的安全策略 Amazon Transfer Family - Amazon Transfer Family
加密算法TransferSecurityPolicy-2024-01TransferSecurityPolicy-2023-05TransferSecurityPolicy-2022-03TransferSecurityPolicy-2020-06TransferSecurityPolicy-2018-11TransferSecurityPolicy--2024 FIPS -01TransferSecurityPolicy-FIPS -2023-05TransferSecurityPolicy--2020 FIPS -06后量子安全策略
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

的安全策略 Amazon Transfer Family

中的服务器安全策略 Amazon Transfer Family 允许您限制与服务器关联的一组加密算法(消息身份验证码 (MACs)、密钥交换 (KEXs) 和密码套件)。有关支持的密钥算法的列表,请参阅 加密算法。有关支持的服务器主机秘钥和服务托管用户秘钥算法列表,请参见 所支持的用户和服务器密钥算法

注意

我们强烈建议将您的服务器更新为我们的最新安全政策。我们最新的安全策略是默认的。任何使用默认安全策略创建 Transfer Family 服务器 CloudFormation并接受默认安全策略的客户都将自动获得最新策略。如果您担心客户端兼容性,请明确说明在创建或更新服务器时您希望使用哪种安全策略,而不是使用默认策略,默认策略可能会发生变化。

要更改服务器的安全策略,请参阅编辑安全策略

有关 Transfer Family 安全性的更多信息,请参阅博客文章《Transfer F amily 如何帮助您构建安全、合规的托管文件传输解决方案》。

注意

TransferSecurityPolicy-2024-01是使用控制台创建服务器时附加到服务器的默认安全策略API、或CLI。

加密算法

对于主机密钥,我们支持以下算法:

  • rsa-sha-256

  • rsa-sha-512

  • ecdsa-sha2-nistp256

  • ecdsa-sha2-nistp384

  • ecdsa-sha2-nistp512

  • ssh-ed25519

此外,2018 年和 2020 年的安全政策还允许ssh-rsa

注意

重要的是要了解RSA密钥类型(始终是)和RSA主机密钥算法(可以是任何支持的算法ssh-rsa)之间的区别。

以下是各种安全策略支持的加密算法列表。

注意

在下表和策略中,请注意算法类型的以下用法。

  • SFTP服务器仅使用SshCiphersSshKexs、和SshMacs部分中的算法。

  • FTPS服务器仅使用该TlsCiphers部分中的算法。

  • FTP由于服务器不使用加密,因此不使用任何这些算法。

安全策略 2024-01 2023-05 2022-03 2020-06 FIPS-2024-01 FIPS-2023-05 FIPS-2020-06 2018-11

SshCiphers

aes128-ctr

 

aes128-gcm@openssh.com

aes192-ctr

aes256-ctr

aes256-gcm@openssh.com

chacha20-poly1305@openssh.com

 

SshKexs

curve25519-sha256

 

 

curve25519-sha256@libssh.org

 

 

diffie-hellman-group14-sha1

 

 

 

diffie-hellman-group14-sha256

diffie-hellman-group16-sha512

diffie-hellman-group18-sha512

diffie-hellman-group-exchange-sha256

ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org
ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org
ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org

ecdh-sha2-nistp256

 

ecdh-sha2-nistp384

 

ecdh-sha2-nistp521

 

x25519-kyber-512r3-sha256-d00@amazon.com

SshMacs

hmac-sha1

 

 

 

hmac-sha1-etm@openssh.com

 

 

 

hmac-sha2-256

hmac-sha2-256-etm@openssh.com

hmac-sha2-512

hmac-sha2-512-etm@openssh.com

umac-128-etm@openssh.com

 

 

umac-128@openssh.com

 

 

umac-64-etm@openssh.com

 

 

 

umac-64@openssh.com

 

 

 

TlsCiphers

TLS_ _ ECDHE ECDSA _ AES _128 WITH CBC _ _ SHA256

TLS_ _ ECDHE ECDSA _ AES _128 WITH GCM _ _ SHA256

TLS_ _ ECDHE ECDSA _ AES _256 WITH CBC _ _ SHA384

TLS_ _ ECDHE ECDSA _ AES _256 WITH GCM _ _ SHA384

TLS_ _ ECDHE RSA _ AES _128 WITH CBC _ _ SHA256

TLS_ _ ECDHE RSA _ AES _128 WITH GCM _ _ SHA256

TLS_ _ ECDHE RSA _ AES _256 WITH CBC _ _ SHA384

TLS_ _ ECDHE RSA _ AES _256 WITH GCM _ _ SHA384

TLS_ RSA _ AES _128 WITH CBC _ _ SHA256

 

