Cipher suites are sets of instructions that enable secure network connections through Transport Layer Security (TLS) or Secure Sockets Layer (SSL). As such, cipher suites provide essential information on how to communicate data securely when using HTTPS, SFTP, SMTP and other network protocols.
To be more specific, a cipher suite specifies a set of cryptographic algorithms required to secure communications between clients and servers.
To initiate a TLS session, the two parties - server and client - perform a TLS handshake. During this handshake both parties:
- Acknowledge each other
- Verify each other's identity (in mTLS)
- Set up the parameters for a secure connection; in other words, they negotiate a cipher suite.
It’s important to remember that cipher suites do not just ensure the security, but also the compatibility and performance of HTTPS connections. So, we should choose our cipher suites wisely.
A cipher suite specifies the following components:
- Key Exchange Algorithm: Determines how the initial handshake and key exchange are performed to establish a shared secret between the communicating parties. Examples include RSA, Diffie-Hellman (DH), and Elliptic Curve Diffie-Hellman (ECDH).
- Authentication Algorithm: Used to verify the identity of the communicating parties. Often combined with the key exchange algorithm, common methods include RSA, DSA (Digital Signature Algorithm) and ECDSA (Elliptic Curve Digital Signature Algorithm).
- Bulk Encryption Algorithm: Defines the symmetric encryption method used to encrypt the data transmitted between the parties. Examples include AES (Advanced Encryption Standard), DES (Data Encryption Standard), and ChaCha20.
- Hash or Message Authentication Code (MAC) Function: Determines how data integrity checks will be carried out. Examples include HMAC-SHA256 and HMAC-MD5.
An example of a cipher suite might be "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", which breaks down as follows:
- TLS_ECDHE_RSA: Uses Elliptic Curve Diffie-Hellman Ephemeral for key exchange and RSA for authentication.
- WITH_AES_256_GCM: Uses AES with a 256-bit key in Galois/Counter Mode for bulk encryption.
- SHA384: Uses SHA-384 for the HMAC algorithm.
Why are cipher suites important?
During the handshake, the client first sends the list of cipher suites it supports. The server then compares that list with its own to identify which cipher suites both sides support. From those, the server chooses one cipher suite to be used during the TLS session.
So, the decision on which cipher suite will be used rests with the server. The server has a priority list that determines which suite is the best one (in terms of performance, security or compatibility).
This priority list is very important for ensuring the security, compatibility, and performance of HTTPS connections. Choosing the correct ciphers to be listed on any server is a vital exercise for any administrator and it is largely determined by the type of users connecting to the server and the technology they are using.
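The sketch below ties together the name breakdown and the server-side selection described above. It is an added example, not code from this page: the `Suite` type, the `parse_suite` and `negotiate` helpers, and the sample client and server lists are constructed for illustration, and it goes slightly beyond the text by also accepting TLS 1.3 names, which carry only the cipher and hash.

```python
from typing import NamedTuple, Optional, Sequence

class Suite(NamedTuple):
    key_exchange: Optional[str]
    authentication: Optional[str]
    bulk_cipher: str
    hash_name: str

def parse_suite(name: str) -> Suite:
    """Split an IANA-style suite name into the four components listed above."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    head, sep, tail = name[4:].partition("_WITH_")
    if not sep:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) omit key exchange and auth.
        head, tail = "", name[4:]
    cipher, _, hash_name = tail.rpartition("_")
    if not cipher:
        raise ValueError(f"cannot split cipher and hash in {name!r}")
    parts = head.split("_") if head else []
    # A single token such as "RSA" means one algorithm does both jobs.
    kx = parts[0] if parts else None
    auth = parts[-1] if parts else None
    return Suite(kx, auth, cipher, hash_name)

def negotiate(client_offer: Sequence[str], server_priority: Sequence[str]) -> Optional[str]:
    """Return the first suite in the server's priority order that the client
    also offered, or None when there is no overlap (the handshake fails)."""
    offered = set(client_offer)
    for suite in server_priority:
        if suite in offered:
            return suite
    return None

# Constructed sample lists (hypothetical server and clients).
SERVER_PRIORITY = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
MODERN_CLIENT = [
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",  # client lists this first
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]
LEGACY_CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for label, offer in (("modern", MODERN_CLIENT), ("legacy", LEGACY_CLIENT)):
        chosen = negotiate(offer, SERVER_PRIORITY)
        print(label, "->", chosen, parse_suite(chosen) if chosen else "no common suite")
```

The modern client lists ChaCha20 first, yet the server's order decides the result; the legacy client shares no suite with the server, so the connection cannot be established.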