2

I am helping design an application that would need to transfer and store files securely on a server. The application is to be written in C#, but the server is Linux based. What protocol should I use for transferring and storing these files, up to 2 GB in size?

I have read a little a out sftp and ssh. Would these be any good?

Sakamoto Kazuma
  • 2,573
  • 7
  • 34
  • 75

1 Answers1

2

If you're going to have BIG files that you want to transfer easily and securely with .NET with a minimum of components, you generally will want to go with FTPES, also known as FTP through Explicit SSL, and sometimes known as "FTPS" or "FTP-ES". That is the only version that's supported with a pure .NET approach with no third-party plugins needed.

With SFTP, or FTP over SSH, you'll have to deal with exchanging keys manually between you and your clients, unlike FTPES. You'll also need a third-party library to make it happen, since .NET doesn't have built-in functionality for SFTP.

If you want to write a client to use FTPES, all you will have to do is use FtpWebRequest and set EnableSSL to true.

What to avoid:

  • Don't use FTP through Implicit SSL. It's been deprecated for many years at this point and should be considered obsolete.

  • Don't just PGP-encrypt the files and then transfer them over plain old FTP. With plain old FTP, all user names and passwords are sent in clear text, which will easily allow an attacker to at least intercept your PGP encrypted files.

Community
  • 1
  • 1
Dave Markle
  • 95,573
  • 20
  • 147
  • 170
  • SSL and SSH support comparable key lengths so in overall SSL is more secure due to hierarchical PKI. – Eugene Mayevski 'Callback Dec 09 '12 at 18:45
  • @EugeneMayevski'EldoSCorp: I was under the impression that while that was true for certificates' keys, SSH2 generally uses a 256-bit session key as opposed to SSL's 128-bit session key. Am I wrong? – Dave Markle Dec 09 '12 at 19:11
  • 1
    TLS 1.1 and 1.2 lets you use AES and Camellia cipher suites with 256-bit keys. Also, for SSH 256-bit session keys are rather recent as well. Technically there's nothing in either of those protocol systems which would make one of them to be less cryptographically secure than another one (of course, security holes are possible in either as well :). Due to this non-technical aspects such as ease of key management and presence of revocation mechanisms become key factors to security. – Eugene Mayevski 'Callback Dec 09 '12 at 19:34