Everything You Need to Know About an SSL Cipher and Cipher Lists

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

What is an SSL Cipher Suite? What’s included on the SSL cipher suite list? We’ve got your answers

If the term “SSL cipher” or “SSL cipher suite” reminds you of a character named “Cypher” in the movie “The Matrix,” then you must also be a serious Matrix fan! Well, as much as we’d love to discuss the film more in depth, we cannot (you can understand why). That’s why, in this post, we’re going to limit our focus to , and how they’re used in modern day cryptography and SSL/TLS security. After all, that’s what you’re here to learn about, right?

What is an SSL Cipher Suite?

An SSL cipher, or an SSL cipher suite, is a set of algorithms or a set of instructions/steps that helps to establish a secure connection between two entities — usually the client (a user’s browser) and the web server they’re connecting to (your website). In other words, SSL cipher suites determine the method through which a secure connection will take place between both entities. This communication could be taking place through HTTPS, FTPS, SMTP, or other network protocols.

Ultimately, the goal is to prevent cybercriminals and man-in-the-middle (MitM) attackers from being able to read your information by converting it into unintelligible cipher text.

Today, the term “cipher suite” might be used in the context of networks and data security, but the first cipher suite dates back to the time of the ancient Egyptians — around 1900 BC. One of the oldest (and simplest) ciphers is known as the Caesar cipher, which is named after Julius Caesar, the Roman politician and military leader who developed it. Let’s take a moment to explore this cipher before we dig deeper into modern SSL/TLS ciphers to give you a better understanding of how ciphers have evolved over the past two millennia.

Purchase an SSL Certificate & Save Up to 86%!

We offer the best discount on all types of SSL Certificates — DV, OV, and EV! We offer certificates from the leading CAs, including Comodo CA, Sectigo, Thawte, GeoTrust, and RapidSSL with DV certificates starting as low as $5.45 per year.

Shop Now

Caesar’s Cipher: One of the Earliest Used Ciphers

Caesar’s cipher was used to protect the confidential information he sent and received through couriers. The Caesar cipher, also known as a shift cipher, converts information into an encrypted, unreadable format (known as a cipher). This prevents enemies from deciphering the sensitive information — even if they somehow get their hands on the message.

The first condition of sending encrypted messages is that both parties have the key to the cipher. In Caesar’s cipher, this condition is satisfied because the sender and receiver both will know the logic of the cipher. The way Caesar’s cipher works is quite simple. It simply shifts an alphabet by a particular number (known as a modulus, or “mod” for short). If you decide to move places by 1, then A would become B, B would become C, and so on.

Mathematically, Caesar’s cipher encrypts the data using the below equation:

E(x) = (x + k) (mod 26)

And it’s decrypted using the below equation.

E(x) = (x – k) (mod 26)

Quite simple, isn’t it?

What Does an SSL/TLS Cipher Suite Consist of?

Modern day SSL/TLS cipher suites work the same way as Caesar’s cipher in the sense that they rely on mathematics. However, the maths involved in the modern ciphers is significantly more complex than the calculations involved in a simple shift cipher. Supercomputers, let alone humans, can’t crack some of the ciphers that are being used today. Quantum computers may change that in the future — but that’s a problem for another day.

How an SSL Cipher Works in the SSL/TLS Handshake Process

Creating a secure, encrypted connection via the SSL/TLS protocol is a fairly complex process that has many layers to it. In technical terms, it’s regarded as an “SSL/TLS handshake.” This handshake involves many steps for authentication and encryption of the messages. This includes key exchange, identity verification, data encryption, etc.

To negotiate a secure communication, the client and the server need to come on terms with four crucial elements:

  1. Key exchange algorithm
  2. Bulk encryption algorithm
  3. Data encryption algorithm
  4. Hash function.

Let’s explore these four elements in more detail.

Key Exchange Algorithm:

Although SSL/TLS uses asymmetric encryption for authentication, the actual data encryption is done using symmetric encryption. This means that symmetric cryptographic session keys, which are generated and kept by the server and client, encrypt and decrypt information. This, of course, occurs after the initial authentication process is completed using asymmetric public and private keys.

