
Cipher suite

A cipher suite is a named combination of cryptographic algorithms used by network protocols like [[SSL]] and [[TLS]] to secure network connections^[openssl.md]. It acts as a complete set of instructions that dictates how a secure communication channel is established between a client and a server^[openssl.md].

Composition

A cipher suite typically defines the following four components^[openssl.md]:

  • Key Exchange Algorithm: The method used to exchange a shared secret between the client and server (e.g., RSA, [[Diffie-Hellman|ECDHE]], DHE).
  • Authentication Algorithm: The method used to verify the identity of the parties (often combined with key exchange, such as RSA or ECDSA).
  • Bulk Encryption Cipher: The symmetric algorithm used to encrypt the actual data stream (e.g., AES, ChaCha20).
  • Message Authentication Code (MAC): The hash algorithm used to ensure message integrity (e.g., SHA-256, Poly1305).

For example, the suite ECDHE-ECDSA-AES128-GCM-SHA256 specifies Elliptic Curve Diffie-Hellman Ephemeral for key exchange, ECDSA for authentication, AES-GCM for encryption, and SHA-256 for integrity^[openssl.md].
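The decomposition above can be done mechanically from the suite name. The following is an added example, not code from OpenSSL or the original page: `parse_suite`, `Suite` and the token sets are hypothetical names, and the sketch goes slightly beyond the text by also handling prefix-less names such as AES128-SHA and TLS 1.3 style names, rejecting anything outside those forms.

```python
from typing import NamedTuple, Optional

KEY_EXCHANGE = {"ECDHE", "DHE"}            # ephemeral exchanges named on the page
AUTHENTICATION = {"RSA", "ECDSA", "DSS"}   # DSS is OpenSSL's token for DSA
CIPHERS = ("AES", "CHACHA20", "CAMELLIA", "SEED", "IDEA", "DES", "RC4")
MACS = {"SHA", "SHA256", "SHA384", "MD5", "POLY1305"}
AEAD_MARKERS = {"GCM", "CCM", "POLY1305"}  # modes that authenticate as they encrypt


class Suite(NamedTuple):
    key_exchange: Optional[str]    # None for TLS 1.3 names, which omit it
    authentication: Optional[str]  # None for TLS 1.3 names, which omit it
    cipher: str
    mac: str                       # last token of the name
    aead: bool


def parse_suite(name: str) -> Suite:
    """Split an OpenSSL-style suite name into its components."""
    if name.startswith("TLS_"):
        # TLS 1.3 form, e.g. TLS_AES_128_GCM_SHA256: cipher and hash only.
        sep, parts, kx, auth = "_", name.split("_")[1:], None, None
    else:
        sep, parts = "-", name.split("-")
        if parts[0] in KEY_EXCHANGE:
            if len(parts) < 3 or parts[1] not in AUTHENTICATION:
                raise ValueError(f"unsupported authentication in {name!r}")
            kx, auth, parts = parts[0], parts[1], parts[2:]
        else:
            # No prefix (e.g. AES128-SHA): RSA does key exchange and authentication.
            kx = auth = "RSA"
    if len(parts) < 2 or not parts[0].startswith(CIPHERS) or parts[-1] not in MACS:
        raise ValueError(f"unrecognised cipher suite name {name!r}")
    *cipher, mac = parts
    aead = any(token in AEAD_MARKERS for token in parts)
    return Suite(kx, auth, sep.join(cipher), mac, aead)


if __name__ == "__main__":
    # Constructed sample names; the first is the page's own example.
    for sample in ("ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
                   "DHE-RSA-AES256-SHA", "AES128-SHA", "TLS_AES_128_GCM_SHA256"):
        print(f"{sample:32} {parse_suite(sample)}")
```

Names the parser does not recognise (anonymous or PSK suites, for instance) raise `ValueError` rather than being guessed at, which is the safer behaviour when the output feeds a configuration review.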

Supported Algorithms

Cryptographic libraries like OpenSSL support algorithms in several categories, and these are the algorithms commonly found in cipher suites^[openssl.md]:

  • Encryption: AES, Blowfish, Camellia, ChaCha20, Poly1305, SEED, CAST-128, DES, IDEA, RC2, RC4, TDES.
  • Hashing: MD5, SHA-1, SHA-2, SHA-3, RIPEMD-160, BLAKE2, Whirlpool.
  • Public Key: RSA, DSA, ECDSA, Ed25519, X25519.

Configuration and Analysis

In secure environments, servers and clients negotiate which specific cipher suite to use during the "handshake" phase of the connection^[openssl.md]. Tools like OpenSSL and cURL can be used to inspect or manually enforce specific cipher suites for testing and debugging^[openssl.md].

Sources

^[openssl.md]