Cipher suites are sets of instructions on how to secure a network through SSL (Secure Sockets Layer) or TLS (Transport Layer Security). As such, cipher suites provide essential information on how to communicate secure data when using HTTPS, FTPS, SMTP and other network protocols. This information takes the form of algorithms and protocols that help determine how a web server secures a client’s web traffic.
Cipher suites come into play before a client application and server exchange information over an SSL/TLS connection. As noted by JSCAPE, the client application initiates what is known as an SSL handshake. Part of that process involves notifying the server which cipher suites it supports. The server receives that information and compares the cipher suites supported by the client application with the algorithms it supports. If and when it finds a match of supported methods, the server notifies the client application and a secure connection is established. If it doesn’t find a match, the server refuses the connection.
What Makes Up a Cipher Suite?
Per Outspoken Media, there are four components that make up a cipher suite. These are as follows:
What Cipher Suite Looks Like
Put together, here is an example of a cipher suite name: DHE_RSA_AES256_SHA256. This particular cipher suite uses DHE for its key exchange algorithm, RSA as its authentication algorithm, AES256 for its bulk data encryption algorithm, and SHA256 for its Message Authentication Code (MAC) algorithm.
Weaknesses Related to Cipher Suites
Several network-level vulnerabilities have emerged in the past. Among them were SSL/TLS-based vulnerabilities like Heartbleed and POODLE. To mitigate these vulnerabilities, organizations should use different versions of available cipher suites or disable the acceptance of vulnerable suites. For example, to defend against POODLE, SSLv3 needs to be disabled. Disabling cipher suites can sometimes result in compatibility issues, but JSCAPE points out that most of the major web browsers update their cipher suites following the release of an SSL/TLS-based vulnerability anyway. Organizations should therefore advise web users to install the latest software patches in order to avoid compatibility issues.
Going Beyond Cipher Suites
Of course, cipher suites are just one method of security that organizations should employ. Companies also need to make sure they defend the SSL/TLS certificates against digital attackers. To achieve this level of protection, organizations should consider investing in a solution that helps them automatically discover all of their encryption keys and certificates, monitor those assets for signs of misuse, revoke a compromised asset and renew certificates before their expiration period arrives.