To protect this session key against ill-intended parties, secure algorithms need to be in place during the key exchange. A key exchange algorithm is a very crucial element of a cipher suite. RSA (Rivest–Shamir–Adleman), DH (Diffie-Hellman), ECDH (Elliptic-curve Diffie-Hellman), and ECDHE (Elliptic-curve Diffie-Hellman Ephemeral) are some of the most widely used key exchange algorithms.

Bulk Encryption Algorithm

Once the secure key exchange between the client and the server is complete, it’s time for actual data encryption. A faster algorithm needs to be in place as the size of the data quite large in nature. AES (Advanced Encryption Standard), 3DES (Triple Data Encryption Standard), and Camellia are some of the most common algorithms in this category. However, it’s important to note that Camellia, though originally considered an optional TLS 1.2 cipher suite, was eliminated from the list with the release of TLS 1.3.

Digital Signature/Authentication Algorithm

While authenticating the identity of the server, the client needs to validate the legitimacy of the server to make sure that it’s communicating with the right party. RSA and DSA (digital signing algorithm) are the most widely adopted digital signature/authentication algorithms.

Hashing Algorithm

To protect the integrity of the message, data is converted into a hash value of a particular length. This process, known as “hashing,” is considered a one-way function in cryptography. Even the smallest of change in the data will result in a totally different hash. Such hashing is a very fundamental part of the SSL/TLS data transmission, and it’s done using a hashing algorithm. SHA-2 is the most widely used hashing algorithm is use today.

How Does an SSL Cipher Suite Look?

If you’ve ever wondered what a cipher suite looks like, well, it’s your lucky day! This is an example of a cipher suite:

DHE_RSA_AES256_SHA256

If you’re like most people, it looks like a random string of numbers and letters. But what does each of these components represent? Let’s take a look:

  • DHE: The first part is the key exchange algorithm.
  • RSA: The second section is the authentication algorithm.
  • AES256: The third section is the type of encryption algorithm used.
  • SHA256: The fourth component is the type of hashing algorithm used.

List of Recommended TLS 1.2 Cipher Suites

TLS 1.2, the most extensively used version of TLS in the world, has 37 ciphers in total. However, not all of them are safe enough to use. Here’s a list of TLS 1.2 ciphers that are secure enough to use:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

TLS 1.3 Cipher Suites

TLS 1.3, an upgraded version of TLS 1.2, brings a host of changes, including changes to the list of cipher suites. One of the most significant downsides of TLS 1.2 was the time it took to process the SSL/TLS handshake. The biggest culprit behind this was the RSA algorithm, which uses large cryptographic keys to encrypt and decrypt the data. This resulted in increased computational overhead and latency.

TLS 1.3 fixes this problem by removing the RSA algorithm entirely. Therefore, it practically eliminates the first half of the SSL cipher suite.

Here’s what it looks like:

TLS_AES_256_GCM_SHA384

Essentially, this SSL cipher suite now includes only two elements: an encryption algorithm and a hashing algorithm. The key exchange takes place through the Diffie-Hellman algorithm, as RSA is eliminated entirely. Another factor that makes TLS 1.3 ciphers superior to their predecessors is their use of AEAD (authenticated encryption with associated data) as an encryption algorithm. This algorithm hashes a message authentication code (MAC) alongside the encryption process (MAC-and-Encrypt).

List of Recommended TLS 1.3 Cipher Suites

The SSL cipher suite list has reduced dramatically from TLS 1.2 to TLS 1.3. Now, there are just five SSL cipher suites that are recommended:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • TLS_AES_128_CCM_SHA256

Final Word

If you’re a website owner or administrator, you must make sure that your web server is compatible with TLS 1.2 as a minimum (ideally, TLS 1.3). This will help you to ensure that the transactions that occur on your website take place through secure, encrypted channels using SSL cipher suites.

If you’re running your server on older versions, you could be in colossal trouble even if you have an SSL/TLS certificate with the latest updates. And if you’re an ordinary website user, you must keep your web browser updated to ensure that you’re using the most current and secure SSL cipher suites from the list.