Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.
Políticas de seguridad para servidores AWS Transfer Family
Las políticas de seguridad del servidor AWS Transfer Family le permiten limitar el conjunto de algoritmos criptográficos (códigos de autenticación de mensajes (MAC), intercambios de claves (KEX) y conjuntos de cifrado) asociados a su servidor. Para consultar una lista de los algoritmos criptográficos admitidos, consulte Algoritmos criptográficos. Para obtener una lista de los algoritmos clave admitidos para su uso con las claves del host del servidor y las claves de usuario administradas por el servicio, consulte Algoritmos admitidos para las claves de usuario y del servidor.
nota
Le recomendamos encarecidamente que actualice sus servidores a nuestra política de seguridad más reciente. Nuestra política de seguridad más reciente es la predeterminada. A cualquier cliente que cree un servidor Transfer Family utilizando CloudFormation y aceptando la política de seguridad predeterminada se le asignará automáticamente la última política. Si le preocupa la compatibilidad de los clientes, indique afirmativamente qué política de seguridad desea utilizar al crear o actualizar un servidor en lugar de utilizar la política predeterminada, que está sujeta a cambios.
Para cambiar la política de seguridad de un servidor, consulteEditar la política de seguridad.
Para obtener más información sobre la seguridad de Transfer Family, consulta la entrada del blog Cómo Transfer Family puede ayudarte a crear una solución de transferencia de archivos gestionada segura y compatible
Temas
- Algoritmos criptográficos
- TransferSecurityPolicy-2024-01
- TransferSecurityPolicy-2023-05
- TransferSecurityPolicy-2022-03
- TransferSecurityPolicy-2020-06 y -Restringido- 2020-06 TransferSecurityPolicy
- TransferSecurityPolicy-2018-11 TransferSecurityPolicy y -Restricted-2018-11
- TransferSecurityPolicyTransferSecurityPolicy-FIPS-2024-01/ -FIPS-2024-05
- TransferSecurityPolicy-FIPS-2023-05
- TransferSecurityPolicy-FIPS-2020-06
- Políticas de seguridad poscuánticas
nota
TransferSecurityPolicy-2024-01es la política de seguridad predeterminada que se adjunta al servidor al crear un servidor mediante la consola, la API o la CLI.
Algoritmos criptográficos
Para las claves de host, admitimos los siguientes algoritmos:
-
rsa-sha2-256 -
rsa-sha2-512 -
ecdsa-sha2-nistp256 -
ecdsa-sha2-nistp384 -
ecdsa-sha2-nistp521 -
ssh-ed25519
Además, las siguientes políticas de seguridad permitenssh-rsa:
-
TransferSecurityPolicy-2018-11
-
TransferSecurityPolicy-2020-06
-
TransferSecurityPolicy-FIPS-2020-06
-
TransferSecurityPolicy-FIPS-2023-05
-
TransferSecurityPolicy-FIPS-2024-01
-
TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04
nota
Es importante entender la diferencia entre el tipo de clave RSA (que es siempressh-rsa) y el algoritmo de clave host de RSA, que puede ser cualquiera de los algoritmos compatibles.
La siguiente es una lista de los algoritmos criptográficos admitidos con cada política de seguridad.
nota
En la tabla y las políticas siguientes, anote el siguiente uso de los tipos de algoritmos.
-
Los servidores SFTP solo utilizan algoritmos en las SshMacssecciones SshCiphersSshKexs, y.
-
Los servidores FTPS solo utilizan los algoritmos de la TlsCipherssección.
-
Los servidores FTP, dado que no utilizan cifrado, no utilizan ninguno de estos algoritmos.