 

 

 

 

TLS_ RSA _ AES _256 WITH CBC _ _ SHA256

 

 

 

 

 

TransferSecurityPolicy-2024-01

以下显示了 TransferSecurityPolicy -2024-01 安全策略。

{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-2024-01",
        "SshCiphers": [
            "aes128-gcm@openssh.com",
            "aes256-gcm@openssh.com",
            "aes128-ctr",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
            "x25519-kyber-512r3-sha256-d00@amazon.com",
            "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
            "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}

TransferSecurityPolicy-2023-05

以下显示了 TransferSecurityPolicy -2023-05 安全策略。

{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-2023-05",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256-etm@openssh.com"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}

TransferSecurityPolicy-2022-03

以下显示了 TransferSecurityPolicy -2022-03 安全策略。

{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2022-03",
    "SshCiphers": [
      "aes256-gcm@openssh.com",
      "aes128-gcm@openssh.com",
      "aes256-ctr",
      "aes192-ctr"
    ],
    "SshKexs": [
      "curve25519-sha256",
      "curve25519-sha256@libssh.org",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group-exchange-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-512-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512",
      "hmac-sha2-256"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}

TransferSecurityPolicy-2020-06

以下显示了 TransferSecurityPolicy -2020-06 安全策略。

{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2020-06",
    "SshCiphers": [
      "chacha20-poly1305@openssh.com",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "umac-128@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}

TransferSecurityPolicy-2018-11

以下显示了 TransferSecurityPolicy -2018-11 的安全策略。

{
  "SecurityPolicy": {
    "Fips": false,
    "SecurityPolicyName": "TransferSecurityPolicy-2018-11",
    "SshCiphers": [
      "chacha20-poly1305@openssh.com",
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "curve25519-sha256",
      "curve25519-sha256@libssh.org",
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256",
      "diffie-hellman-group14-sha1"
    ],
    "SshMacs": [
      "umac-64-etm@openssh.com",
      "umac-128-etm@openssh.com",
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "hmac-sha1-etm@openssh.com",
      "umac-64@openssh.com",
      "umac-128@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512",
      "hmac-sha1"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
      "TLS_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_RSA_WITH_AES_256_CBC_SHA256"
    ]
  }
}

TransferSecurityPolicy--2024 FIPS -01

以下显示了 TransferSecurityPolicy-FIPS -2024-01 安全策略。

注意

FIPS服务终端节点和 TransferSecurityPolicy FIPS -2024-01 安全策略仅在某些地区可用。 Amazon 有关更多信息,请参阅 Amazon Web Services 一般参考 中的 Amazon Transfer Family 端点和配额

{
    "SecurityPolicy": {
        "Fips": true,
        "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01",
        "SshCiphers": [
            "aes128-gcm@openssh.com",
            "aes256-gcm@openssh.com",
            "aes128-ctr",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
            "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
            "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}

TransferSecurityPolicy-FIPS -2023-05

的FIPS认证详情 Amazon Transfer Family 可在以下网址找到 https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all

以下显示了 TransferSecurityPolicy-FIPS -2023-05 安全策略。

注意

FIPS服务终端节点和 TransferSecurityPolicy FIPS -2023-05 安全策略仅在某些地区可用。 Amazon 有关更多信息,请参阅 Amazon Web Services 一般参考 中的 Amazon Transfer Family 端点和配额

{
    "SecurityPolicy": {
        "Fips": true,
        "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}

TransferSecurityPolicy--2020 FIPS -06

的FIPS认证详情 Amazon Transfer Family 可在以下网址找到 https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all

以下显示了 TransferSecurityPolicy-FIPS -2020-06 安全策略。

注意

FIPS服务终端节点和 TransferSecurityPolicy FIPS -2020-06 安全策略仅在某些 Amazon 地区可用。有关更多信息,请参阅 Amazon Web Services 一般参考 中的 Amazon Transfer Family 端点和配额

