Overview#
Cipher Suite (Cipher_suites) defines the cryptographic Primitives or algorithms that are utilized in a particular TLS/SSL sessionCipher Suite SSL/TLS #
A SSL/TLS Cipher Suite is a 16-bit symbolic identifier for a set of cryptographic algorithms as listed in the TLS Cipher Suite RegistryFor instance, the TLS_RSA_WITH_AES_128_CBC_SHA Cipher Suite has value 0x002F, and means
- The TLS records use HMAC/SHA-1 and AES encryption with a 128-bit key,
- the key-Exchange is done by encrypting a random key with the server's RSA Public Key"
There are many Known Cipher Suites and for TLS they are all supposedly registered at the TLS Cipher Suite Registry
Cipher suites are written like this:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHAwhich roughly breaks down into the following parameters:
- TLS - Could be TLS or SSL
- ECDHE: the Key-Exchange Mechanism.
- RSA: the Authentication mechanism.
- Cipher - the Cipher Algorithm
- SHA: the Message Authentication Code primitive.
- PRF - (not shown) only used in TLS 1.2
Special Cipher Suite:#
There are a couple of Cipher Suite that are special- Anonymous Cipher Suite
- TLS_NULL_WITH_NULL_NULL]
Cipher Suite SSL/TLS #
The order in the ClientHello shows what the client prefers, i.e. the preferred ciphers are on top.The server is still free to ignore this order and pick what it thinks is best.
Often there is a related setting in the TLS configuration of the server, like SSLHonorCipherOrder for apache or ssl_prefer_server_ciphers for NGINX.
Cipher Suite Kerberos Encryption Types#
Kerberos Encryption Types are similar to Cipher Suite used in KerberosWhich Cipher Suites to use#
Generally which Cipher Suites to use depends on a lot of factors and configuration of your Implementation,A good place to start is using one of the Certificate Validation Tools and Mozilla maintains an excellent resource for Server Side TLS Guidelines
More Information#
There might be more information for this subject on one of the following:- AES-GCM
- Algorithm
- Anonymous Cipher Suite
- BEAST
- CALG_RC4
- Change_cipher_spec
- Cipher Suite
- Cipher_suites
- Ciphers-High
- Ciphers-Low
- Ciphers-Medium
- Ciphers-SUITEB128ONLY
- ClientHello
- ClientKeyExchange
- Cryptographic Algorithm
- Cyclic Redundancy Check
- Data Network Cipher
- Deprecating TLSv1.0 and TLSv1.1
- Diffie-Hellman
- Diffie-Hellman Ephemeral
- Elliptic Curve Diffie-Hellman Ephemeral
- FIPS Based Cipher Suites
- How SSL-TLS Works
- Key-Exchange
- Known Cipher Suites
- Logjam
- Lucky 13
- MsDS-SupportedEncryptionTypes
- OpenSSL Commands
- Poodle
- Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)
- Private Communications Technology
- Prohibiting RC4 Cipher Suites
- RFC 4492
- RFC 5489
- RFC-5288
- Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)
- SHA-1
- SSL Handshake Failed
- SUITEB128
- SUITEB192
- ServerCertificate
- ServerHello
- ServerKeyExchange
- TLS 1.2
- TLS 1.3
- TLS 1.3 Cipher Suites
- TLS Cipher Suite Registry
- TLS Session Resumption
- TLS_NULL_WITH_NULL_NULL
- Tomcat And SSL
- [#2] - Server Side TLS Guidelines - based on information obtained 2019-01-28-