Security policies for Amazon Transfer Family servers
Server security policies in Amazon Transfer Family allow you to limit the set of cryptographic algorithms (message authentication codes (MACs), key exchanges (KEXs), and cipher suites) associated with your server. For a list of supported cryptographic algorithms, see Cryptographic algorithms. For a list of supported key algorithms for use with server host keys and service-managed user keys, see Supported algorithms for user and server keys.
Note
We strongly recommend updating your servers to our latest security policy. Our latest security policy is the default. Any customer who creates a Transfer Family server using CloudFormation and accepts the default security policy will be automatically assigned the latest policy. If you are concerned about client compatibility, please affirmatively state which security policy you wish to use when creating or updating a server rather than using the default policy, which is subject to change.
To change the security policy for a server, see Edit the security policy.
For more information on security in Transfer Family, see the blog post, How Transfer Family can help you build a secure, compliant managed file transfer solution
Topics
- Cryptographic algorithms
- TransferSecurityPolicy-2024-01
- TransferSecurityPolicy-2023-05
- TransferSecurityPolicy-2022-03
- TransferSecurityPolicy-2020-06
- TransferSecurityPolicy-2018-11
- TransferSecurityPolicy-FIPS-2024-01
- TransferSecurityPolicy-FIPS-2023-05
- TransferSecurityPolicy-FIPS-2020-06
- Post Quantum security policies
Note
TransferSecurityPolicy-2024-01 is the default security policy
attached to your server when creating a server using the console, API, or CLI.
Cryptographic algorithms
For host keys, we support the following algorithms:
-
rsa-sha2-256 -
rsa-sha2-512 -
ecdsa-sha2-nistp256 -
ecdsa-sha2-nistp384 -
ecdsa-sha2-nistp521 -
ssh-ed25519
Additionally, the 2018 and 2020 security policies allow ssh-rsa.
Note
It is important to understand the distinction between the RSA key
type—which is always ssh-rsa—and the RSA host key
algorithm, which can be any of the supported algorithms.
The following is a list of supported cryptographic algorithms for each security policy.
Note
In the following table and policies, note the following use of algorithm types.
-
SFTP servers only use algorithms in the SshCiphers, SshKexs, and SshMacs sections.
-
FTPS servers only use algorithms in the TlsCiphers section.
-
FTP servers, since they don't use encryption, do not use any of these algorithms.
| Security policy | 2024-01 | 2023-05 | 2022-03 | 2020-06 | FIPS-2024-01 | FIPS-2023-05 | FIPS-2020-06 | 2018-11 |
|---|---|---|---|---|---|---|---|---|
|
SshCiphers |
||||||||
|
aes128-ctr |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
|
aes128-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
aes192-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
aes256-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
aes256-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
chacha20-poly1305@openssh.com |
|
♦ |
♦ |
|||||
|
SshKexs |
||||||||
|
curve25519-sha256 |
♦ |
♦ |
♦ |
|
|
♦ |
||
|
curve25519-sha256@libssh.org |
♦ |
♦ |
♦ |
|
|
♦ |
||
|
diffie-hellman-group14-sha1 |
|
|
|
♦ |
||||
|
diffie-hellman-group14-sha256 |
|
♦ |
♦ |
♦ |
||||
|
diffie-hellman-group16-sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
diffie-hellman-group18-sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
||
| ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org | ♦ | ♦ | ||||||
| ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org | ♦ | ♦ | ||||||
| ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org | ♦ | ♦ | ||||||
|
ecdh-sha2-nistp256 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
|
ecdh-sha2-nistp384 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
|
ecdh-sha2-nistp521 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
| x25519-kyber-512r3-sha256-d00@amazon.com | ♦ | |||||||
|
SshMacs |
||||||||
|
hmac-sha1 |
|
|
|
♦ |
||||
|
hmac-sha1-etm@openssh.com |
|
|
|
♦ |
||||
|
hmac-sha2-256 |
♦ |
♦ |
♦ |
♦ |
||||
|
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
hmac-sha2-512 |
♦ |
♦ |
♦ |
♦ |
||||
|
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
umac-128-etm@openssh.com |
|
♦ |
|
♦ |
||||
|
umac-128@openssh.com |
|
♦ |
|
♦ |
||||
|
umac-64-etm@openssh.com |
|
|
|
♦ |
||||
|
umac-64@openssh.com |
|
|
|
♦ |
||||
|
TlsCiphers |
||||||||
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_RSA_WITH_AES_128_CBC_SHA256 |