{
  "SecurityPolicy": {
    "Fips": true,
    "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06",
    "SshCiphers": [
      "aes128-ctr",
      "aes192-ctr",
      "aes256-ctr",
      "aes128-gcm@openssh.com",
      "aes256-gcm@openssh.com"
    ],
    "SshKexs": [
      "ecdh-sha2-nistp256",
      "ecdh-sha2-nistp384",
      "ecdh-sha2-nistp521",
      "diffie-hellman-group-exchange-sha256",
      "diffie-hellman-group16-sha512",
      "diffie-hellman-group18-sha512",
      "diffie-hellman-group14-sha256"
    ],
    "SshMacs": [
      "hmac-sha2-256-etm@openssh.com",
      "hmac-sha2-512-etm@openssh.com",
      "hmac-sha2-256",
      "hmac-sha2-512"
    ],
    "TlsCiphers": [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    ]
  }
}

后量子安全策略

下表列出了 Transfer Family 后量子安全策略算法。有关此策略的详细描述,请参见使用与 Amazon Transfer Family的混合后量子密钥交换

政策列表如下表所示。

安全策略 TransferSecurityPolicy-PQ--Experimental-2023-04 SSH TransferSecurityPolicy-PQ---Experimental-2023-04 SSH FIPS

SSH ciphers

aes128-ctr

 

aes128-gcm@openssh.com

aes192-ctr

aes256-ctr

aes256-gcm@openssh.com

KEXs
ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org

ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org

ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org

x25519-kyber-512r3-sha256-d00@amazon.com

 

diffie-hellman-group14-sha256

  

diffie-hellman-group16-sha512

diffie-hellman-group18-sha512

ecdh-sha2-nistp384

 

ecdh-sha2-nistp521

 

diffie-hellman-group-exchange-sha256

ecdh-sha2-nistp256

 

curve25519-sha256@libssh.org

 

curve25519-sha256

 

MACs

hmac-sha2-256-etm@openssh.com

hmac-sha2-256

hmac-sha2-512-etm@openssh.com

hmac-sha2-512

TLS ciphers

TLS_ _ ECDHE ECDSA _ AES _128 WITH CBC _ _ SHA256

TLS_ _ ECDHE ECDSA _ AES _128 WITH GCM _ _ SHA256

TLS_ _ ECDHE ECDSA _ AES _256 WITH CBC _ _ SHA384

TLS_ _ ECDHE ECDSA _ AES _256 WITH GCM _ _ SHA384

TLS_ _ ECDHE RSA _ AES _128 WITH CBC _ _ SHA256

TLS_ _ ECDHE RSA _ AES _128 WITH GCM _ _ SHA256

TLS_ _ ECDHE RSA _ AES _256 WITH CBC _ _ SHA384

TLS_ _ ECDHE RSA _ AES _256 WITH GCM _ _ SHA384

TransferSecurityPolicy-PQ--Experimental-2023-04 SSH

以下显示了 TransferSecurityPolicy-PQ-SSH-Experimental -2023-04 安全策略。

{
    "SecurityPolicy": {
        "Fips": false,
        "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes256-ctr",
            "aes192-ctr"
        ],
        "SshKexs": [
            "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
            "x25519-kyber-512r3-sha256-d00@amazon.com",
            "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
            "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
            "curve25519-sha256",
            "curve25519-sha256@libssh.org",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group-exchange-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512",
            "hmac-sha2-256"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}

TransferSecurityPolicy-PQ---Experimental-2023-04 SSH FIPS

以下显示了 TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04 安全策略。

{
    "SecurityPolicy": {
        "Fips": true,
        "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04",
        "SshCiphers": [
            "aes256-gcm@openssh.com",
            "aes128-gcm@openssh.com",
            "aes256-ctr",
            "aes192-ctr",
            "aes128-ctr"
        ],
        "SshKexs": [
            "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org",
            "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org",
            "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org",
            "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384",
            "ecdh-sha2-nistp521",
            "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512",
            "diffie-hellman-group14-sha256"
        ],
        "SshMacs": [
            "hmac-sha2-512-etm@openssh.com",
            "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512",
            "hmac-sha2-256"
        ],
        "TlsCiphers": [
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
        ]
    }
}