Jessica howe

Posted on DEV Community
A Complete Guide to SSL Cipher Suites

Everything you need to know about SSL Cipher Suites: From beginner to expert level

Being a website administrator requires one to be aware of current trends and technologies in cyber security. However, if you are not already familiar with certain concepts, the endless barrage of information online can get overwhelming. Such a situation can make it hard for you to choose which encryption technique is best suited to protect your website.

Ciphers, sometimes spelled cyphers, are an integral part of cryptography. They have been used since approximately 400 BCE and seem to have been invented by the ancient Greeks for encrypting military messages. Before we move on to how those early ciphers or any of the modern ciphers work, let’s go over what ciphers are.

Ciphers: Definition and Overview

Ciphers are cryptographic algorithms that can encrypt and decrypt information. Encryption refers to the act of converting readable information (“plaintext”) into unreadable or gibberish data (“ciphertext”). Decryption simply reverses the process by converting ciphertext back into plaintext. Most modern ciphers use an encryption key to encrypt and decrypt data.

Older ciphers like Caesar’s cipher operated with a much simpler logic. In this particular cipher, every plaintext letter was shifted a certain number of positions to the right to produce the ciphertext, wrapping around from Z back to A. Mathematically, this wrap-around is a modulus operation, and the number of positions by which the letters are shifted is called the key.

For example, if you were to run Caesar’s cipher on the word “Apple” with the key 4, it would become “ETTPI”.
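
Added example (not code from the original post): the shift-and-wrap logic just described, in Python, with the wrap-around at Z implemented as the modulus the text mentions. It also shows that decryption is the same shift backwards and that keys differing by a multiple of 26 are really the same key.

```python
# Added example (not from the original post): the Caesar shift described
# in the text, with the wrap-around done as a modulus operation.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter `key` positions to the right, wrapping with mod 26.

    Letters are uppercased first (so "Apple" with key 4 gives "ETTPI", as in
    the text); any other character is passed through unchanged.
    """
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            idx = ALPHABET.index(ch)
            out.append(ALPHABET[(idx + key) % len(ALPHABET)])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Decrypting is the same shift in the opposite direction."""
    return caesar_encrypt(ciphertext, -key)


def equivalent_key(key: int) -> int:
    """Because of the modulus, only the key's remainder mod 26 matters:
    keys 4, 30 and -22 all produce the same ciphertext. This is why the
    cipher has just 26 usable keys (and key 0 leaves the text unchanged)."""
    return key % len(ALPHABET)


if __name__ == "__main__":
    print(caesar_encrypt("Apple", 4))   # ETTPI
    print(caesar_decrypt("ETTPI", 4))   # APPLE
```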

How Many Kinds of Ciphers Are There?

Ciphers can be divided into various categories based on their encryption mechanism and how they use it. The most common types of ciphers are:

1. Substitution Ciphers:

Substitution ciphers work by replacing characters in the plaintext with other characters to generate the ciphertext. The above-mentioned Caesar’s cipher is an example of a substitution cipher.

2. Transposition Ciphers

Transposition ciphers can be considered the opposite of substitution ciphers. Instead of replacing plaintext characters with alternates, they simply rearrange their positions.

3. Polygraphic Ciphers

Polygraphic ciphers are an advanced kind of substitution cipher that substitutes groups of letters instead of single characters. This is done to make it harder for attackers to guess the key via the frequency distribution of letters.

4. Permutation Ciphers

Permutation ciphers choose a random arrangement of the given plaintext characters. A permutation is a mathematical function that calculates all possible ways in which things can be arranged.

5. Private-Key Ciphers

Private-Key ciphers were common among the earliest client-server network systems. In this kind of cipher, the sender and receiver both share a secret key beforehand, which is then used to both encrypt and decrypt information. However, if attackers got hold of the private key, they could easily access privileged information.

6. Public-Key Ciphers

Public-Key ciphers are a modern iteration of private-key ciphers and are more secure. In this case, the sender and receiver have two separate keys – a public key and a private key. The sender uses the public key to encrypt the message, and the private key is never really shared across the web or with the receiver, which keeps it secure.

What is a Cipher Suite?

A cipher suite is simply the set of algorithms that can be utilized to secure connections across a network. These are used most commonly with the SSL or TLS protocols and are an integral part of the famous HTTPS connections.

What is an SSL Cipher Suite?

An SSL Cipher Suite functions across the SSL protocol. The SSL or Secure Sockets Layer protocol ensures authenticity between client and server systems in a process known as the SSL handshake. The handshake process decides the cipher suite to be used during the communication between the systems, and keys are exchanged.

The process is exceptionally effective against man-in-the-middle attacks, which have been known to compromise connections for decades. As a website administrator, note that it is the server that decides the cipher suite during the handshake. Therefore, it is essential that you understand which cipher suite is right for your website. It is also a good idea to consider the devices your target users use while choosing the suite.

If you’re wondering what an SSL Cipher looks like, here’s an example:

[Image: example of SSL cipher suites]

Get to Know the Four Components of SSL Cipher Suites in Detail

SSL Cipher Suites have four key components that are used to establish a secure connection between the client and the server systems. These are:

1. Key Exchange Algorithm

The key exchange is a symmetric encryption algorithm, which may seem counterproductive since SSL uses asymmetric encryption. However, the key exchange algorithm is only run after the initiation of the handshake and the authentication of both systems via asymmetric encryption.

Therefore, the key exchange algorithm functions as an additional layer of security and doesn’t have to be an asymmetric algorithm. Some common examples of key exchange algorithms are RSA, DH, and ECDH. In fact, RSA is the algorithm used for encrypting most banking-related communications, and it cannot be cracked without the aid of a Quantum Computer capable of running Shor’s Algorithm.

2. Bulk Encryption Algorithm

The Bulk Encryption Algorithm is in charge of encrypting all the data that is transferred. The above-mentioned algorithms are too slow for this purpose. Therefore, algorithms such as 3DES or AES are used thanks to their speed in encrypting and decrypting large volumes of information.

3. Authentication Algorithm

The Authentication Algorithm is used by the client to authenticate the server’s identity. This is an extra precaution to prevent man-in-the-middle attacks that take place on public networks. The most common algorithms used for this purpose are RSA and DSA.

4. Hashing Algorithm

Hashing Algorithms are used for an advanced form of cryptography known as hashing. In this process, the data is converted into a hash value of a fixed length, and the same input always produces exactly the same value. This is used to ensure that the integrity of the data is preserved over the network.

If the data has been tampered with, its hash value will be entirely different from the original hash value. This alerts the systems to any tampering with the data.

What is a TLS Cipher Suite, and How is it Different from an SSL Cipher Suite?

The TLS or Transport Layer Security protocol is an advanced version of the SSL protocol. Its functioning is similar when it comes to using Cipher Suites; however, it is more secure.

Seeing that the TLS Cipher Suite is a more recent iteration of the SSL Cipher Suite, it is a lot more likely that you will be working with the TLS variation. However, before you choose the right cipher suite for your website, let’s take a look at some of the most recommended ones:

Types of Cipher Suites

While talking about the various available cipher suites, we are going to skip over the cipher suites that exist for TLS protocol versions earlier than TLS 1.2. This is because the previous versions have been deprecated and replaced by newer ones.

Here Are the TLS 1.2 Ciphers That Cybersecurity Professionals Recommend

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

While the above cipher suites are in use across the industry and have been recommended by experts, they can still have certain vulnerabilities. As exploits get discovered, the respective suites are deprecated. As such, we recommend sticking to the cipher suites that come with TLS 1.3 since it is the latest iteration of the protocol, and its exploits would likely be harder to find.

TLS 1.3 Cipher Suites

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • TLS_AES_128_CCM_SHA256
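
As an added example (not code from the original post), the following Python splits cipher suite names into the four components described earlier, for both the TLS 1.2 naming form (TLS_<key exchange>_<authentication>_WITH_<bulk cipher>_<hash>) and the shorter TLS 1.3 form in the list above, and flags suites a defender would want to review. The `review` criteria (no forward secrecy, non-AEAD bulk cipher) are my own choice of checks, not a standard.

```python
# Added example (not from the original post); the `review` criteria are mine.
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class CipherSuite:
    name: str
    version: str                   # naming form: "1.2" or "1.3"
    key_exchange: Optional[str]    # ECDHE, DHE, RSA ...; None for TLS 1.3 names
    authentication: Optional[str]  # RSA, ECDSA ...; None for TLS 1.3 names
    bulk_cipher: str               # AES_128_GCM, CHACHA20_POLY1305 ...
    hash_alg: Optional[str]        # SHA256, SHA384 ...; None if the name omits it
    forward_secrecy: bool          # ephemeral (EC)DHE key exchange?
    aead: bool                     # authenticated encryption (GCM/CCM/Poly1305)?


# TLS 1.2 form: TLS_<kx>[_<auth>]_WITH_<bulk>[_<hash>]
TLS12 = re.compile(r"^TLS_([A-Z]+)(?:_([A-Z]+))?_WITH_(.+?)(?:_(SHA\d*))?$")
# TLS 1.3 form: TLS_<AEAD bulk cipher>_<HKDF hash>
TLS13 = re.compile(r"^TLS_(.+?)_(SHA\d+)$")


def _is_aead(bulk: str) -> bool:
    return any(tag in bulk for tag in ("GCM", "CCM", "POLY1305"))


def parse_suite(name: str) -> CipherSuite:
    if m := TLS12.match(name):
        kx, auth, bulk, h = m.groups()
        # A single algorithm before WITH (e.g. TLS_RSA_WITH_...) does both
        # the key exchange and the authentication.
        return CipherSuite(name, "1.2", kx, auth or kx, bulk, h,
                           forward_secrecy=kx in ("ECDHE", "DHE"),
                           aead=_is_aead(bulk))
    if m := TLS13.match(name):
        bulk, h = m.groups()
        # TLS 1.3 always negotiates an ephemeral (EC)DHE exchange and only
        # allows AEAD ciphers, so the name carries just bulk cipher and hash.
        return CipherSuite(name, "1.3", None, None, bulk, h, True, True)
    raise ValueError(f"unrecognised cipher suite name: {name}")


def review(names) -> list:
    """Return (suite, reason) pairs a defender would want to look at."""
    findings = []
    for n in names:
        s = parse_suite(n)
        if not s.forward_secrecy:
            findings.append((n, "no forward secrecy"))
        if not s.aead:
            findings.append((n, "non-AEAD (CBC) bulk cipher"))
    return findings
```

Running `review` over a server's configured suite list gives a quick picture of which entries still rely on static key exchange or CBC modes.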

Final Thoughts on SSL Cipher Suites

SSL Cipher Suites, or more recently TLS Cipher Suites, are the first line of defense web servers have to protect the data of their users. They encrypt the information communicated between the client and the server and preserve the integrity of the data. To properly preserve the security of data, choosing a cipher suite compatible with the most recent version of the TLS protocol is crucial.
