Cryptographic Cipher Suites

An explanation of Cipher Suite Naming

What are Cryptographic Cipher Suites

Cipher suites are a combination of different algorithms the system will use to encrypt the communication. Each operating system/application will have a set of suites it is capable of supporting.

Let’s take a few examples - using the IANA names:

  1. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  2. TLS_RSA_WITH_AES_256_CBC_SHA
  3. TLS_RSA_WITH_NULL_SHA

Each of these suites has a Protocol, a Key Exchange algorithm, a Signature Authentication algorithm, an Encryption algorithm, and a Message Authentication algorithm.

Breaking each of them down they look like this:

  1. Protocol - TLS; Key Exchange - ECDHE; Signature Authentication - ECDSA; Encryption - AES 256 GCM; Message Authentication - SHA384
  2. Protocol - TLS; Key Exchange and Signature Authentication - RSA; Encryption - AES 256 CBC; Message Authentication - SHA
  3. Protocol - TLS; Key Exchange and Signature Authentication - RSA; Encryption - NONE; Message Authentication - SHA

There are different naming schemes for the suite. Windows uses the IANA naming scheme. OpenSSL and GnuTLS use slightly different names. There are also Hex codes used to represent the suites.

At the time of this writing, I’ve found the CipherSuite.info site to be a great resource for looking up the different suites - listing the different names, providing information about the relative strength/weakness of ciphers and being able to look up which suites are affected by different vulnerabilities. Huge shout out the team there.

comments powered by Disqus