本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
的安全策略 Amazon Transfer Family
中的服务器安全策略 Amazon Transfer Family 允许您限制与服务器关联的一组加密算法(消息身份验证码 (MACs)、密钥交换 (KEXs) 和密码套件)。有关支持的密钥算法的列表,请参阅 加密算法。有关支持的服务器主机秘钥和服务托管用户秘钥算法列表,请参见 所支持的用户和服务器密钥算法。
注意
我们强烈建议将您的服务器更新为我们的最新安全政策。我们最新的安全策略是默认的。任何使用默认安全策略创建 Transfer Family 服务器 CloudFormation并接受默认安全策略的客户都将自动获得最新策略。如果您担心客户端兼容性,请明确说明在创建或更新服务器时您希望使用哪种安全策略,而不是使用默认策略,默认策略可能会发生变化。
要更改服务器的安全策略,请参阅编辑安全策略。
有关 Transfer Family 安全性的更多信息,请参阅博客文章《Transfer F amily 如何帮助您构建安全、合规的托管文件传输解决方案
主题
注意
TransferSecurityPolicy-2024-01
是使用控制台创建服务器时附加到服务器的默认安全策略API、或CLI。
加密算法
对于主机密钥,我们支持以下算法:
-
rsa-sha-256
-
rsa-sha-512
-
ecdsa-sha2-nistp256
-
ecdsa-sha2-nistp384
-
ecdsa-sha2-nistp512
-
ssh-ed25519
此外,2018 年和 2020 年的安全政策还允许ssh-rsa
。
注意
重要的是要了解RSA密钥类型(始终是)和RSA主机密钥算法(可以是任何支持的算法ssh-rsa
)之间的区别。
以下是各种安全策略支持的加密算法列表。
注意
在下表和策略中,请注意算法类型的以下用法。
-
SFTP服务器仅使用SshCiphersSshKexs、和SshMacs部分中的算法。
-
FTPS服务器仅使用该TlsCiphers部分中的算法。
-
FTP由于服务器不使用加密,因此不使用任何这些算法。
安全策略 | 2024-01 | 2023-05 | 2022-03 | 2020-06 | FIPS-2024-01 | FIPS-2023-05 | FIPS-2020-06 | 2018-11 |
---|---|---|---|---|---|---|---|---|
SshCiphers |
||||||||
aes128-ctr |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
aes128-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes192-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes256-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
aes256-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
chacha20-poly1305@openssh.com |
|
♦ |
♦ |
|||||
SshKexs |
||||||||
curve25519-sha256 |
♦ |
♦ |
♦ |
|
|
♦ |
||
curve25519-sha256@libssh.org |
♦ |
♦ |
♦ |
|
|
♦ |
||
diffie-hellman-group14-sha1 |
|
|
|
♦ |
||||
diffie-hellman-group14-sha256 |
|
♦ |
♦ |
♦ |
||||
diffie-hellman-group16-sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
diffie-hellman-group18-sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
||
ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org | ♦ | ♦ | ||||||
ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org | ♦ | ♦ | ||||||
ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org | ♦ | ♦ | ||||||
ecdh-sha2-nistp256 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
ecdh-sha2-nistp384 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
ecdh-sha2-nistp521 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
x25519-kyber-512r3-sha256-d00@amazon.com | ♦ | |||||||
SshMacs |
||||||||
hmac-sha1 |
|
|
|
♦ |
||||
hmac-sha1-etm@openssh.com |
|
|
|
♦ |
||||
hmac-sha2-256 |
♦ |
♦ |
♦ |
♦ |
||||
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
hmac-sha2-512 |
♦ |
♦ |
♦ |
♦ |
||||
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
umac-128-etm@openssh.com |
|
♦ |
|
♦ |
||||
umac-128@openssh.com |
|
♦ |
|
♦ |
||||
umac-64-etm@openssh.com |
|
|
|
♦ |
||||
umac-64@openssh.com |
|
|
|
♦ |
||||
TlsCiphers |
||||||||
TLS_ _ ECDHE ECDSA _ AES _128 WITH CBC _ _ SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ _ ECDHE ECDSA _ AES _128 WITH GCM _ _ SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ _ ECDHE ECDSA _ AES _256 WITH CBC _ _ SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ _ ECDHE ECDSA _ AES _256 WITH GCM _ _ SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ _ ECDHE RSA _ AES _128 WITH CBC _ _ SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ _ ECDHE RSA _ AES _128 WITH GCM _ _ SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ _ ECDHE RSA _ AES _256 WITH CBC _ _ SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ _ ECDHE RSA _ AES _256 WITH GCM _ _ SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
TLS_ RSA _ AES _128 WITH CBC _ _ SHA256 |
|
|
|
|
|
♦ |
||
TLS_ RSA _ AES _256 WITH CBC _ _ SHA256 |
|
|
|
|
|
♦ |
TransferSecurityPolicy-2024-01
以下显示了 TransferSecurityPolicy -2024-01 安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "x25519-kyber-512r3-sha256-d00@amazon.com", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2023-05
