
In FTPS the password is encrypted when it tries to connect to the server over the internet. This is what I understood; please correct me if my understanding has any missing points. My question is, when I tried to simulate it (FTPS and FTP), I am just getting a message which says SSL is established (and the port changes based on implicit and explicit invocation).

Is there any other way to confirm the password is really encrypted, or can we see the password when it's plain FTP? Below is the log which I am seeing on the server side.

Server Logs when FTPS enabled -

Status: TLS/SSL connection established, waiting for welcome message...

Command: USER ftp

Command: PASS **

Server Logs when FTP enabled -

Status: Connection established, waiting for welcome message...

Command: USER ftp

Command: PASS **


1 Answer


FTPS is essentially the FTP protocol with an added layer of TLS/SSL security. Your understanding that the password is encrypted during communication between client and server is absolutely correct.

You see the same logs with just a small difference in the first line because you have access to the server and have a complete log. The reason FTPS was brought into existence is that it stops third parties from snooping on our user credentials. With FTP, this is quite possible.

Let's try and understand the part about Explicit FTPS.

The server lets you connect using an unencrypted FTP connection. Prior to sending user credentials, the client then requests that the server switch the command channel to an SSL-encrypted channel using the client AUTH TLS or AUTH SSL commands. Upon successful setup of the SSL channel the client then sends user credentials to the FTP server. These credentials, along with any other commands sent to the server during the FTP session, are automatically encrypted by the SSL channel.

According to Wikipedia, here is the description for the channels.

  • Secure command channel

The secure command channel mode can be entered through the issue of either the AUTH TLS or AUTH SSL commands. After such time, all command control between the FTPS client and server are assumed to be encrypted. It is generally advised to enter such a state prior to user authentication and authorization in order to avoid the eavesdropping of user name and password data by third parties.

  • Secure data channel

The secure data channel can be entered through the issue of the PROT command. It is not enabled by default when the AUTH TLS command is issued. After such time, all data channel communication between the FTPS client and server is assumed to be encrypted. The FTPS client may exit the secure data channel mode at any time by issuing a CDC (clear data channel) command.

References:
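The server-side log in the question masks the password in both cases, so it cannot show whether the wire was protected; what matters is the ordering the answer describes: in explicit FTPS the client must send AUTH TLS (or AUTH SSL) and get the server's 234 reply before USER/PASS, and PROT P before any data transfer, while implicit FTPS negotiates TLS before the first command. The script below is an added example and is not part of the question, the answer or any FTP project; it audits a constructed control-channel transcript (lines prefixed `C:` for client and `S:` for server, a format assumed here) against that rule, and includes an `ftplib.FTP_TLS` helper showing the same sequence from the client side. A packet capture gives the same confirmation directly: with plain FTP the `PASS` line is readable in the TCP stream, whereas with FTPS everything after the 234 reply is TLS records.

```python
"""Audit an FTP control-channel transcript for credentials sent in the clear.

Added example, not code from the original Q&A. The transcript format
("C: <command>" / "S: <reply>") is an assumption made for this demo.
"""
from dataclasses import dataclass, field
import ftplib


@dataclass
class Findings:
    control_encrypted_before_login: bool = False  # TLS up when USER was sent
    data_channel_protected: bool = False          # PROT P accepted under TLS
    issues: list = field(default_factory=list)    # human-readable problems


def analyse_transcript(lines, implicit_tls=False):
    """Walk the transcript in order and track whether TLS is up on the
    control channel at the moment USER, PASS and PROT are issued.

    implicit_tls=True models implicit FTPS (conventionally port 990), where
    TLS is negotiated before the first FTP command, so no AUTH is needed."""
    findings = Findings()
    tls_up = implicit_tls
    auth_pending = False  # AUTH sent, waiting for the server's reply code

    for raw in lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue
        side, _, msg = line.partition(":")
        side, msg = side.strip().upper(), msg.strip()

        if side == "C":
            verb, _, arg = msg.partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
                auth_pending = True
            elif verb == "USER":
                findings.control_encrypted_before_login = tls_up
                if not tls_up:
                    findings.issues.append(
                        f"USER {arg} sent on an unencrypted control channel")
            elif verb == "PASS":
                if not tls_up:
                    findings.issues.append(
                        "PASS sent on an unencrypted control channel "
                        "(password readable on the wire)")
            elif verb == "PROT":
                # RFC 4217: PROT P = private (encrypted) data channel,
                # PROT C = clear data channel. Only meaningful under TLS.
                findings.data_channel_protected = tls_up and arg.upper() == "P"
            elif verb == "CCC":
                tls_up = False  # RFC 4217 Clear Command Channel
        elif side == "S" and auth_pending:
            auth_pending = False
            code = msg[:3]
            if code == "234":
                tls_up = True  # server agreed; TLS handshake follows
            else:
                findings.issues.append(
                    f"AUTH rejected with reply {code}; channel stays clear")
    return findings


def explicit_ftps_login(host, user, password, port=21):
    """Client-side counterpart (needs a live server; not run by the demo):
    AUTH TLS first, then credentials, then PROT P for the data channel."""
    ftps = ftplib.FTP_TLS()
    ftps.connect(host, port)
    ftps.auth()                  # sends AUTH TLS and wraps the control socket
    ftps.login(user, password)   # USER/PASS now travel inside TLS
    ftps.prot_p()                # PBSZ 0 + PROT P: encrypt data connections too
    return ftps


# Constructed transcripts (not real captures) for the offline demo.
EXPLICIT_FTPS_TRANSCRIPT = [
    "C: AUTH TLS", "S: 234 Proceed with negotiation",
    "C: USER ftp", "S: 331 Password required for ftp",
    "C: PASS hunter2", "S: 230 Login successful",
    "C: PBSZ 0", "S: 200 PBSZ set to 0",
    "C: PROT P", "S: 200 Protection level set to P",
]
PLAIN_FTP_TRANSCRIPT = [
    "C: USER ftp", "S: 331 Password required for ftp",
    "C: PASS hunter2", "S: 230 Login successful",
]

if __name__ == "__main__":
    for name, lines, implicit in (("explicit FTPS", EXPLICIT_FTPS_TRANSCRIPT, False),
                                  ("plain FTP", PLAIN_FTP_TRANSCRIPT, False),
                                  ("implicit FTPS", PLAIN_FTP_TRANSCRIPT, True)):
        f = analyse_transcript(lines, implicit_tls=implicit)
        print(f"{name}: login under TLS={f.control_encrypted_before_login}, "
              f"data protected={f.data_channel_protected}, issues={f.issues}")
```

Running the demo reports the explicit FTPS transcript as clean, flags both USER and PASS in the plain FTP transcript, and treats the same USER/PASS sequence as safe when `implicit_tls=True`, which is exactly the distinction the server log in the question cannot make on its own.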