Open main menu

Wikipedia β

A cipher suite is a named combination of authentication and encryption algorithms used to negotiate the security settings for a network connection that uses the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocols. In TLS/SSL versions up to TLS 1.2, a cipher suite is a combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms. In the draft TLS 1.3 document, cipher suites are only used to negotiate encryption and hash-based message authentication code (HMAC) algorithms.[1]

The structure and use of the cipher suite concept is defined in the documents that define the protocol.[2] A reference for named cipher suites is provided in the TLS Cipher Suite Registry.[3]



When a TLS connection is established, a handshaking, known as the TLS Handshake Protocol, occurs. Within this handshake, a client hello (ClientHello) and a server hello (ServerHello) message are passed.[4] First, the client sends a list of the cipher suites that it supports, in order of preference. Then the server replies with the cipher suite that it has selected from the client's list.[5] To test which TLS ciphers a server supports, an SSL/TLS Scanner may be used.

Detailed descriptionEdit

In TLS 1.0 - 1.2Edit

Each named cipher suite, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, defines a key exchange algorithm, a bulk encryption algorithm, a message authentication code (MAC) algorithm, and a pseudorandom function (PRF).[5][6][7]

  • The key exchange algorithm, e.g. ECDHE_RSA, is used to determine if and how the client and server will authenticate during the handshake.[8]
  • The bulk encryption algorithm, e.g. AES_128_GCM, is used to encrypt the message stream. It also includes the key size and the lengths of explicit and implicit initialization vectors (cryptographic nonces).[9]
  • The message authentication code algorithm, e.g. SHA256, is used to create the message digest, a cryptographic hash of each block of the message stream.[9]
  • The pseudorandom function, e.g. TLS 1.2's PRF using the MAC algorithm's hash function, is used to create the master secret, a 48-byte secret shared between the two peers in the connection. The master secret is used as a source of entropy when creating session keys, such as the one used to create the MAC.[10]

Examples of algorithms usedEdit

Key exchange/agreement
RSA, Diffie–Hellman, ECDH, SRP, PSK
Block ciphers
RC4, Triple DES, AES, IDEA, DES, or Camellia. In older versions of SSL, RC2 was also used.
Message authentication
For TLS, a hash-based message authentication code using MD5 or one of the SHA hash functions is used. For SSL, SHA, MD5, MD4, and MD2 are used.

In TLS 1.3 (draft)Edit

In TLS 1.3, a cipher suite represents an Authenticated Encryption with Associated Data (AEAD) encryption algorithm and a hash algorithm used in HMAC-based key derivation function (HKDF).[1] For example, TLS_AES_128_GCM_SHA256 indicates AES_128_GCM is used to encrypt messages, and SHA256 is the underlying hash algorithm in HKDF. Non-AEAD encryption algorithms (such as AES_128_CBC) are not allowed to be used.

Since the structure of TLS 1.3 cipher suites is different from that in previous versions, cipher suites defined for TLS 1.3 cannot be used in TLS 1.2, and vice versa.

Key exchange algorithms are negotiated using TLS extensions.

Programming referencesEdit

Programatically, a cipher suite is referred to as:

CipherSuite cipher_suites
a list of the cryptographic options supported by the client[11]
CipherSuite cipher_suite
the cipher suite selected by the server from the client's cipher_suites and revealed in the ServerHello message[12]


  1. ^ a b E. Rescorla (November 4, 2016). "The Transport Layer Security (TLS) Protocol Version 1.3". Retrieved 2016-11-11. 
  2. ^ RFC 5246
  3. ^ TLS Cipher Suite Registry
  4. ^ RFC 5246, p. 37
  5. ^ a b RFC 5246, p. 40
  6. ^ "TLS CipherSuites and CipherSpecs". IBM. Retrieved 16 May 2017. 
  7. ^ "Cipher Suites in Schannel". Microsoft MSDN. Retrieved 20 November 2009. 
  8. ^ RFC 5246, p. 47
  9. ^ a b RFC 5246, p. 17
  10. ^ RFC 5246, p. 16-17, 26
  11. ^ RFC 5246, p. 41
  12. ^ RFC 5246, p. 42-43, 64