以下显示了 TransferSecurityPolicy -2023-05 安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2022-03
以下显示了 TransferSecurityPolicy -2022-03 安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2022-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2020-06
以下显示了 TransferSecurityPolicy -2020-06 安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2020-06", "SshCiphers": [ "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2018-11
以下显示了 TransferSecurityPolicy -2018-11 的安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2018-11", "SshCiphers": [ "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1" ], "SshMacs": [ "umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256" ] } }
TransferSecurityPolicy--2024 FIPS -01
以下显示了 TransferSecurityPolicy-FIPS -2024-01 安全策略。
注意
FIPS服务终端节点和 TransferSecurityPolicy FIPS -2024-01 安全策略仅在某些地区可用。 Amazon 有关更多信息,请参阅 Amazon Web Services 一般参考 中的 Amazon Transfer Family 端点和配额。
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS -2023-05
的FIPS认证详情 Amazon Transfer Family 可在以下网址找到 https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
以下显示了 TransferSecurityPolicy-FIPS -2023-05 安全策略。
注意
FIPS服务终端节点和 TransferSecurityPolicy FIPS -2023-05 安全策略仅在某些地区可用。 Amazon 有关更多信息,请参阅 Amazon Web Services 一般参考 中的 Amazon Transfer Family 端点和配额。
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy--2020 FIPS -06
的FIPS认证详情 Amazon Transfer Family 可在以下网址找到 https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
以下显示了 TransferSecurityPolicy-FIPS -2020-06 安全策略。
注意
FIPS服务终端节点和 TransferSecurityPolicy FIPS -2020-06 安全策略仅在某些 Amazon 地区可用。有关更多信息,请参阅 Amazon Web Services 一般参考 中的 Amazon Transfer Family 端点和配额。
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06", "SshCiphers": [ "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
后量子安全策略
下表列出了 Transfer Family 后量子安全策略算法。有关此策略的详细描述,请参见使用与 Amazon Transfer Family的混合后量子密钥交换。
政策列表如下表所示。
安全策略 | TransferSecurityPolicy-PQ--Experimental-2023-04 SSH | TransferSecurityPolicy-PQ---Experimental-2023-04 SSH FIPS |
---|---|---|
SSH ciphers |
||
aes128-ctr |
|
♦ |
aes128-gcm@openssh.com |
♦ |
♦ |
aes192-ctr |
♦ |
♦ |
aes256-ctr |
♦ |
♦ |
aes256-gcm@openssh.com |
♦ |
♦ |
KEXs |
||
ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org |
♦ |
♦ |
ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org |
♦ |
♦ |
ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org |
♦ |
♦ |
x25519-kyber-512r3-sha256-d00@amazon.com |
♦ |
|
diffie-hellman-group14-sha256 |
♦ | |
diffie-hellman-group16-sha512 |
♦ |
♦ |
diffie-hellman-group18-sha512 |
♦ |
♦ |
ecdh-sha2-nistp384 |
|
♦ |
ecdh-sha2-nistp521 |
|
♦ |
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
ecdh-sha2-nistp256 |
|
♦ |
curve25519-sha256@libssh.org |
♦ |
|
curve25519-sha256 |
♦ |
|
MACs |
||
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
hmac-sha2-256 |
♦ |
♦ |
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
hmac-sha2-512 |
♦ |
♦ |
TLS ciphers |
||
TLS_ _ ECDHE ECDSA _ AES _128 WITH CBC _ _ SHA256 |
♦ |
♦ |
TLS_ _ ECDHE ECDSA _ AES _128 WITH GCM _ _ SHA256 |
♦ |
♦ |
TLS_ _ ECDHE ECDSA _ AES _256 WITH CBC _ _ SHA384 |
♦ |
♦ |
TLS_ _ ECDHE ECDSA _ AES _256 WITH GCM _ _ SHA384 |
♦ |
♦ |
TLS_ _ ECDHE RSA _ AES _128 WITH CBC _ _ SHA256 |
♦ |
♦ |
TLS_ _ ECDHE RSA _ AES _128 WITH GCM _ _ SHA256 |
♦ |
♦ |
TLS_ _ ECDHE RSA _ AES _256 WITH CBC _ _ SHA384 |
♦ |
♦ |
TLS_ _ ECDHE RSA _ AES _256 WITH GCM _ _ SHA384 |
♦ |
♦ |
TransferSecurityPolicy-PQ--Experimental-2023-04 SSH
以下显示了 TransferSecurityPolicy-PQ-SSH-Experimental -2023-04 安全策略。
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "x25519-kyber-512r3-sha256-d00@amazon.com", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-PQ---Experimental-2023-04 SSH FIPS
以下显示了 TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04 安全策略。
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }