RFC 2228 (rfc2228) - Page 2 of 27
FTP Security Extensions
Alternative Format: Original Text Document
RFC 2228 FTP Security Extensions October 1997
1. Introduction
The File Transfer Protocol (FTP) currently defined in STD 9, RFC 959
and in place on the Internet uses usernames and passwords passed in
cleartext to authenticate clients to servers (via the USER and PASS
commands). Except for services such as "anonymous" FTP archives,
this represents a security risk whereby passwords can be stolen
through monitoring of local and wide-area networks. This either aids
potential attackers through password exposure and/or limits
accessibility of files by FTP servers who cannot or will not accept
the inherent security risks.
Aside from the problem of authenticating users in a secure manner,
there is also the problem of authenticating servers, protecting
sensitive data and/or verifying its integrity. An attacker may be
able to access valuable or sensitive data merely by monitoring a
network, or through active means may be able to delete or modify the
data being transferred so as to corrupt its integrity. An active
attacker may also initiate spurious file transfers to and from a site
of the attacker's choice, and may invoke other commands on the
server. FTP does not currently have any provision for the encryption
or verification of the authenticity of commands, replies, or
transferred data. Note that these security services have value even
to anonymous file access.
Current practice for sending files securely is generally either:
1. via FTP of files pre-encrypted under keys which are manually
distributed,
2. via electronic mail containing an encoding of a file encrypted
under keys which are manually distributed,
3. via a PEM message, or
4. via the rcp command enhanced to use Kerberos.
None of these means could be considered even a de facto standard, and
none are truly interactive. A need exists to securely transfer files
using FTP in a secure manner which is supported within the FTP
protocol in a consistent manner and which takes advantage of existing
security infrastructure and technology. Extensions are necessary to
the FTP specification if these security services are to be introduced
into the protocol in an interoperable way.
Horowitz & Lunt Standards Track