Credentials artifact which
has been deployed on the tenant prior to connection set up.
Public Key Authentication

In order to set up secure connection between the SFTP client and SFTP server, a combination of
symmetric and asymmetric keys is applied.
 Symmetric (session) keys are used in order to encrypt and decrypt data within a data
transfer session.
 Asymmetric key pairs (on client and server side) are used in order to encrypt and
decrypt the session keys.

Symmetric and asymmetric keys are used by a client and a server exchanging data via SFTP in
the following way:
1. The client connects to the server.
2. The server sends his public key to the client.
3. The client checks if the server is a trusted participant by evaluating a known_hosts file at
client's side: if the server's public key is listed there-in, the identity of the server is
confirmed.
4. The client generates a session key (to be used for one data transfer session).
5. The client encrypts the session key with the public key of the server.
6. The client sends the encrypted session key to the server. As public and private key of
one party are mathematical correlated with each other, the server can decrypt the
session key using its private key.
7. The session can now be continued in an encrypted way.
8. As part of the secure data transfer (using the session key exchanged by the step before),
the client sends its public key to the server.
9. The server checks if the public key of the client is known to him (evaluating an
authorized_keys file on the server side).
10. The server encrypts a random number with the client's public key and sends it to the
client.
11. The client decrypts the random number with its private key and sends the unencrypted
random number back to the server. That way, the client authenticates itself on server
side.

SFTP:
FTP is an old protocol that isn’t designed for secure data transfer and is very vulnerable to
attacks. For that reason other, “safe” versions of the protocol are eventually created, along
with new protocols. One of them is the SFTP (SSH File Transfer Protocol or Secret File
Transfer Protocol) that is used for file transfer and management instead of the FTP. SFTP is
not an enhanced, “secure” version of the FTP, it’s rather a new protocol that has similar
functions for the transfer of files.
The SFTP uses SSH to safely transmit files over a network. In contrast to the FTP, this
protocol encrypts all the transmitted data, passwords and commands. Disadvantage of the
SFTP is that it’s not supported by all FTP clients, so you need a client that supports both FTP
and SFTP. SFTP was created more as an extension of the SSH-2protocol that enables the
transfer of files over SSH and other protocols like the TLS. SFTP is also widely supported by
most platforms. The SFTPs connection is always secured, but requires a secure underlying
protocol, usually SSH.
Symmetric vs. Asymmetric Encryption – What are differences?

Information security has grown to be a colossal factor, especially with modern communication
networks, leaving loopholes that could be leveraged to devastating effects. This article presents
a discussion on two popular encryption schemes that can be used to tighten communication
security in Symmetric and Asymmetric Encryption. In principle, the best way to commence this
discussion is to start from the basics first. Thus, we look at the definitions of algorithms and key
cryptographic concepts and then dive into the core part of the discussion where we present a
comparison of the two techniques.

Algorithms

An algorithm is basically a procedure or a formula for solving a data snooping problem. An

encryption algorithm is a set of mathematical procedure for performing encryption on data.
Through the use of such an algorithm, information is made in the cipher text and requires the
use of a key to transforming the data into its original form. This brings us to the concept of
cryptography that has long been used in information security in communication systems.
Cryptography

Cryptography is a method of using advanced mathematical principles in storing and

transmitting data in a particular form so that only those whom it is intended can read and
process it. Encryption is a key concept in cryptography – It is a process whereby a message is
encoded in a format that cannot be read or understood by an eavesdropper. The technique is
old and was first used by Caesar to encrypt his messages using Caesar cipher. A plain text from
a user can be encrypted to a ciphertext, then send through a communication channel and no
eavesdropper can interfere with the plain text. When it reaches the receiver end, the ciphertext
is decrypted to the original plain text.
Cryptography Terms

 Encryption: It is the process of locking up information using cryptography. Information

that has been locked this way is encrypted.
 Decryption: The process of unlocking the encrypted information using cryptographic
techniques.
 Key: A secret like a password used to encrypt and decrypt information. There are a few
different types of keys used in cryptography.
 Steganography: It is actually the science of hiding information from people who would
snoop on you. The difference between steganography and encryption is that the would-be
snoopers may not be able to tell there’s any hidden information in the first place.
Symmetrical Encryption
This is the simplest kind of encryption that involves only one secret key to cipher and decipher
information. Symmetrical encryption is an old and best-known technique. It uses a secret key
that can either be a number, a word or a string of random letters. It is a blended with the plain
text of a message to change the content in a particular way. The sender and the recipient
should know the secret key that is used to encrypt and decrypt all the messages. Blowfish, AES,
RC4, DES, RC5, and RC6 are examples of symmetric encryption. The most widely used
symmetric algorithm is AES-128, AES-192, and AES-256.

The main disadvantage of the symmetric key encryption is that all parties involved have to
exchange the key used to encrypt the data before they can decrypt it.

Asymmetrical Encryption
Asymmetrical encryption is also known as public key cryptography, which is a relatively new
method, compared to symmetric encryption. Asymmetric encryption uses two keys to encrypt a
plain text. Secret keys are exchanged over the Internet or a large network. It ensures that
malicious persons do not misuse the keys. It is important to note that anyone with a secret key
can decrypt the message and this is why asymmetrical encryption uses two related keys to
boosting security. A public key is made freely available to anyone who might want to send you a
message. The second private key is kept a secret so that you can only know.
A message that is encrypted using a public key can only be decrypted using a private key, while
also, a message encrypted using a private key can be decrypted using a public key. Security of
the public key is not required because it is publicly available and can be passed over the
internet. Asymmetric key has a far better power in ensuring the security of information
transmitted during communication.

Asymmetric encryption is mostly used in day-to-day communication channels, especially over

the Internet. Popular asymmetric key encryption algorithm includes EIGamal, RSA, DSA, Elliptic
curve techniques, PKCS.
Asymmetric Encryption in Digital Certificates

To use asymmetric encryption, there must be a way of discovering public keys. One typical
technique is using digital certificates in a client-server model of communication. A certificate is
a package of information that identifies a user and a server. It contains information such as an
organization’s name, the organization that issued the certificate, the users’ email address and
country, and users public key.
When a server and a client require a secure encrypted communication, they send a query over
the network to the other party, which sends back a copy of the certificate. The other party’s
public key can be extracted from the certificate. A certificate can also be used to uniquely
identify the holder.

SSL/TLS uses both asymmetric and symmetric encryption, quickly look at digitally signed
certificates issued by trusted certificate authorities (CAs).