At the very high stage, the File Transfer Protocol, FTP security extensions try to offer an abstract method for authorizing connections, and privacy protecting instructions, replies, and data transfers.

In the view of FTP security, validation is the basis of a client’s/server’s identity in a secure system, usually using cryptographic actions. The basic File Transfer Protocol does not have a assumption of validation.

Without the security extensions, validation of the client, as this phrase is usually understood, never happens. File Transfer Protocol, FTP authorization is accomplished with a password passed on the network in the clear as the argument to the PASS command. As the user named in the USER command, the owner of this password is believed to be authoritative to transfer files, but the identity of the user is never securely recognized.

A FTP security communication begins with a client telling the server what security system it wants to use. The server will either deny this system, accept this system, or in the case of a server which does not put into action the security extensions, reject the command fully.

The client may try multiple security systems until it requests one which the server accepts. This allows a simple form of arbitration to take place. The server’s response will specify if the client needs to respond with additional data for the security system to understand. If nothing is needed, that means system is one, where the provided password is to be interpreted in a different way, with a token or one-time password system.

If the server requests additional security information, then the client and server will enter into a secured data exchange. An ADAT command containing the first block of security data will be send by the client. The server’s respond will specify if the data exchange is complete, if there was an error, or if more data is needed.

The server’s respond can optionally contain security data for the client to understand. If more data is needed, the client will send another ADAT command containing the next block of data, and await the server’s response. This can continue as many times as needed. Once this exchange finishes, the server and client have established a security association. This association may include confirmation and keying information for privacy, depending on the system in use.