When sending data between systems, users and businesses should be cautious preserving data confidentiality and integrity, especially if this data is determined as sensitive or personal. The use of tools or protocols that fail to preserve an appropriate level of security may expose this data to eavesdroppers, leading to a violation of privacy and security regulations. Performing data transactions through Secure Copy Protocol (SCP) is one of the methods which is built for the secure transfer of digital information.
What is SCP protocol?
Secure Copy Protocol (SCP) is a method based on (Secure Shell) SSH for safely transferring computer files between a local host and a remote host, or between two remote hosts. The protocol is a "secure" implementation of the RCP (Remote Copy Protocol)—a protocol for transferring files across a network.
The RCP is used to transfer the files, and the SSH protocol provides authentication and encryption, so SCP can be considered a mixture of these two protocols. The data that is being transferred remains confidential, so the SCP can be used to successfully block packet sniffers that can extract valuable information from the data packets. The SCP can also benefit from using SSH because it allows the inclusion of permissions and timestamps for the file that needs to be uploaded.
SCP works on top of the SSH protocol and supports an authentication mechanism to provide authenticity and confidentiality for transferred files, just like SSH provides the same thing for the older and insecure Telnet protocol. As the SCP protocol provides an authentication procedure between the two hosts and encryption for the transfer, it can ensure the security and the authenticity of the transferred data.
Whenever users transfer files between a server and client (or vice versa) via these apps, those are implemented via the SCP protocol, unless users have chosen to use the SFTP protocol as the default mode for data transfers. With SCP, you can transfer files quickly by using the command line. This method often is faster and simpler than utilizing a client with graphical interface. What is more, the command-line feature can also be used for automating batch files and scripts transfers.
Since its first release back in 1983, SCP has been used as a standalone app under the same name but has also been embedded inside other apps. For example, SCP is the standard file transfer method for OpenSSH, Putty, and WinSCP. Since the SCP protocol is cross-platform, there are versions and programs for all operating systems—Windows, macOS, Linux, Android, and iOS.
How does SCP protocol work?
Secure Copy needs authentication from involved hosts. In addition, you should set up an SSH connection between the local host and the targeted remote host before performing the transfer via the protocol. For that, you are required to enter the authorized key for the public key authentication.
After building up the SSH connection between the two hosts, the SCP client will begin a secure copy process with two different available modes—source mode and sink mode. SCP clients often utilize the -f flag (from) to trigger source mode. If you want to trigger sink mode to transfer data to the targeted remote host, you need to use -t flag (to).
- Source mode: An SCP request in the source mode reads files from the targeted distant host and sends them back to the client.
- Sink mode: If the sink mode is used via the SCP protocol on the client, it will send signals to the remote host indicating that there is input data to be written to the remote host.
Typically, a syntax of SCP program is like the syntax of cp (copy). If you wish to copy a local file to a remote host, then you should type in the following command:
scp LocalSourceFile user@remotehost:directory/TargetFile
If you would like to copy a file from remote host or copy a folder from remote host (with -r switch), the following commands apply respectively:
scp user@remotehost:directory/SourceFile LocalTargetFile
scp -r user@host:directory/SourceFolder LocalTargetFolder
Security of SCP Protocol
Although SCP is generally considered a secure option for transferring files between remote hosts, Harry Sintonen, a security researcher with Finnish cyber-security firm F-Secure, discovered in January 2019 that the protocol is vulnerable. The researcher found that all SCP implementations since 1983 are vulnerable to four security bugs that allow a malicious SCP server to make unauthorized changes to a client's (user's) system and hide malicious operations in the terminal. When copying files from remote systems to a local directory, SCP was not verifying the filenames of what was being sent from the server to client.
Since then, patches were issued by all vendors that support the SCP protocol, but OpenSSH went one step further, with the release of OpenSSH 8.0. In April 2019, the developers noted that “The SCP protocol is outdated, inflexible and not readily fixed. We recommend the use of more modern protocols like SFTP and RSYNC for file transfer instead.”
Besides patching these vulnerabilities, the security of associated SSH keys is also paramount since the SCP protocol relies on SSH. Businesses and individuals should take extra precaution protecting these keys and rotate them on a frequent basis. The Venafi SSH Protect platform helps organizations safeguard host-to-host connections by discovering, protecting and automating the lifecycle of SSH machine identities.