THE INFORMATION IN THIS ARTICLE APPLIES TO:
- EFT Server Enterprise v6.3 and later
DISCUSSION
EFT Server currently does not provide a way to configure the SFTP cipher/MAC algorithms for outbound connections in the administration interface. The Site-level SFTP configuration for inbound protocols in the interface does not affect the outbound settings. Algorithms for outbound connections can instead be configured through registry settings that enable or disable the individual ciphers and MACs.
The SFTP registry keys are created automatically by ClientFTP.dll, which writes to the registry when it finishes a transfer. Edit the settings while no transfers are in progress so that ClientFTP.dll loads your custom settings; when the next transfer finishes, it saves those custom settings back to the registry and continues to use them from then on. After a clean install you may have to run one outbound transfer before the keys are created, or you can create them manually. (Again, do this when there is no outbound activity, so that your changes are not overwritten.)
The registry settings reside under:
- 32-bit Windows: HKLM\SOFTWARE\GlobalSCAPE\TED 6\Settings\SecuritySFTP2\
- 64-bit Windows: HKLM\SOFTWARE\Wow6432Node\GlobalSCAPE\TED 6\Settings\SecuritySFTP2\
The following registry values enable and disable the cipher and MAC algorithms. They are REG_DWORD values and all default to "1" (enabled). To disable a given cipher or MAC algorithm, set its value to "0".
- Cipher algorithm values:
  - SFTP2_AES128
  - SFTP2_AES256
  - SFTP2_TripleDES
  - SFTP2_ARCFOUR
  - SFTP2_CAST128
  - SFTP2_Twofish
  - SFTP2_Blowfish
  - SFTP2_TWOFISH256
  - SFTP2_TWOFISH128
  - SFTP2_AES128CTR (applies only to v6.4.13 - v6.4.x)
  - SFTP2_AES256CTR (applies only to v6.4.13 - v6.4.x)
- MAC algorithm values:
  - SFTP2_SHA1_96
  - SFTP2_SHA1
  - SFTP2_MD5
  - SFTP2_MD5_96
In EFT Server v6.3.16 the default order of preference is:
- Cipher algorithm values:
  - SFTP2_TripleDES
  - SFTP2_ARCFOUR
  - SFTP2_CAST128
  - SFTP2_Twofish
  - SFTP2_Blowfish
  - SFTP2_AES256
  - SFTP2_TWOFISH256
  - SFTP2_AES128
  - SFTP2_TWOFISH128
- MAC algorithm values:
  - SFTP2_SHA1_96
  - SFTP2_SHA1
  - SFTP2_MD5
  - SFTP2_MD5_96
In EFT Server v6.3.16 and v6.4.1, the order of algorithm preference can be customized using the registry values "SFTP2_CipherAlgs" and "SFTP2_MACAlgs". These are REG_BINARY entries containing a list of algorithm names in order of preference. The list uses the "display names" of the algorithms, taken from the following:
- Cipher algorithm display names:
  - TripleDES
  - ARCFOUR
  - CAST128
  - Twofish
  - Blowfish
  - AES256
  - Twofish128
  - AES128
  - Twofish256
- MAC algorithm display names:
  - MD5
  - SHA1
  - SHA1-96
  - MD5-96
In EFT Server v6.4.13 - v6.4.x, the default order of preference is:
- Cipher algorithm values:
  - SFTP2_AES128
  - SFTP2_AES256
  - SFTP2_TripleDES
  - SFTP2_ARCFOUR
  - SFTP2_CAST128
  - SFTP2_Twofish
  - SFTP2_Blowfish
  - SFTP2_TWOFISH256
  - SFTP2_TWOFISH128
  - SFTP2_AES128CTR (applies only to v6.4.13 - v6.4.x)
  - SFTP2_AES256CTR (applies only to v6.4.13 - v6.4.x)
- MAC algorithm values:
  - SFTP2_SHA1_96
  - SFTP2_SHA1
  - SFTP2_MD5
  - SFTP2_MD5_96
The following snippet from the ClientFTP log file shows the negotiated algorithms when only SFTP2_TWOFISH128 and SFTP2_MD5_96 are enabled:
STATUS:> Host key match found in certificate database -- accepted.
STATUS:> First key exchange completed
Negotiated algorithms:
kex alg: diffie-hellman-group14-sha1
host key alg: ssh-rsa
c2s encr alg: twofish128-cbc
s2c encr alg: twofish128-cbc
c2s mac alg: hmac-md5-96
s2c mac alg: hmac-md5-96
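The following PowerShell script is an added example, not GlobalSCAPE code. It audits the REG_DWORD values described above under the correct key for 32- or 64-bit Windows and can disable a chosen set of algorithms; which algorithms it disables (everything except AES ciphers and full-length HMAC-SHA1) is this script's own policy choice, not a setting from the article. It does not touch the REG_BINARY ordering values, because the article does not specify their byte encoding.

```powershell
# Added example (not GlobalSCAPE code). Run while no outbound transfers are in
# progress: ClientFTP.dll rewrites these values when a transfer finishes.
$base = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\GlobalSCAPE\TED 6\Settings\SecuritySFTP2'
} else {
    'HKLM:\SOFTWARE\GlobalSCAPE\TED 6\Settings\SecuritySFTP2'
}

# Policy assumed by this script: keep AES ciphers (CTR values only exist on
# v6.4.13+) and HMAC-SHA1; disable every other cipher and the MD5/truncated MACs.
$keep    = @('SFTP2_AES128', 'SFTP2_AES256', 'SFTP2_AES128CTR', 'SFTP2_AES256CTR',
             'SFTP2_SHA1')
$disable = @('SFTP2_TripleDES', 'SFTP2_ARCFOUR', 'SFTP2_CAST128', 'SFTP2_Twofish',
             'SFTP2_Blowfish', 'SFTP2_TWOFISH256', 'SFTP2_TWOFISH128',
             'SFTP2_MD5', 'SFTP2_MD5_96', 'SFTP2_SHA1_96')

function Get-EftSftpAlgorithmState {
    # Reports each value as Enabled, Disabled or Missing. A missing value still
    # means "enabled" at runtime, since the article says all values default to 1.
    if (-not (Test-Path $base)) {
        throw "Key not found: $base (run one outbound transfer first, or create it)"
    }
    $props = Get-ItemProperty -Path $base
    foreach ($name in ($keep + $disable)) {
        $v = $props.PSObject.Properties[$name]
        $state = if ($null -eq $v)      { 'Missing (defaults to enabled)' }
                 elseif ($v.Value -eq 0) { 'Disabled' }
                 else                    { 'Enabled' }
        [pscustomobject]@{ Name = $name; State = $state; Policy = $(if ($name -in $disable) { 'disable' } else { 'keep' }) }
    }
}

function Disable-EftSftpAlgorithms {
    # Sets every value in $disable to 0 (REG_DWORD), creating it if absent.
    # -Force overwrites an existing value rather than failing.
    foreach ($name in $disable) {
        New-ItemProperty -Path $base -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

Get-EftSftpAlgorithmState | Format-Table -AutoSize
# Disable-EftSftpAlgorithms   # uncomment to apply, then re-run the audit above
```

After applying, confirm the result in the ClientFTP log: the "c2s encr alg" and "c2s mac alg" lines of the next outbound transfer should show only the algorithms you left enabled.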