What are cipher suites?
Cipher Suites are an important part of the server configuration. They are pre-set combinations of different algorithms used in the encrypted traffic between server and user. The following parts are combined to define a cipher suite:
- The key exchange algorithm, which controls whether and how authentication occurs during the handshake
- The bulk encryption algorithm, which determines how traffic is encrypted
- The Message Authentication Code Algorithm, also known as MAC, which decides how each block of traffic is hashed into a cryptographically encrypted message
- The PRF or Pseudo-Random Function, a so-called salt function that serves as the cryptographic secret key with which the MAC can encrypt and decrypt blocks of traffic.
Each separate connection between the server and the user of a website is preceded by a handshake. During this handshake, the user tries to contact the server using a ClientHello and a ServerHello, and allows the exchange of information about the cipher suites that the client and the server are familiar with. The server uses this list of cipher suites to find the most suitable cipher suite, and uses the protocols contained in it to encrypt all further communications between the server and the client.
How a cipher suite is constructed is the most important factor for a server in deciding which cipher suite to use. While the personal preference of the owner of the server plays a large role in which cipher suites are installed on a server, cipher suites using ECDHE are preferred over all others. This protocol uses the almost unbreakable ECC algorithm.
Other than that, the type of cryptographic protocol used plays a large part. Nowadays, TLS 1.3 is the norm. Its predecessors, SSL 2.0 and 3.0, are seen as unsafe due to their weaknesses that allowed Man in the Middle attacks to succeed. For example, the handshake in SSL 2.0 was unsecure, allowing a hacker to force the use of a weaker cipher suite.
The administrator of a website can enforce the use of the best possible cipher suites by regularly updating the software and using proper configuration. A webserver uses webserver software, such as Apache or NginX, which in turn use software known as libraries, such as OpenSSL. This contains all known cipher suites. It is therefore important to keep this library up to date, because a cipher suite must be saved in the library if the server software wants to be able to use it.
Frequently asked questions
About SSL certificates
- What is a common name?
- What is a private key and what is a public key?
- What is a wildcard certificate?
- What is an intermediate certificate?
- What is a root certificate?
- What is SNI and when do I need it?
- What are cipher suites?
- What is HTTP Strict Transport Security (HSTS)?
- What is OCSP?
- How does file approver work?