Le traduzioni sono generate tramite traduzione automatica. In caso di conflitto tra il contenuto di una traduzione e la versione originale in Inglese, quest'ultima prevarrà.
Politiche di sicurezza per AWS Transfer Family i server
Le politiche di sicurezza del server AWS Transfer Family consentono di limitare l'insieme di algoritmi crittografici (codici di autenticazione dei messaggi (MAC), scambi di chiavi (KEX) e suite di crittografia) associati al server. Per un elenco degli algoritmi crittografici supportati, vedere. Algoritmi crittografici Per un elenco degli algoritmi a chiave supportati da utilizzare con le chiavi dell'host del server e le chiavi utente gestite dal servizio, vedere. Algoritmi supportati per chiavi utente e server
Nota
Consigliamo vivamente di aggiornare i server alla nostra politica di sicurezza più recente. La nostra politica di sicurezza più recente è quella predefinita. A qualsiasi cliente che crea un server Transfer Family utilizzando CloudFormation e accetta la politica di sicurezza predefinita verrà assegnata automaticamente la politica più recente. Se sei preoccupato per la compatibilità dei client, indica affermativamente quale politica di sicurezza desideri utilizzare durante la creazione o l'aggiornamento di un server anziché utilizzare la politica predefinita, che è soggetta a modifiche.
Per modificare la politica di sicurezza di un server, consulta. Modifica la politica di sicurezza
Per ulteriori informazioni sulla sicurezza in Transfer Family, consulta il post del blog, Come Transfer Family può aiutarti a costruire una soluzione di trasferimento di file gestita sicura e conforme
Argomenti
- Algoritmi crittografici
- TransferSecurityPolicy-2024-01
- TransferSecurityPolicy-2023-05
- TransferSecurityPolicy-2022-03
- TransferSecurityPolicy TransferSecurityPolicy-2020-06 e -Restricted-2020-06
- TransferSecurityPolicy-2018-11 TransferSecurityPolicy e -Restricted-2018-11
- TransferSecurityPolicyTransferSecurityPolicy-FIPS-2024-01/ -FIPS-2024-05
- TransferSecurityPolicy-FIPS-2023-05
- TransferSecurityPolicy-FIPS-2020-06
- Politiche di sicurezza post-quantistiche
Nota
TransferSecurityPolicy-2024-01è la politica di sicurezza predefinita allegata al server quando si crea un server utilizzando la console, l'API o la CLI.
Algoritmi crittografici
Per le chiavi host, supportiamo i seguenti algoritmi:
-
rsa-sha2-256 -
rsa-sha2-512 -
ecdsa-sha2-nistp256 -
ecdsa-sha2-nistp384 -
ecdsa-sha2-nistp521 -
ssh-ed25519
Inoltre, le seguenti politiche di sicurezza consentonossh-rsa:
-
TransferSecurityPolicy-2018-11
-
TransferSecurityPolicy-2020-06
-
TransferSecurityPolicy-FIPS-2020-06
-
TransferSecurityPolicy-FIPS-2023-05
-
TransferSecurityPolicy-FIPS-2024-01
-
TransferSecurityPolicy-PQ-SSH-FIPS-Sperimentale-2023-04
Nota
È importante comprendere la distinzione tra il tipo di chiave RSA, che è sempre, e l'algoritmo della chiave host RSA, che può essere uno qualsiasi degli algoritmi supportati. ssh-rsa
Di seguito è riportato un elenco di algoritmi crittografici supportati per ogni policy di sicurezza.
Nota
Nella tabella e nelle politiche seguenti, si noti il seguente utilizzo dei tipi di algoritmo.
-
I server SFTP utilizzano solo algoritmi nelle sezioni SshCiphersSshKexs, e SshMacs.
-
I server FTPS utilizzano solo gli algoritmi presenti nella sezione. TlsCiphers
-
I server FTP, poiché non utilizzano la crittografia, non utilizzano nessuno di questi algoritmi.
-
Le politiche di sicurezza FIPS-2024-05 e FIPS-2024-01 sono identiche, tranne per il fatto che FIPS-2024-05 non supporta l'algoritmo.
ssh-rsa -
Transfer Family ha introdotto nuove politiche limitate che sono strettamente parallele alle politiche esistenti:
-
Le politiche di sicurezza TransferSecurityPolicy -Restricted-2018-11 e TransferSecurityPolicy -2018-11 sono identiche, tranne per il fatto che la politica con restrizioni non supporta il codice.
chacha20-poly1305@openssh.com -
Le politiche di sicurezza TransferSecurityPolicy -Restricted-2020-06 e -2020-06 sono identiche, tranne per il fatto che la politica con restrizioni non supporta la TransferSecurityPolicy crittografia.
