SFTP and SSH
SFTP is a network protocol for transferring files securely over a computer network. Its full name is the SSH File Transfer Protocol, and as the name implies, SFTP is a set of commands that runs over another protocol known as SSH, or Secure Shell.
SSH is what provides SFTP with its security, and so to understand how secure SFTP is, it is necessary to examine how SSH works. SSH uses a layered architecture, and consists of a transport layer, a user authentication layer, and a connection layer. In terms of security, the transport layer runs over TCP/IP, and provides encryption, server authentication and data integrity protection, while the user authentication layer handles client authentication.
Server authentication ensures that clients know they are connecting to the server they are expecting to connect to, while client authentication ensures that servers only permit clients that are authorized to connect. Encryption protects data from eavesdroppers while in transit over the network, while data integrity checks ensure that the transferred data has not been tampered with.
The key factors involved in security strength are the encryption methods used to protect the data being transferred, and the data integrity algorithms. It is important to realize that these are not fixed: they are negotiated between client and server. The specific options that must be agreed are the ciphers used for encryption, the MAC algorithms used for data integrity, the key exchange methods used to set up one-time session keys for encryption (key distribution), and the public key algorithms that are used for authentication. The overall strength of a particular SSH/SFTP connection will depend on which settings are negotiated for each of these options.
This means that server administrators need to choose the range of available settings for each option carefully. If they are too restrictive, some clients may not be able to connect, as they may not share ciphers or MACs in common with the server. But if they are too lax, this will permit weak connections to the server.
For ciphers, all RC4 ciphers should be disabled, as well as most DES ciphers. Triple DES (DES3) is still acceptable but should be disabled if possible. Ideally the only ciphers enabled should be AES ciphers, from 128 bit to 256 bit.
For MACs, which ensure data integrity, any based on MD5 such as hmac-md5 should be disabled. Only SHA should be used, and preferably not SHA1 (e.g. hmac-sha1). Instead, hmac-sha2-256 and hmac-sha2-512 should be enabled if possible.
The best key exchange method to use is diffie-hellman-group-exchange-sha256. If required by clients, diffie-hellman-group14-sha1 can be used but it should be disabled if possible.
In terms of key strength, RSA keys should be preferred over DSA, and ideally RSA keys should be a minimum of 2048 bits.
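The recommendations above, turned into a small audit of an sshd_config fragment. This is an added example, not code from the original page; it assumes OpenSSH's directive and algorithm names (Ciphers, MACs, KexAlgorithms, HostKey, arcfour for RC4, 3des-cbc for Triple DES), and the rule table and sample configuration are constructed here.

```python
import re
# Rules taken from the guidance above, keyed by sshd_config directive:
# (regex over one algorithm name or key path, severity, reason). "disable" =
# turn it off, "avoid" = only if clients require it, "review" = not AES.
RULES = {
    "ciphers": [
        (r"arcfour", "disable", "RC4 cipher"),
        (r"^des-", "disable", "single DES cipher"),
        (r"3des", "avoid", "Triple DES: acceptable, disable if possible"),
        (r"^(?!aes)", "review", "not an AES cipher; ideally only AES is enabled"),
    ],
    "macs": [
        (r"md5", "disable", "MD5-based MAC"),
        (r"sha1", "avoid", "SHA-1 MAC: prefer hmac-sha2-256 or hmac-sha2-512"),
    ],
    "kexalgorithms": [
        (r"sha1$", "avoid", "SHA-1 KEX: prefer diffie-hellman-group-exchange-sha256"),
    ],
    "hostkey": [  # "(?<!ec)" so an ecdsa key file is not mistaken for DSA
        (r"(?<!ec)dsa", "avoid", "DSA host key: prefer RSA of at least 2048 bits"),
    ],
}

def audit_sshd_config(config_text):
    """Return (directive, value, severity, reason) for every flagged setting."""
    findings = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comment, split key/value
        if len(parts) != 2:
            continue  # blank, comment-only or valueless line
        directive, value = parts[0].lower(), parts[1]
        # Ciphers/MACs/KexAlgorithms are comma-separated lists; HostKey is a path.
        for item in value.split(","):
            item = item.strip().lstrip("+-^")  # ignore OpenSSH list modifiers
            for pattern, severity, reason in RULES.get(directive, []):
                if re.search(pattern, item, re.IGNORECASE):
                    findings.append((directive, item, severity, reason))
                    break  # the most specific rule is listed first
    return findings
# Constructed sample fragment mixing the settings the text accepts and rejects.
SAMPLE_CONFIG = """\
Ciphers aes256-ctr,aes128-ctr,3des-cbc,arcfour256
MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-md5
KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
"""
if __name__ == "__main__":
    print(*audit_sshd_config(SAMPLE_CONFIG), sep="\n")
```

Run against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty result means every listed algorithm is within the guidance above, and a "review" finding marks a non-AES cipher the administrator should decide on deliberately.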