Upgrading Ciphers for SFTP Transfer to DailyPay
Starting 1/31/25, outdated ciphers will no longer be supported when connecting with DailyPay’s SFTP server (connect.dailypay.com).
This article is available to help you understand how ciphers work, identify your current ciphers, upgrade to the supported suite of ciphers, and escalate any issues for additional assistance. If you have not received any communication from the DailyPay team about this change, you are already on an up-to-date cipher.
Failure to upgrade the ciphers for your connection may result in interrupted service with DailyPay after 1/31/25.
Please review this document to make any necessary changes to your connection. Our team is available to help with any questions throughout this process and you can contact us at client.support@dailypay.com for additional follow up.
What are ciphers and why is upgrading required?
Ciphers refer to the encryption technology that is used under the hood for encrypting data as it is in transit to and from DailyPay’s server. These ciphers are used for all inbound connections to DailyPay’s server: HTTPS, FTPS, and SFTP.
At DailyPay, it is our top priority that your business-critical payment data for employers, merchants, and financial institutions is reliable and secure. For this reason, we are requiring all connections to be updated to the most secure, modern ciphers.
While this new requirement will be for all inbound connections, to date we have only seen outdated ciphers used when users or systems are using SFTP to connect with the DailyPay server.
Upgrading your ciphers
If you have not received any communication from the DailyPay team about this change, you are already on an up-to-date cipher. If you are required to update your ciphers, the steps to correct will depend on how you are connecting with the DailyPay server.
Reminder: if your organization uses multiple systems on the same set of credentials when connecting with DailyPay, it is important that you follow these steps for all tools and systems.
Using an FTP client
FTP Clients are tools used to connect your local device to an external server using either the FTP or SFTP protocol. Some popular examples of FTP Clients include FileZilla, WinSCP, CuteFTP, CoreFTP, Cyberduck, and Transmit.
If you are using an FTP Client, you should make sure you upgrade your software to the most recent version. Simply upgrading an FTP client will often apply the more recent/up-to-date ciphers by default. This should be the first step in upgrading your ciphers.
Using a custom script
If you are connecting with DailyPay through a custom automation run from the command prompt (Windows) or terminal (macOS) on your local device, you will need to confirm that your script is passing supported ciphers.
Example when using command prompt/terminal:
-c (cipher) specifies one or more (comma-separated) encryption algorithms supported by the client. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server.
-m (MAC algorithm) specifies which MACs (message authentication codes) are supported for this connection.
An example of flagging cipher and MAC algorithms in syntax:
sftp -c aes128-ctr -m hmac-sha2-256 username@connect.dailypay.com
See the section Supported Ciphers below for the full list of supported encryption standards and cipher naming.
Using a custom application or tool
If your organization has a tool or system that has been developed in-house to automate SFTP transfers, you will need to connect with your IT department or engineering resources to inform them of the required upgrade and coordinate internal updates. Please reference the section Supported Ciphers below to make sure your team has the information necessary to continue connecting with DailyPay’s server.
Our team will be happy to provide additional resources or assistance through this process, depending on your needs. Please contact client.support@dailypay.com if there are questions or challenges around upgrading your internal systems.
Supported ciphers
DailyPay’s SFTP service is provided through Files.com. Like other SFTP servers, Files.com adheres to RFC 4253, section 7.1 when negotiating with SFTP clients to decide which ciphers to use. Files.com's choice of default ciphers and other security capabilities earns an A+ Rating on the Qualys SSL grader.
Simply put, the SFTP client will send the list of ciphers it supports in order of preference, and the server will choose the first cipher on the list that it also supports. Hence, the choice is biased towards the client's preferences.
Your SFTP app and Files.com will only connect if both sides agree to use a secure cipher. Insecure ciphers can be rejected by either side. Make sure that your SFTP app uses a supported secure cipher. A well-written, properly-configured, and up-to-date client will prefer secure ciphers to insecure ciphers.
SFTP implements its own encryption standards and cipher naming. By default, Files.com supports the following security algorithms for SFTP:
TYPE | ALGORITHMS |
Key Exchange | curve25519-sha256, curve25519-sha256@libssh.org, curve448-sha512, diffie-hellman-group-exchange-sha256, diffie-hellman-group18-sha512, diffie-hellman-group17-sha512, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group14-sha256 |
Server Host Key Algorithms | ssh-rsa, rsa-sha2-256, rsa-sha2-512 |
Encryption | chacha20-poly1305@openssh.com, aes128-ctr (a.k.a. AES-128 SDCTR [AES-NI accelerated]), aes192-ctr (a.k.a. AES-192 SDCTR [AES-NI accelerated]), aes256-ctr (a.k.a. AES-256 SDCTR [AES-NI accelerated]), aes128-gcm@openssh.com, aes256-gcm@openssh.com |
MAC (Message Authentication Codes) | hmac-sha2-256, hmac-sha2-512, hmac-sha1, hmac-sha2-512-etm@openssh.com, hmac-sha2-256-etm@openssh.com, hmac-sha1-etm@openssh.com |
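The negotiation rule described above, applied to the encryption and MAC rows of the table, as an added example (not DailyPay or Files.com code). The client offers are constructed samples, and `negotiate` and `check_client` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not DailyPay or Files.com code.
# Server lists copied from the "Supported ciphers" table on this page.
SERVER_CIPHERS="chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"
SERVER_MACS="hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com"

# negotiate CLIENT_LIST SERVER_LIST (both comma-separated)
# Rule for encryption and MAC algorithms: the first name on the client's
# list that is also on the server's list wins. Prints that name, or
# returns 1 without output when the lists share nothing.
negotiate() {
    for alg in $(printf '%s' "$1" | tr ',' ' '); do
        case ",$2," in
            *",$alg,"*) printf '%s\n' "$alg"; return 0 ;;
        esac
    done
    return 1
}

# check_client CLIENT_CIPHERS CLIENT_MACS
# Reports what a client offering these lists would negotiate.
check_client() {
    c=$(negotiate "$1" "$SERVER_CIPHERS") || { echo "FAIL: no shared cipher"; return 1; }
    m=$(negotiate "$2" "$SERVER_MACS") || { echo "FAIL: no shared MAC"; return 1; }
    echo "OK: cipher=$c mac=$m"
}

# Constructed client offers (hypothetical, for illustration only).
LEGACY_CIPHERS="aes128-cbc,3des-cbc"
LEGACY_MACS="hmac-md5,hmac-sha1-96"
MIXED_CIPHERS="aes128-cbc,aes256-ctr,aes128-ctr"
MIXED_MACS="hmac-md5,hmac-sha1,hmac-sha2-256"

check_client "$LEGACY_CIPHERS" "$LEGACY_MACS" || true  # nothing in common
check_client "$MIXED_CIPHERS" "$MIXED_MACS"            # client order decides

# For a real OpenSSH client, feed in the lists it would actually offer:
#   check_client "$(ssh -G connect.dailypay.com | awk '$1=="ciphers"{print $2}')" \
#                "$(ssh -G connect.dailypay.com | awk '$1=="macs"{print $2}')"
# Then pin the result; OpenSSH's sftp takes MACs through -o, not -m:
#   sftp -o Ciphers=aes256-ctr -o MACs=hmac-sha2-256 username@connect.dailypay.com
```

In the second sample the client ends up on hmac-sha1 even though it also offers hmac-sha2-256, because it listed hmac-sha1 first; ordering the client's list strongest-first is what controls the outcome.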