Skip to main content
banner image
venafi logo

What Are Cipher Suites?

What Are Cipher Suites?

What are Cipher Suites Venafi
May 21, 2021 | David Bisson

Cipher suites are sets of instructions on how to secure a network through SSL (Secure Sockets Layer) or TLS (Transport Layer Security). As such, cipher suites provide essential information on how to communicate secure data when using HTTPS, FTPS, SMTP and other network protocols. This information takes the form of algorithms and protocols that help determine how a web server secures a client’s web traffic. Cipher suites dictate which of these algorithms the server should use to make a secure and reliable connection. But it’s important to remember that cipher suites do not just ensure the security, but also the compatibility and performance of HTTPS connections. So, you should choose yours wisely.

When do you use cipher suites?

Cipher suites come into play before a client application and server exchange information over an SSL/TLS connection. As noted by JSCAPE, the client application initiates what is known as an SSL handshake. Part of that process involves notifying the server which cipher suites it supports. The server receives that information and compares the cipher suites supported by the client application with the algorithms it supports. If and when it finds a match of supported methods, the server notifies the client application and a secure connection is established. If it doesn’t find a match, the server refuses the connection.

Because your web server will ultimately determine the cipher suite that will be used, it’s important that you prioritize the list of cipher suites you list on the server. In the section below, we’ll outline the component algorithms that make up a cipher suite, so you can better understand the function of the ciphers you list on your web server. Your choice will also likely be influenced by your users and the technologies they are using.

What Makes Up a Cipher Suite?

Per Outspoken Media, there are four components that make up a cipher suite. These are as follows:

  1. Key Exchange Algorithm
    For the insurance of data confidentiality during the transmission of data via different secure file transfer protocols like SFTP & HTTPS, the data has to be encrypted. This process requires that the two communicating parties have a shared key to both encrypt as well as decrypt the data. This type of encryption scheme is known as symmetric encryption.

    Symmetric encryption does have its weaknesses, however. If attackers are able to get the shared key, then they can easily decrypt all the data. As a result, the industry developed key exchange protocols for the secure exchange of symmetric keys over insecure networks. These protocols are known as key exchange algorithms and include RSA, DH, ECDH and ECDHE.
  2. Authentication Algorithm
    To ensure the correct and secure transfer of data, a web server needs to verify the identity of the user who is receiving the data. Usually, this process involves the user inputting a set of credentials including a username and password. To facilitate this authentication process, cipher suites employ an authentication algorithm such as RSA, DSA and ECDSA.
  3. Bulk Data Encryption
    To ensure the secure transfer of data, cipher suites come with a bulk data encryption algorithm. AES, 3DES and CAMELLA are some of the most common algorithms in this category. As noted by Microsoft, a bulk encryption key is generated by hashing one of the MAC keys using CryptHashSessionKey together with the message contents and other data.
  4. Message Authentication Code (MAC) Algorithm
    Message Authentication Code (MAC) algorithm is a piece of information that is sent along with the message content for the purpose of authenticating the message. The sender and the receiver share a common key for the MAC algorithm to work. But this method comes with a disadvantage: it can’t protect against the intentional change of authentication codes. In certain cases, an intruder could change the message, then calculate a new checksum and eventually replace the original checksum with a new value. An ordinary cyclic redundancy check (CRC) algorithm can help, but it’s useful for detecting only randomly damaged parts of messages and not intentional changes made by the attacker. Some of the most common examples of this algorithm are SHA and MD5.
What Cipher Suite Looks Like

Put together, here is an example of a cipher suite name: DHE_RSA_AES256_SHA256. This particular cipher suite uses DHE for its key exchange algorithm, RSA as its authentication algorithm, AES256 for its bulk data encryption algorithm, and SHA256 for its Message Authentication Code (MAC) algorithm.

Weaknesses Related to Cipher Suites

Several network-level vulnerabilities have emerged in the past. Among them were SSL/TLS-based vulnerabilities like Heartbleed and POODLE. To mitigate these vulnerabilities, organizations should use different versions of available cipher suites or disable the acceptance of vulnerable suites. For example, to defend against POODLE, SSLv3 needs to be disabled. Disabling cipher suites can sometimes result in compatibility issues, but JSCAPE points out that most of the major web browsers update their cipher suites following the release of an SSL/TLS-based vulnerability anyway. Organizations should therefore advise web users to install the latest software patches in order to avoid compatibility issues.

Going Beyond Cipher Suites

Of course, cipher suites are just one method of security that organizations should employ. Companies also need to make sure they defend the SSL/TLS certificates against digital attackers. To achieve this level of protection, organizations should consider investing in a solution that helps them automatically discover all of their encryption keys and certificates, monitor those assets for signs of misuse, revoke a compromised asset and renew certificates before their expiration period arrives.

Gain complete visibility into your organization’s encryption environment.

Note: This updated post was originally published on March 19, 2019. 

Related posts

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

David Bisson
David Bisson

David is a Contributing Editor at IBM Security Intelligence.David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud

Venafi Cloud manages and protects certificates

* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
* Please fill in this field
* Please fill in this field
* Please fill in this field

End User License Agreement needs to be viewed and accepted

Already have an account? Login Here

get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more