-
Las políticas de seguridad FIPS-2024-05 y FIPS-2024-01 son idénticas, excepto que FIPS-2024-05 no admite el algoritmo.
ssh-rsa -
Transfer Family ha introducido nuevas políticas restringidas que son muy paralelas a las políticas existentes:
-
Las políticas de seguridad TransferSecurityPolicy -Restricted-2018-11 y TransferSecurityPolicy -2018-11 son idénticas, excepto que la política restringida no admite el cifrado.
chacha20-poly1305@openssh.com -
Las políticas de seguridad TransferSecurityPolicy -Restricted-2020-06 y TransferSecurityPolicy -2020-06 son idénticas, con la salvedad de que la política restringida no admite el cifrado.
chacha20-poly1305@openssh.com
* En la siguiente tabla, el cifrado solo se incluye en la política no restringida,
chacha20-poly1305@openssh.com -
| Política de seguridad | 2024-01 | 2023-05 | 2022-03 |
2020-06 2020-06 restringido |
FIPS-2024-05 FIPS-2024-01 |
FIPS-2023-05 | FIPS-2020-06 |
2018-11 2018-11 restringido |
|---|---|---|---|---|---|---|---|---|
|
SshCiphers |
||||||||
|
aes128-ctr |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
|
aes128-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
aes192-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
aes256-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
aes256-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
chacha20-poly1305@openssh.com |
|
♦* |
♦* |
|||||
|
SshKexs |
||||||||
|
curva 25519-sha256 |
♦ |
♦ |
♦ |
|
|
♦ |
||
|
curve25519-sha256@libssh.org |
♦ |
♦ |
♦ |
|
|
♦ |
||
|
diffie-hellman-group14-sha1 |
|
|
|
♦ |
||||
|
diffie-hellman-group14-sha256 |
|
♦ |
♦ |
♦ |
||||
|
diffie-hellman-group16-sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
diffie-hellman-group18-sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
| ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org | ♦ | ♦ | ||||||
| ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org | ♦ | ♦ | ||||||
| ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org | ♦ | ♦ | ||||||
|
ecdh-sha2-nistp256 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
|
ecdh-sha2-nistp384 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
|
ecdh-sha2-nistp521 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
| x25519-kyber-512r3-sha256-d00@amazon.com | ♦ | |||||||
|
SshMacs |
||||||||
|
hmac-sha1 |
|
|
|
♦ |
||||
|
hmac-sha1-etm@openssh.com |
|
|
|
♦ |
||||
|
hmac-sha2-256 |
♦ |
♦ |
♦ |
♦ |
||||
|
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
hmac-sha2-512 |
♦ |
♦ |
♦ |
♦ |
||||
|
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
umac-128-etm@openssh.com |
|
♦ |
|
♦ |
||||
|
umac-128@openssh.com |
|
♦ |
|
♦ |
||||
|
umac-64-etm@openssh.com |
|
|
|
♦ |
||||
|
umac-64@openssh.com |
|
|
|
♦ |
||||
|
TlsCiphers |
||||||||
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_RSA_WITH_AES_128_CBC_SHA256 |
|
|
|
|
|
♦ |
||
|
TLS_RSA_WITH_AES_256_CBC_SHA256 |
|
|
|
|
|
♦ |
||
TransferSecurityPolicy-2024-01
A continuación se muestra la política de seguridad TransferSecurityPolicy -2024-01.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "x25519-kyber-512r3-sha256-d00@amazon.com", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2023-05
A continuación se muestra la política de seguridad de TransferSecurityPolicy -2023-05.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2022-03
A continuación se muestra la política de seguridad del TransferSecurityPolicy -2022-03.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2022-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2020-06 y -Restringido- 2020-06 TransferSecurityPolicy
A continuación se muestra la política de seguridad de la versión TransferSecurityPolicy -2020-06.
nota
Las políticas de seguridad TransferSecurityPolicy -Restricted-2020-06 y TransferSecurityPolicy -2020-06 son idénticas, excepto que la política restringida no admite el cifrado. chacha20-poly1305@openssh.com
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2020-06", "SshCiphers": [ "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06 "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2018-11 TransferSecurityPolicy y -Restricted-2018-11
A continuación se muestra la política de seguridad del modelo TransferSecurityPolicy -2018-11.
