When using the File Transfer Service, file-channel files are always transferred over an encrypted session.
The session is encrypted as follows:
The client and server agree on an AES-256 session key using the Diffie-Hellman key exchange protocol (implemented with the OpenSSL library). Once the key is established, all file transfers between the client and the server take place over this encrypted channel.
However, the Diffie-Hellman exchange by itself does not authenticate either endpoint, so even though the session is encrypted, communication between the client and the server may still be susceptible to man-in-the-middle attacks. A man-in-the-middle in possession of the session key would be able to intercept any data transferred between the client and the server.
To eliminate man-in-the-middle attacks, a "shared password" needs to be provided when configuring the local and remote file channel endpoints. Once the session is established, both the client and the server use the shared password to re-key the session key during the next packet exchange. An attacker who does not know the password cannot derive the new key, so the original session key can no longer be used for a man-in-the-middle attack.
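The following simulation, added here as an illustration and not code from the File Transfer Service or OpenSSL, models the exchange described above: an unauthenticated Diffie-Hellman agreement, an active attacker who substitutes its own public value on both legs, and a re-key step that mixes the shared password into the session key. The group size, the HMAC-based re-key construction and the function names are assumptions for the example only.

```python
import hashlib
import hmac
import secrets

# Demonstration-sized Diffie-Hellman group (constructed for this example);
# a real deployment uses a standard 2048-bit or larger group.
P = 2**127 - 1
G = 5

def dh_public(priv: int) -> int:
    return pow(G, priv, P)

def session_key(peer_pub: int, priv: int) -> bytes:
    # Hash the shared secret down to 32 bytes, the AES-256 key size.
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def rekey(key: bytes, password: str) -> bytes:
    # Assumed re-key construction: only a party that knows the shared
    # password can derive the new key from the original session key.
    return hmac.new(password.encode(), key, hashlib.sha256).digest()

def run_exchange(password: str, active_attacker: bool) -> dict:
    a = secrets.randbelow(P - 2) + 2   # client private value
    b = secrets.randbelow(P - 2) + 2   # server private value
    pub_a, pub_b = dh_public(a), dh_public(b)
    attacker_keys = []
    if active_attacker:
        # The attacker swaps its own public value into both directions,
        # so each endpoint unknowingly agrees a key with the attacker.
        m = secrets.randbelow(P - 2) + 2
        pub_m = dh_public(m)
        client_key = session_key(pub_m, a)
        server_key = session_key(pub_m, b)
        attacker_keys = [session_key(pub_a, m), session_key(pub_b, m)]
    else:
        client_key = session_key(pub_b, a)
        server_key = session_key(pub_a, b)
    # Both endpoints re-key; "" models an endpoint with no password configured.
    client_final = rekey(client_key, password)
    server_final = rekey(server_key, password)
    # The attacker holds the original session keys but not the password,
    # so the best it can do is re-key with an empty password.
    attacker_final = [rekey(k, "") for k in attacker_keys]
    return {
        "endpoints_share_key": hmac.compare_digest(client_final, server_final),
        "attacker_has_session_keys": client_key in attacker_keys and server_key in attacker_keys,
        "attacker_has_final_keys": client_final in attacker_final and server_final in attacker_final,
    }
```

With a password configured, a man-in-the-middle still obtains the two original session keys but cannot derive the re-keyed keys, so it can neither read the traffic nor relay it between the endpoints.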
To sum up:
- Strong encryption is used regardless of whether a password was provided.
- Providing a password eliminates the risk of a man-in-the-middle attack.
For more information about the File Transfer Service, see File Transfer Service.