When your browser connects to a server over TLS, the first thing they need to agree on is: which algorithms are we going to use? There are multiple options for key exchange, authentication, encryption, and hashing. A cipher suite is a specific combination of one algorithm for each job.
Think of it as ordering a combo meal. You pick one drink, one main, one side, and one dessert. A cipher suite picks one key exchange algorithm, one authentication algorithm, one bulk encryption algorithm, and one hash algorithm. The name of the cipher suite tells you exactly what’s in the combo.
In TLS 1.2, a cipher suite name encodes all four choices:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Breaking it down:
TLS: the protocol the suite belongs to; every suite name starts with it.
ECDHE: key exchange. Ephemeral Elliptic Curve Diffie-Hellman; a fresh key pair for every connection, which is what gives forward secrecy.
RSA: authentication. The server proves who it is by signing the handshake with the RSA key in its certificate.
AES_256_GCM: bulk encryption. AES with a 256-bit key in Galois/Counter Mode, an AEAD mode that encrypts and authenticates the record in one pass.
SHA384: hash. In TLS 1.2 this is the hash behind the pseudorandom function (PRF) that derives the session keys. With an AEAD cipher such as GCM there is no separate MAC; with a CBC suite the last token is also the HMAC algorithm.
Another example:
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
Same key exchange (ECDHE), but authentication is ECDSA, so the server's certificate carries an elliptic curve key instead of an RSA key; bulk encryption is ChaCha20 with the Poly1305 authenticator, another AEAD; and SHA256 is the PRF hash.
TLS 1.3 simplified cipher suite naming dramatically. Key exchange and authentication are negotiated separately, through the supported_groups/key_share and signature_algorithms extensions of the ClientHello, so the cipher suite only specifies the AEAD cipher and the hash that HKDF uses for key derivation:
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS 1.3 has exactly five cipher suites: the three above, which are what browsers and web servers actually use, plus TLS_AES_128_CCM_SHA256 and TLS_AES_128_CCM_8_SHA256 for constrained devices. That's it. Every one of them is an AEAD cipher paired with an ephemeral key exchange, so a TLS 1.3 connection cannot end up on a suite without forward secrecy or with a separate MAC. Compare that to the dozens (sometimes hundreds) of cipher suites in TLS 1.2. Fewer options means fewer ways to misconfigure things.
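To make the naming rules concrete, here is an added example, not code from the original page, that parses both TLS 1.2-style and TLS 1.3-style suite names into their components and reads the obvious weaknesses straight off the name. The class and function names and the weakness labels are the example's own choices; the name layout it relies on is the IANA convention described above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The last token of every IANA suite name is the hash: MD5, SHA (meaning SHA-1), SHA256, SHA384.
HASH_TOKEN = re.compile(r"^(MD5|SHA\d*)$")


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: Optional[str]    # None for TLS 1.3 names: negotiated via extensions
    authentication: Optional[str]  # None for TLS 1.3 names
    encryption: str                # e.g. AES_256_GCM, CHACHA20_POLY1305, 3DES_EDE_CBC
    hash: str                      # PRF/HKDF hash; also the HMAC for non-AEAD suites
    export_grade: bool = False     # 1990s "EXPORT" suites with deliberately short keys

    @property
    def tls13_style(self) -> bool:
        return self.key_exchange is None

    @property
    def aead(self) -> bool:
        # GCM, CCM and Poly1305 authenticate the ciphertext themselves;
        # CBC and RC4 suites need a separate HMAC.
        return any(tag in self.encryption.split("_") for tag in ("GCM", "CCM", "POLY1305"))

    @property
    def forward_secret(self) -> bool:
        # Ephemeral (EC)DH keys are thrown away after the handshake. Static RSA key
        # transport lets anyone who later obtains the server key decrypt recorded traffic.
        # TLS 1.3 dropped every non-ephemeral exchange, so 1.3-style names always qualify.
        return self.tls13_style or self.key_exchange.startswith(("ECDHE", "DHE"))

    def weaknesses(self) -> List[str]:
        """Reasons a practitioner would disable this suite, read from the name alone."""
        found = []
        enc = self.encryption.split("_")
        if not self.forward_secret:
            found.append("no forward secrecy")
        if self.authentication == "anon":
            found.append("anonymous: no server authentication")
        if self.export_grade:
            found.append("export-grade key size")
        if "NULL" in enc:
            found.append("NULL cipher: no confidentiality")
        if "RC4" in enc:
            found.append("RC4: biased keystream")
        if "3DES" in enc or "DES" in enc:
            found.append("(3)DES: 64-bit block size")
        if not self.aead:
            found.append("non-AEAD: separate MAC, padding-oracle history")
            if self.hash in ("MD5", "SHA"):
                found.append("HMAC-SHA1" if self.hash == "SHA" else "HMAC-MD5")
        return found


def parse_cipher_suite(name: str) -> CipherSuite:
    """Split an IANA-style suite name into its components (TLS 1.2 or TLS 1.3 naming)."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {name!r}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:  # TLS 1.2 style: TLS_<kex>_<auth>_WITH_<cipher>_<hash>
        left, right = body.split("_WITH_", 1)
        tokens = left.split("_")
        export = "EXPORT" in tokens
        tokens = [t for t in tokens if t != "EXPORT"]
        if len(tokens) == 1:  # TLS_RSA_WITH_...: RSA key transport does both jobs
            kex = auth = tokens[0]
        else:                 # TLS_ECDHE_RSA, TLS_DH_anon, TLS_SRP_SHA_RSA, ...
            kex, auth = "_".join(tokens[:-1]), tokens[-1]
    else:                     # TLS 1.3 style: TLS_<cipher>_<hash>
        right, kex, auth, export = body, None, None, False
    parts = right.split("_")
    if len(parts) < 2 or not HASH_TOKEN.match(parts[-1]):
        raise ValueError(f"cannot find the hash component in {name!r}")
    return CipherSuite(name, kex, auth, "_".join(parts[:-1]), parts[-1], export)


if __name__ == "__main__":
    for n in ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
              "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
              "TLS_AES_256_GCM_SHA384",
              "TLS_RSA_WITH_3DES_EDE_CBC_SHA"):
        cs = parse_cipher_suite(n)
        print(n, "->", cs.key_exchange, cs.authentication, cs.encryption, cs.hash,
              "| weaknesses:", ", ".join(cs.weaknesses()) or "none")
```

The parser accepts only IANA names; OpenSSL's hyphenated spellings (ECDHE-RSA-AES256-GCM-SHA384) are rejected rather than guessed at, which is the right behaviour for anything that feeds a policy check.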
During the TLS handshake:
1. The client sends the list of cipher suites it supports in the ClientHello, in its order of preference.
2. The server compares that list with the suites it is configured to allow and picks one that both sides support.
3. The server announces the choice in the ServerHello. If the two lists have no suite in common, the server aborts with a handshake_failure alert and no connection is established.
The server can be configured to prefer its own order (server preference) or respect the client's order (client preference). Server preference is the usual recommendation for TLS 1.2, because it lets the administrator guarantee that the strongest mutually supported suite wins even when a client lists a weaker one first (SSLHonorCipherOrder on in Apache, ssl_prefer_server_ciphers on in nginx). With TLS 1.3, where every suite is an AEAD with a forward-secret key exchange, some operators deliberately follow the client's order so that a device without AES hardware acceleration can pick ChaCha20-Poly1305.
```mermaid
sequenceDiagram
    participant C as Client
    participant S as Server
    C->>S: ClientHello: I support these cipher suites (in order)
    Note over S: Pick the best one I also support
    S->>C: ServerHello: Let's use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
```
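The negotiation above, as an added example that is not part of the original page: the client's preference list is encoded the way it travels in the ClientHello cipher_suites vector (a 2-byte length followed by 2-byte IANA code points), the server decodes it and picks a suite under either policy, and a client that lists a CBC suite first only gets the GCM suite when server preference is on. The code points are the real IANA values; the function names, the HandshakeFailure exception and the sample client and server lists are constructed for this example.

```python
import struct
from typing import Dict, List, Sequence

# IANA code points for the suites used below (RFC 8446 B.4, RFC 5289, RFC 7905,
# RFC 5246 A.5, and RFC 5746 for the renegotiation signalling value).
SUITE_IDS: Dict[str, int] = {
    "TLS_AES_256_GCM_SHA384": 0x1302,
    "TLS_CHACHA20_POLY1305_SHA256": 0x1303,
    "TLS_AES_128_GCM_SHA256": 0x1301,
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": 0xC030,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": 0xCCA8,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV": 0x00FF,  # a signal, never a selectable suite
}
SUITE_NAMES = {code: name for name, code in SUITE_IDS.items()}
HANDSHAKE_FAILURE = 40  # TLS alert description "handshake_failure"


class HandshakeFailure(Exception):
    """Raised where a real server would send a fatal handshake_failure alert."""


def encode_cipher_suites(names: Sequence[str]) -> bytes:
    """ClientHello.cipher_suites: 2-byte length, then one 2-byte code point per suite,
    in the client's order of preference (RFC 5246 section 7.4.1.2)."""
    body = b"".join(struct.pack("!H", SUITE_IDS[name]) for name in names)
    return struct.pack("!H", len(body)) + body


def decode_cipher_suites(vector: bytes) -> List[int]:
    """Parse the vector back into code points, rejecting a malformed length."""
    if len(vector) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack("!H", vector[:2])
    if length == 0 or length % 2 or 2 + length > len(vector):
        raise ValueError("malformed cipher_suites vector")
    return list(struct.unpack("!%dH" % (length // 2), vector[2:2 + length]))


def select_cipher_suite(client_hello_suites: bytes, server_suites: Sequence[str],
                        server_preference: bool = True) -> str:
    """Server-side choice: returns the suite name that goes into the ServerHello."""
    offered = [SUITE_NAMES.get(code) for code in decode_cipher_suites(client_hello_suites)]
    # Code points the server does not recognise are ignored; the SCSV is a flag, not a suite.
    offered = [name for name in offered if name and not name.endswith("_SCSV")]
    if server_preference:   # walk the server's list, take the first one the client offered
        common = [s for s in server_suites if s in offered]
    else:                   # walk the client's list, take the first one the server allows
        common = [s for s in offered if s in server_suites]
    if not common:
        raise HandshakeFailure(f"alert {HANDSHAKE_FAILURE}: no cipher suite in common")
    return common[0]


if __name__ == "__main__":
    # Constructed example: an older client that puts a CBC suite ahead of a GCM suite.
    client_order = ["TLS_RSA_WITH_AES_128_CBC_SHA",
                    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
    hello = encode_cipher_suites(client_order)
    server_order = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    print("wire bytes:       ", hello.hex())
    print("server preference:", select_cipher_suite(hello, server_order, server_preference=True))
    print("client preference:", select_cipher_suite(hello, server_order, server_preference=False))
```

Run it and the same ClientHello yields the GCM suite under server preference and the CBC suite under client preference; trim the CBC suite from server_order and the client's ordering stops mattering, which is the point of disabling weak suites rather than merely demoting them.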
The cipher suite determines the security of the connection. A weak cipher suite means weak security, even if everything else is configured correctly. Choosing the right cipher suites and disabling weak ones is one of the most important TLS configuration decisions.
In the next few chapters, we’ll look at each component of the cipher suite in detail: key exchange, authentication, encryption, and hashing. Then we’ll cover how to choose the right ones.