Cipher suite


Cipher suite

A cipher suite is a named combination of authentication, encryption, and message authentication code (MAC) algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) network protocol.

The structure and use of the cipher suite concept is defined in the documents that define the protocol (RFC 5246 standard for TLS version 1.2). A reference for named cipher suites is provided in RFC 2434, the TLS Cipher Suite Registry.

Contents

Use

When a TLS connection is established, a handshaking, known as the TLS Handshake Protocol, occurs. Within this handshake, a client hello (ClientHello) and a server hello (ServerHello) message is passed. (RFC 5246, p. 37) First, the client sends a cipher suite list, a list of the cipher suites that it supports, in order of preference. Then the server replies with the cipher suite that it has selected from the client cipher suite list. (RFC 5246, p. 40) In order to test which TLS ciphers that a server supports an SSL/TLS Scanner may be used.

Detailed description

Each named cipher suite defines a key exchange algorithm, a bulk encryption algorithm, a message authentication code (MAC) algorithm, and a pseudorandom function (PRF). (RFC 5246, p. 40)

  • The key exchange algorithm is used to determine if and how the client and server will authenticate during the handshake. (RFC 5246, p. 47).
  • The bulk encryption algorithm is used to encrypt the message stream. It also includes the key size and the lengths of explicit and implicit initialization vectors (cryptographic nonces). (RFC 5246, p. 17)
  • The message authentication code (MAC) algorithm is used to create the message digest, a cryptographic hash of each block of the message stream. (RFC 5246, p. 17)
  • The pseudorandom function (PRF) is used to create the master secret, a 48-byte secret shared between the two peers in the connection. The master secret is used as a source of entropy when creating session keys, such as the one used to create the MAC. (RFC 5246, p. 16-17, 26)

[1][2]

Examples of algorithms used

key exchange
RSA, Diffie-Hellman, ECDH, SRP, PSK
authentication
RSA, DSA, ECDSA
bulk ciphers
RC4, Triple DES, AES, IDEA, DES, or Camellia. In older versions of SSL, RC2 was also used.
message authentication
for TLS, a Hash-based Message Authentication Code using MD5 or one of the SHA hash functions is used. For SSL, SHA, MD5, MD4, and MD2 are used.

Programming references

Programatically, a cipher suite is referred to as:

CipherSuite cipher_suites
a list of the cryptographic options supported by the client (RFC 5246, p. 41)
CipherSuite cipher_suite
the cipher suite selected by the server and revealed in the ServerHello message (RFC 5246, p. 42-43, 64)

References

RFC 5246 standard for TLS version 1.2
TLS Cipher Suite Registry at IANA

Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Cipher Suite — Eine Cipher Suite (frei übersetzbar als „Chiffrensammlung“) ist eine standardisierte Sammlung kryptographischer Algorithmen. Ein Beispiel dafür ist die NSA Suite B Cryptography, die Algorithmen festlegt, die für die Arbeit im Regierungsumfeld… …   Deutsch Wikipedia

  • Cipher Pol — (サイファーポール, Saifā Pōru?) est un organisme de fiction du manga One Piece. Le terme vient de cipher, qui signifie chiffre et de pol, qui est une abréviation de police. Cipher Pol est une branche du gouvernement chargée de l espionnage et des… …   Wikipédia en Français

  • Cipher Block Chaining — Mode d opération (cryptographie) En cryptographie, un mode d opération est la manière de traiter les blocs de texte clairs et chiffrés au sein d un algorithme de chiffrement par bloc. Chacun des modes possède ses propres atouts. Plusieurs modes… …   Wikipédia en Français

  • NSA Suite B Cryptography — Suite B is a set of cryptographic algorithms promulgated by the National Security Agency as part of its Cryptographic Modernization Program. It is to serve as an interoperable cryptographic base for both unclassified information and most… …   Wikipedia

  • Skipjack (cipher) — Infobox block cipher name = Skipjack designers = NSA publish date = 1998 (declassifed) key size = 80 bits block size = 64 bits structure = unbalanced Feistel network rounds = 32 cryptanalysis = 31 rounds are susceptible to impossible differential …   Wikipedia

  • Orchestral Suite No. 2 (Tchaikovsky) — Pyotr Ilyich Tchaikovsky composed his Orchestral Suite No. 2 in C major, Op. 53, in 1883. It was premiered on February 16, 1884 at a Russian Musical Society concert in Moscow, conducted by Max Erdmannsdörfer. The piece was well enough received to …   Wikipedia

  • Transport Layer Security — (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e mail, Internet faxing, instant messaging and other data transfers. There are… …   Wikipedia

  • SSL-Verschlüsselung — In diesem Artikel oder Abschnitt fehlen folgende wichtige Informationen: Informationen über SSL Change Cipherspec. Protocol, SSL Alert Protocol, SSL Application Data Protocol Du kannst Wikipedia helfen, indem du sie recherchierst und einfügst …   Deutsch Wikipedia

  • Secure Server Line — In diesem Artikel oder Abschnitt fehlen folgende wichtige Informationen: Informationen über SSL Change Cipherspec. Protocol, SSL Alert Protocol, SSL Application Data Protocol Du kannst Wikipedia helfen, indem du sie recherchierst und einfügst …   Deutsch Wikipedia

  • Secure Sockets Layer — In diesem Artikel oder Abschnitt fehlen folgende wichtige Informationen: Informationen über SSL Change Cipherspec. Protocol, SSL Alert Protocol, SSL Application Data Protocol Du kannst Wikipedia helfen, indem du sie recherchierst und einfügst …   Deutsch Wikipedia


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.