nota
Las políticas de seguridad TransferSecurityPolicy -Restricted-2018-11 y TransferSecurityPolicy -2018-11 son idénticas, excepto que la política restringida no admite el cifrado. chacha20-poly1305@openssh.com
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2018-11", "SshCiphers": [ "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11 "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1" ], "SshMacs": [ "umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256" ] } }
TransferSecurityPolicyTransferSecurityPolicy-FIPS-2024-01/ -FIPS-2024-05
A continuación se muestran las políticas de seguridad -FIPS-2024-01 y TransferSecurityPolicy -FIPS-2024-05. TransferSecurityPolicy
nota
El punto final del servicio FIPS y las políticas de seguridad -FIPS-2024-01 y -FIPS-2024-05 solo están disponibles en algunas regiones. TransferSecurityPolicy TransferSecurityPolicy AWS Para obtener más información, consulte Puntos de conexión y cuotas de AWS Transfer Family en la Referencia general de AWS.
La única diferencia entre estas dos políticas de seguridad es que -FIPS-2024-01 es compatible con el algoritmo y -FIPS-2024-05 no. TransferSecurityPolicy ssh-rsa TransferSecurityPolicy
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS-2023-05
Los detalles de la certificación FIPS se encuentran en AWS Transfer Family https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
A continuación se muestra la política de seguridad TransferSecurityPolicy -FIPS-2023-05.
nota
El punto final del servicio FIPS y la política de seguridad TransferSecurityPolicy -FIPS-2023-05 solo están disponibles en algunas regiones. AWS Para obtener más información, consulte Puntos de conexión y cuotas de AWS Transfer Family en la Referencia general de AWS.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS-2020-06
Los detalles de la certificación FIPS se encuentran en AWS Transfer Family https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
A continuación se muestra la política de seguridad TransferSecurityPolicy -FIPS-2020-06.
nota
El punto final del servicio FIPS y la política de seguridad TransferSecurityPolicy -FIPS-2020-06 solo están disponibles en algunas regiones. AWS Para obtener más información, consulte Puntos de conexión y cuotas de AWS Transfer Family en la Referencia general de AWS.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06", "SshCiphers": [ "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
Políticas de seguridad poscuánticas
En esta tabla, se enumeran los algoritmos de las políticas de seguridad poscuántica de Transfer Family. Estas políticas se describen en detalle en Uso del intercambio de claves híbrido poscuántico con AWS Transfer Family.
La lista de políticas sigue la tabla.
| Política de seguridad | TransferSecurityPolicy-PQ-SSH-Experimental-2023-04 | TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04 |
|---|---|---|
|
SSH ciphers |
||
|
aes128-ctr |
|
♦ |
|
aes128-gcm@openssh.com |
♦ |
♦ |
|
aes192-ctr |
♦ |
♦ |
|
aes256-ctr |
♦ |
♦ |
|
aes256-gcm@openssh.com |
♦ |
♦ |
|
KEXs |
||
| ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org |
♦ |
♦ |
| ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org |
♦ |
♦ |
| ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org |
♦ |
♦ |
| x25519-kyber-512r3-sha256-d00@amazon.com |
♦ |
|
|
diffie-hellman-group14-sha256 |
♦ | |
|
diffie-hellman-group16-sha512 |
♦ |
♦ |
|
diffie-hellman-group18-sha512 |
♦ |
♦ |
|
ecdh-sha2-nistp384 |
|
♦ |
|
ecdh-sha2-nistp521 |
|
♦ |
|
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
|
ecdh-sha2-nistp256 |
|
♦ |
|
curve25519-sha256@libssh.org |
♦ |
|
|
curva 25519-sha256 |
♦ |
|
|
MACs |
||
|
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
|
hmac-sha2-256 |
♦ |
♦ |
|
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
|
hmac-sha2-512 |
♦ |
♦ |
|
TLS ciphers |
||
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
TransferSecurityPolicy-PQ-SSH-Experimental-2023-04
A continuación se muestra la política de seguridad del -PQ-SSH-Experimental-2023-04. TransferSecurityPolicy
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "x25519-kyber-512r3-sha256-d00@amazon.com", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04
A continuación se muestra la política de seguridad del -PQ-SSH-FIPS-Experimental-2023-04. TransferSecurityPolicy
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