|
|
|
|
|
♦ |
||
|
TLS_RSA_WITH_AES_256_CBC_SHA256 |
|
|
|
|
|
♦ |
||
TransferSecurityPolicy-2024-01
The following shows the TransferSecurityPolicy-2024-01 security policy.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "x25519-kyber-512r3-sha256-d00@amazon.com", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2023-05
The following shows the TransferSecurityPolicy-2023-05 security policy.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2022-03
The following shows the TransferSecurityPolicy-2022-03 security policy.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2022-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2020-06
The following shows the TransferSecurityPolicy-2020-06 security policy.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2020-06", "SshCiphers": [ "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2018-11
The following shows the TransferSecurityPolicy-2018-11 security policy.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2018-11", "SshCiphers": [ "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1" ], "SshMacs": [ "umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256" ] } }
TransferSecurityPolicy-FIPS-2024-01
The following shows the TransferSecurityPolicy-FIPS-2024-01 security policy.
Note
The FIPS service endpoint and TransferSecurityPolicy-FIPS-2024-01 security policy is only available in some Amazon Regions. For more information, see Amazon Transfer Family endpoints and quotas in the Amazon Web Services General Reference.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS-2023-05
The FIPS certification details for Amazon Transfer Family can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
The following shows the TransferSecurityPolicy-FIPS-2023-05 security policy.
Note
The FIPS service endpoint and TransferSecurityPolicy-FIPS-2023-05 security policy is only available in some Amazon Regions. For more information, see Amazon Transfer Family endpoints and quotas in the Amazon Web Services General Reference.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS-2020-06
The FIPS certification details for Amazon Transfer Family can be found at https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
The following shows the TransferSecurityPolicy-FIPS-2020-06 security policy.
Note
The FIPS service endpoint and TransferSecurityPolicy-FIPS-2020-06 security policy are only available in some Amazon Regions. For more information, see Amazon Transfer Family endpoints and quotas in the Amazon Web Services General Reference.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06", "SshCiphers": [ "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
Post Quantum security policies
This table lists the algorithms for the Transfer Family post quantum security policies. These polices are described in detail in Using hybrid post-quantum key exchange with Amazon Transfer Family.
The policy listings follow the table.
| Security policy | TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 | TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04 |
|---|---|---|
|
SSH ciphers |
||
|
aes128-ctr |
|
♦ |
|
aes128-gcm@openssh.com |
♦ |
♦ |
|
aes192-ctr |
♦ |
♦ |
|
aes256-ctr |
♦ |
♦ |
|
aes256-gcm@openssh.com |
♦ |
♦ |
|
KEXs |
||
| ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org |
♦ |
♦ |
| ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org |
♦ |
♦ |
| ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org |
♦ |
♦ |
| x25519-kyber-512r3-sha256-d00@amazon.com |
♦ |
|
|
diffie-hellman-group14-sha256 |
♦ | |
|
diffie-hellman-group16-sha512 |
♦ |
♦ |
|
diffie-hellman-group18-sha512 |
♦ |
♦ |
|
ecdh-sha2-nistp384 |
|
♦ |
|
ecdh-sha2-nistp521 |
|
♦ |
|
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
|
ecdh-sha2-nistp256 |
|
♦ |
|
curve25519-sha256@libssh.org |
♦ |
|
|
curve25519-sha256 |
♦ |
|
|
MACs |
||
|
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
|
hmac-sha2-256 |
♦ |
♦ |
|
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
|
hmac-sha2-512 |
♦ |
♦ |
|
TLS ciphers |
||
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
TransferSecurityPolicy-PQ-SSH-Experimental-2023-04
The following shows the TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 security policy.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "x25519-kyber-512r3-sha256-d00@amazon.com", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04
The following shows the TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04 security policy.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }