What are Cipher Suites?
Cipher suites are sets of instructions that enable secure network connections through Transport Layer Security (TLS), often still referred to as Secure Sockets Layer (SSL). These cipher suites provide a set of algorithms and protocols that are required to secure communications between clients and servers. To initiate an HTTPS connection, the two parties, the web server and the client, perform an SSL handshake. During the handshake process, the two parties agree on a mutual cipher suite, and that cipher suite is then used to negotiate a secure HTTPS connection. The handshake process involves the two parties using [1]:
Key exchange algorithms. Key exchange algorithms determine how symmetric keys will be exchanged. Examples of key exchange algorithms include RSA, DH, ECDH, DHE, ECDHE, and PSK.
Authentication or digital signature algorithm. Authentication or digital signature algorithms dictate how server authentication and client authentication (if required) will be implemented. Examples of authentication or digital signature algorithms include RSA, ECDSA, and DSA.
Bulk encryption cipher. Bulk encryption ciphers are used to encrypt the data. Examples of bulk encryption ciphers include AES, CHACHA20, Camellia, and ARIA.
Hash/MAC function. Hash/MAC functions determine how data integrity checks will be carried out. Examples of hash/MAC functions include SHA-256 and POLY1305.
Cipher suites are important for ensuring the security, compatibility, and performance of HTTPS connections. Cipher suites are required due to the variety of servers, operating systems, and browsers that may be used. Cipher suites make it possible to accommodate all combinations of these elements, ensuring their compatibility. Since it is the web server that finally determines which cipher suite will be used, it is important that a prioritized list of cipher suites be listed on the web server. Typically, it is the administrator’s responsibility to choose the correct ciphers to be listed on any web server. This is largely determined by the type of users connecting to the server and the technology they are using.
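The four components and the server-side priority order described above can be seen in a short sketch. This is an added example, not code from the cited sources; it assumes IANA-style suite names, the function names `parse_suite` and `negotiate` are hypothetical, and the server and client lists are constructed sample data.

```python
def parse_suite(name):
    """Split an IANA cipher suite name into the four components named above."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        left, right = body.split("_WITH_", 1)
        parts = left.split("_")
        key_exchange = parts[0]
        # TLS_RSA_WITH_... and TLS_PSK_WITH_...: one algorithm fills both roles.
        authentication = parts[1] if len(parts) > 1 else parts[0]
    else:
        # TLS 1.3 names carry only cipher and hash; key exchange and the
        # signature algorithm are negotiated separately in the handshake.
        right, key_exchange, authentication = body, None, None
    # In AEAD suites (GCM, CHACHA20_POLY1305) the trailing hash is used by the
    # handshake; record integrity comes from the AEAD cipher itself.
    bulk_cipher, _, hash_name = right.rpartition("_")
    if not bulk_cipher:
        raise ValueError(f"malformed suite name: {name!r}")
    return {"key_exchange": key_exchange, "authentication": authentication,
            "bulk_cipher": bulk_cipher, "hash": hash_name}


def negotiate(server_priority, client_offer):
    """Return the first suite in the server's ordered list that the client offers.

    Simplification (assumption): protocol version checks are ignored.
    """
    offered = set(client_offer)
    for suite in server_priority:
        if suite in offered:
            return suite
    return None  # no common suite: the handshake fails


# Constructed sample data: real IANA names, hypothetical server and client.
SERVER_PRIORITY = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
OLD_CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]

if __name__ == "__main__":
    chosen = negotiate(SERVER_PRIORITY, OLD_CLIENT)
    print(chosen, parse_suite(chosen))
    print(parse_suite("TLS_AES_128_GCM_SHA256"))
```

The client lists the AES-GCM suite ahead of CHACHA20, but the server's order decides the outcome, which is why the priority list on the server matters.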
Mozilla recommends configurations of cipher suites for servers using TLS, based on the audience [2]:
Modern. Modern clients that support TLS 1.3, with no need for backwards compatibility.
Intermediate. Recommended configuration for a general-purpose server.
Old. Services accessed by very old clients or libraries, such as Internet Explorer 8 (Windows XP), Java 6, or OpenSSL 0.9.8.
Users are also responsible for ensuring secure connections. As browser vendors update their list of supported cipher suites after a vulnerability is discovered, users must install the latest browser patches to reduce the likelihood of encountering compatibility issues when weak cipher suites are deprecated on the server side.
[1] Sung, 2020, “An Introduction to Cipher Suites”
[2] Mozilla, 2023, “Security/Server Side TLS”