chacha20-poly1305@openssh.com
* Nella tabella seguente, il codice è incluso solo nella politica senza restrizioni,
chacha20-poly1305@openssh.com -
| Policy di sicurezza | 2024-01 | 2023-05 | 2022-03 |
2020-06 2020-06 limitato |
FIPS-2024-05 FIPS-2024-01 |
FIPS-2023-05 | FIPS-2020-06 |
2018-11 2018-11 limitato |
|---|---|---|---|---|---|---|---|---|
|
SshCiphers |
||||||||
|
aes128-ctr |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
|
aes128-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
aes192-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
aes256-ctr |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
aes256-gcm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
chacha20-poly1305@openssh.com |
|
♦* |
♦* |
|||||
|
SshKexs |
||||||||
|
curva 25519-sha256 |
♦ |
♦ |
♦ |
|
|
♦ |
||
|
curve25519-sha256@libssh.org |
♦ |
♦ |
♦ |
|
|
♦ |
||
|
diffie-hellman-group14 - sha1 |
|
|
|
♦ |
||||
|
diffie-hellman-group14-sha256 |
|
♦ |
♦ |
♦ |
||||
|
diffie-hellman-group16-sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
diffie-hellman-group18-sha512 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
| ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org | ♦ | ♦ | ||||||
| ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org | ♦ | ♦ | ||||||
| ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org | ♦ | ♦ | ||||||
|
ecdh-sha2-nistp256 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
|
ecdh-sha2-nistp384 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
|
ecdh-sha2-nistp521 |
♦ |
|
♦ |
♦ |
♦ |
♦ |
||
| x25519-kyber-512r3-sha256-d00@amazon.com | ♦ | |||||||
|
SshMacs |
||||||||
|
hmac-sha1 |
|
|
|
♦ |
||||
|
hmac-sha1-etm@openssh.com |
|
|
|
♦ |
||||
|
hmac-sha2-256 |
♦ |
♦ |
♦ |
♦ |
||||
|
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
hmac-sha2-512 |
♦ |
♦ |
♦ |
♦ |
||||
|
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
umac-128-etm@openssh.com |
|
♦ |
|
♦ |
||||
|
umac-128@openssh.com |
|
♦ |
|
♦ |
||||
|
umac-64-etm@openssh.com |
|
|
|
♦ |
||||
|
umac-64@openssh.com |
|
|
|
♦ |
||||
|
TlsCiphers |
||||||||
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
♦ |
|
TLS_RSA_WITH_AES_128_CBC_SHA256 |
|
|
|
|
|
♦ |
||
|
TLS_RSA_WITH_AES_256_CBC_SHA256 |
|
|
|
|
|
♦ |
||
TransferSecurityPolicy-2024-01
Di seguito viene illustrata la politica di sicurezza -2024-01 TransferSecurityPolicy.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "x25519-kyber-512r3-sha256-d00@amazon.com", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2023-05
Di seguito viene illustrata la politica di sicurezza TransferSecurityPolicy -2023-05.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2022-03
Di seguito viene illustrata la politica di sicurezza -2022-03 TransferSecurityPolicy.
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2022-03", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy TransferSecurityPolicy-2020-06 e -Restricted-2020-06
Di seguito viene illustrata la politica di sicurezza -2020-06 TransferSecurityPolicy.
Nota
Le politiche di sicurezza TransferSecurityPolicy -Restricted-2020-06 e TransferSecurityPolicy -2020-06 sono identiche, tranne per il fatto che la politica con restrizioni non supporta la crittografia. chacha20-poly1305@openssh.com
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2020-06", "SshCiphers": [ "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2020-06 "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-2018-11 TransferSecurityPolicy e -Restricted-2018-11
Di seguito viene illustrata la politica di sicurezza TransferSecurityPolicy -2018-11.
Nota
Le politiche di sicurezza TransferSecurityPolicy -Restricted-2018-11 e TransferSecurityPolicy -2018-11 sono identiche, tranne per il fatto che la politica con restrizioni non supporta il codice. chacha20-poly1305@openssh.com
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-2018-11", "SshCiphers": [ "chacha20-poly1305@openssh.com", //Not included in TransferSecurityPolicy-Restricted-2018-11 "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "curve25519-sha256", "curve25519-sha256@libssh.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1" ], "SshMacs": [ "umac-64-etm@openssh.com", "umac-128-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256" ] } }
TransferSecurityPolicyTransferSecurityPolicy-FIPS-2024-01/ -FIPS-2024-05
Di seguito vengono illustrate le politiche di sicurezza -FIPS-2024-01 e -FIPS-2024-05. TransferSecurityPolicy TransferSecurityPolicy
Nota
L'endpoint del servizio FIPS e le politiche di sicurezza -FIPS-2024-01 e -FIPS-2024-05 sono disponibili solo in alcune regioni. TransferSecurityPolicy TransferSecurityPolicy AWS Per ulteriori informazioni, consulta Endpoint e quote AWS Transfer Family nella Riferimenti generali di AWS.
