I think you have a few misconceptions.

First, packets are sometimes "destroyed" or dropped in the normal functioning of any
TCP/IP-based network. That is why TCP numbers all of the packets it sends and
automatically retransmits ones not acknowledged (conceptually similar to EDI 997s).
FTP adds another level of data corruption checking.

Because information sent using standard FTP is not encrypted, including your user ID
and password, it is possible for someone to see this information if they can gain
access to a system along the actual path that your data takes (not easy). Also, if
they get your user ID and password they can spoof a transmission from you and send
bogus data.

SSL solves these problems using encryption algorithms: RSA public key encryption for
authentication and DES (or some other symmetric key encryption algorithm) to encrypt
your data.

The strength of these encryption mechanisms depends to a large extent on the key length
used. I believe RSA encryption with a key of 1024 bits is currently considered not
crackable. Shorter key lengths may be crackable but only with great effort. A newer
algorithm called elliptical curve can also serve a similar function but has not had
time to be as well evaluated.

DES usually uses 56 bit keys. This was considered uncrackable up until a few years
ago. Now it can be cracked, but only with great effort. Triple-DES is being used as
a replacement. (Triple DES has an effective key length of 112.) I believe it is
currently not crackable. There are other algorithms that can be used instead of
Triple-DES but, I believe, their security has been less well established.

Of course the effectiveness of these algorithms can be compromised if they are not
carefully implemented. (As has been recently demonstrated by problems with Internet
Explorer and Navigator.) But, even when the implementation is less than perfect and
short keys are used, these algorithms provide a vastly more secure mechanism for
transporting files than plain FTP.

I hope this helps some.

Jay Rosansky
ACS-GSG
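
The exposure described in the reply above (user ID and password readable under standard FTP, protected once SSL is negotiated) can be checked from a client-side command log. The following is an added example, not part of the original message: it assumes the explicit FTPS commands AUTH TLS, PBSZ and PROT as later standardized in RFC 4217, assumes the server accepted every command, and uses constructed sample sessions.

```python
# Constructed client-side command logs (not captured traffic).
PLAIN_SESSION = ["USER edi_partner", "PASS example-only", "TYPE I",
                 "STOR invoices.edi", "QUIT"]
FTPS_SESSION = ["AUTH TLS", "USER edi_partner", "PASS example-only",
                "PBSZ 0", "PROT P", "TYPE I", "STOR invoices.edi", "QUIT"]
# Control channel encrypted, but data channel left in the clear (PROT C).
CLEAR_DATA_SESSION = ["AUTH TLS", "USER edi_partner", "PASS example-only",
                      "PBSZ 0", "PROT C", "STOR invoices.edi"]

CREDENTIAL_CMDS = {"USER", "PASS", "ACCT"}
TRANSFER_CMDS = {"STOR", "RETR", "APPE", "STOU", "LIST", "NLST"}


def audit_ftp_session(commands):
    """Return (line number, verb, finding) for anything sent unencrypted.

    Assumption: every command in the log was accepted by the server.
    Arguments are never copied into findings, so passwords are not echoed.
    """
    findings = []
    control_encrypted = False  # True once AUTH TLS/SSL has been issued
    data_protected = False     # True once PROT P is set on an encrypted session
    for lineno, line in enumerate(commands, start=1):
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            control_encrypted = True
        elif verb == "CCC":  # "clear command channel" drops back to plaintext
            control_encrypted = False
        elif verb == "PROT":
            data_protected = control_encrypted and arg == "P"
        elif verb in CREDENTIAL_CMDS and not control_encrypted:
            findings.append((lineno, verb, "credential sent in cleartext"))
        elif verb in TRANSFER_CMDS and not data_protected:
            findings.append((lineno, verb, "data channel not encrypted"))
    return findings


if __name__ == "__main__":
    for name, session in (("plain FTP", PLAIN_SESSION),
                          ("FTP over SSL", FTPS_SESSION),
                          ("SSL control, clear data", CLEAR_DATA_SESSION)):
        print(name, audit_ftp_session(session))
```
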
> -----Original Message-----
> From: [EMAIL PROTECTED]%internet
> [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 14, 2000 5:16 PM
> To: [EMAIL PROTECTED]%internet
> Subject: Secure FTP using SSL
>
>
> Until just about two weeks ago, I didn't even know that there was an effort
> underway to create secure FTP using SSL... I'll call it FTP/s....at least that
> is what one of the vendors referred to it as.
>
> I have come across two vendors that are doing FTP/s so far: Sterling "a
> product called Enterprise Server?? It is a combination of Connect:Mailbox,
> Connect:Direct and an Internet piece which will do FTP/s, S/MIME, etc" and
> bTrade. There may be more on this list that would like to talk about the
> subject.
>
> I have two questions. One.. What I have heard about SSL makes me believe that
> the security is not very strong. Does anyone have any other comments? Second,
> what are the reasons that make FTP with SSL a preferred method for some? I
> believe SSL was established to securely link two computer sessions together. I
> believe that means that someone cannot see what the contents are nor can they
> destroy the packets going back and forth...unless the security is breached? One
> of the problems with regular FTP is that someone can capture and/or destroy one
> or all packets. If the packets are encrypted they can't read them easily, but
> they could destroy them. Is FTP/s an attempt to eliminate this?
>
> Secondly... How standard is FTP/s. How many people are doing it today or are
> planning on doing it?
>
> Thanks
> Jonathan
>
> Dave Taylor <sysmark@ATT.NET>
> 06/14/2000 12:53 PM
> Please respond to sysmark
>
> To: [EMAIL PROTECTED]
> cc: (bcc: Jonathan Showalter/MutualOMA)
> Subject: Re: What would you use an FTP SP for? was RE: List of FTP Service Providers & Thank You
>
> FTP is one of the most reliable internet protocols for
> transferring files from one computer to another.
>
> Secure FTP is one of the few internet protocols
> available for encrypting those files so that they can not
> be read by anyone other than the intended recipient.
>
> We are looking for a Secure FTP client that can run with
> SSL encryption to enable our customers to use VAN
> services that offer Secure FTP using SSL as an internet
> protocol.
>
> We have found only two sources: bTrade and Valicert.
>
> The single-user bTrade client running on W95 or W98 is
> reasonably priced. The bTrade client running on NT
> Server assumes is not priced by the User, so its price
> is not so attractive.
>
> Valicert is not eager to sell its Secure FTP client
> separately from its FTP Server.
>
> It is not practical to have to run a different FTP
> client for each FTP server that one has to connect with.
>
> Any suggestions?
>
> =======================================================================
> To signoff the EDI-L list, mailto:[EMAIL PROTECTED]
> To subscribe, mailto:[EMAIL PROTECTED]
> To contact the list owner: mailto:[EMAIL PROTECTED]
> Archives at http://www.mail-archive.com/edi-l%40listserv.ucop.edu/