L'unica differenza tra queste due politiche di sicurezza è che -FIPS-2024-01 supporta l'algoritmo e -FIPS-2024-05 no. TransferSecurityPolicy ssh-rsa TransferSecurityPolicy
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2024-01", "SshCiphers": [ "aes128-gcm@openssh.com", "aes256-gcm@openssh.com", "aes128-ctr", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group18-sha512", "diffie-hellman-group16-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS-2023-05
I dettagli della certificazione FIPS per sono disponibili all'indirizzo AWS Transfer Family https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
Di seguito viene illustrata la politica di sicurezza TransferSecurityPolicy -FIPS-2023-05.
Nota
L'endpoint del servizio FIPS e la politica di sicurezza TransferSecurityPolicy -FIPS-2023-05 sono disponibili solo in alcune regioni. AWS Per ulteriori informazioni, consulta Endpoint e quote AWS Transfer Family nella Riferimenti generali di AWS.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2023-05", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-FIPS-2020-06
I dettagli della certificazione FIPS per sono disponibili all'indirizzo AWS Transfer Family https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search/all
Di seguito viene mostrata la politica di sicurezza TransferSecurityPolicy -FIPS-2020-06.
Nota
L'endpoint del servizio FIPS e la politica di sicurezza TransferSecurityPolicy -FIPS-2020-06 sono disponibili solo in alcune regioni. AWS Per ulteriori informazioni, consulta Endpoint e quote AWS Transfer Family nella Riferimenti generali di AWS.
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-FIPS-2020-06", "SshCiphers": [ "aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "aes256-gcm@openssh.com" ], "SshKexs": [ "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
Politiche di sicurezza post-quantistiche
Questa tabella elenca gli algoritmi per le politiche di sicurezza post-quantistiche di Transfer Family. Queste politiche sono descritte in dettaglio in. Utilizzo dello scambio di chiavi post-quantistiche ibrido con AWS Transfer Family
Gli elenchi delle politiche seguono la tabella.
| Policy di sicurezza | TransferSecurityPolicy-PQ-SSH-Sperimentale-2023-04 | TransferSecurityPolicy-PQ-SSH-FIPS-Sperimentale-2023-04 |
|---|---|---|
|
SSH ciphers |
||
|
aes128-ctr |
|
♦ |
|
aes128-gcm@openssh.com |
♦ |
♦ |
|
aes192-ctr |
♦ |
♦ |
|
aes256-ctr |
♦ |
♦ |
|
aes256-gcm@openssh.com |
♦ |
♦ |
|
KEXs |
||
| ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org |
♦ |
♦ |
| ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org |
♦ |
♦ |
| ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org |
♦ |
♦ |
| x25519-kyber-512r3-sha256-d00@amazon.com |
♦ |
|
|
diffie-hellman-group14-sha256 |
♦ | |
|
diffie-hellman-group16-sha512 |
♦ |
♦ |
|
diffie-hellman-group18-sha512 |
♦ |
♦ |
|
ecdh-sha2-nistp384 |
|
♦ |
|
ecdh-sha2-nistp521 |
|
♦ |
|
diffie-hellman-group-exchange-sha256 |
♦ |
♦ |
|
ecdh-sha2-nistp256 |
|
♦ |
|
curve25519-sha256@libssh.org |
♦ |
|
|
curva 25519-sha256 |
♦ |
|
|
MACs |
||
|
hmac-sha2-256-etm@openssh.com |
♦ |
♦ |
|
hmac-sha2-256 |
♦ |
♦ |
|
hmac-sha2-512-etm@openssh.com |
♦ |
♦ |
|
hmac-sha2-512 |
♦ |
♦ |
|
TLS ciphers |
||
|
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
♦ |
♦ |
|
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
♦ |
♦ |
TransferSecurityPolicy-PQ-SSH-Sperimentale-2023-04
Di seguito viene illustrata la politica di sicurezza -PQ-SSH-Experimental-2023-04. TransferSecurityPolicy
{ "SecurityPolicy": { "Fips": false, "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-Experimental-2023-04", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "x25519-kyber-512r3-sha256-d00@amazon.com", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "curve25519-sha256", "curve25519-sha256@libssh.org", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04
Di seguito viene illustrata la politica di sicurezza -PQ-SSH-FIPS-Experimental-2023-04. TransferSecurityPolicy
{ "SecurityPolicy": { "Fips": true, "SecurityPolicyName": "TransferSecurityPolicy-PQ-SSH-FIPS-Experimental-2023-04", "SshCiphers": [ "aes256-gcm@openssh.com", "aes128-gcm@openssh.com", "aes256-ctr", "aes192-ctr", "aes128-ctr" ], "SshKexs": [ "ecdh-nistp384-kyber-768r3-sha384-d00@openquantumsafe.org", "ecdh-nistp256-kyber-512r3-sha256-d00@openquantumsafe.org", "ecdh-nistp521-kyber-1024r3-sha512-d00@openquantumsafe.org", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256" ], "SshMacs": [ "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512", "hmac-sha2-256" ], "TlsCiphers": [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" ] } }
