TLS & PKI

What is a Cipher Suite?

Definition

A cipher suite is a named set of cryptographic algorithms negotiated during a TLS handshake, specifying key exchange, authentication, encryption, and integrity protection for secure communications.

A cipher suite is a combination of cryptographic algorithms that defines how a TLS session secures its data. It typically includes four components: a key exchange algorithm (e.g., ECDHE, RSA), an authentication algorithm (e.g., RSA, ECDSA), a bulk encryption cipher (e.g., AES-256-GCM, ChaCha20-Poly1305), and a message authentication code (MAC) algorithm (e.g., HMAC-SHA384). During the TLS handshake, the client and server negotiate which cipher suite to use from a list of supported suites presented in the ClientHello message.

The negotiation begins with the client sending a list of supported cipher suites. The server selects one based on its own preferences and security policy. The handshake then proceeds using the chosen suite's algorithms to exchange keys, authenticate the server (and optionally the client), encrypt the session data, and verify message integrity. Modern cipher suites prioritize forward secrecy and authenticated encryption, especially in TLS 1.3, which reduced the supported set to five AEAD-only suites.
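The list of offered suites is carried as 16-bit IANA code points inside the ClientHello, which is what a network sensor or packet-capture tool actually sees. The following Python is an added example (not code from the glossary) that builds a constructed, minimal ClientHello record, parses the cipher suite list back out of it, skips the GREASE placeholder values that modern browsers insert (RFC 8701), and maps the remaining codes to their IANA names using a small hand-picked subset of the registry. The record layout, the code points and the GREASE rule are standard; the sample bytes and the `IANA_SUITES` subset are assumptions constructed for this example.

```python
import struct

# Constructed subset of the IANA TLS Cipher Suites registry (code -> name),
# enough to label the sample ClientHello below. Not the full registry.
IANA_SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # signalling value, not a real suite
}


def is_grease(code: int) -> bool:
    """RFC 8701 GREASE code points: both bytes equal and low nibble 0xA (0x0A0A, 0x1A1A, ...)."""
    return (code >> 8) == (code & 0xFF) and (code & 0x0F) == 0x0A


def build_client_hello(suite_codes, session_id: bytes = b"") -> bytes:
    """Build a minimal TLS record carrying a ClientHello with the given suites (constructed sample)."""
    body = b"\x03\x03" + bytes(32)                       # legacy_version + 32-byte random (zeros here)
    body += bytes([len(session_id)]) + session_id        # session_id<0..32>
    suites = b"".join(struct.pack("!H", c) for c in suite_codes)
    body += struct.pack("!H", len(suites)) + suites      # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                                  # compression_methods: [null]
    body += b"\x00\x00"                                  # extensions: empty (kept minimal)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def offered_cipher_suites(record: bytes) -> list:
    """Parse the cipher_suites vector out of a single ClientHello TLS record, with bounds checks."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) != rec_len or len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("record does not carry a complete ClientHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello body")
    pos = 2 + 32                                         # skip legacy_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                                   # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def describe_offer(record: bytes):
    """Return (known_names, unknown_hex_codes) for the non-GREASE suites a client offered."""
    names, unknown = [], []
    for code in offered_cipher_suites(record):
        if is_grease(code):
            continue                                     # placeholder values are not real offers
        if code in IANA_SUITES:
            names.append(IANA_SUITES[code])
        else:
            unknown.append(f"0x{code:04X}")
    return names, unknown


# Constructed sample: a client offering a GREASE value, two TLS 1.3 suites,
# one ECDHE/RSA suite, one legacy CBC suite and the renegotiation SCSV.
SAMPLE_CLIENT_HELLO = build_client_hello([0x2A2A, 0x1301, 0x1302, 0xC030, 0x002F, 0x00FF])

if __name__ == "__main__":
    known, unknown = describe_offer(SAMPLE_CLIENT_HELLO)
    for name in known:
        print(name)
    if unknown:
        print("unmapped code points:", ", ".join(unknown))
```

Feeding a real capture through `offered_cipher_suites` gives the same list a server sees before it chooses, so a defender can log or alert on clients that still offer RC4, 3DES or CBC-only suites without having to decrypt anything.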

Cipher suites are identified by IANA-assigned names and numeric codes, conventionally written like TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Older suites (e.g., TLS_RSA_WITH_AES_128_CBC_SHA) are deprecated due to vulnerabilities like padding oracle attacks. TLS 1.3 simplified the cipher suite concept by removing static RSA and CBC modes, focusing exclusively on AEAD ciphers and requiring forward secrecy. The selection of a cipher suite is critical to the overall security of a TLS connection, as weak or outdated algorithms can expose the session to attack.

Key facts

  • Cipher suites combine key exchange, authentication, encryption, and MAC algorithms.
  • TLS 1.3 reduces cipher suites to five, all using AEAD and forward secrecy.
  • Weak cipher suites like RC4 or DES are deprecated in modern TLS implementations.
  • The server selects the cipher suite during the TLS handshake from the client's list.
  • Pre-1.3 cipher suite names follow the pattern TLS_{KX}_{AUTH}_WITH_{ENC}_{MAC}; TLS 1.3 names (e.g., TLS_AES_128_GCM_SHA256) carry only the AEAD cipher and hash, because key exchange and authentication are negotiated separately.

How it works in practice

When a web browser connects to https://example.com, it might offer suites such as TLS_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. A server holding a certificate with an RSA key selects TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. The handshake then uses ECDHE for key exchange (providing forward secrecy), RSA for server authentication, and AES-256-GCM for encryption; because GCM is an AEAD mode, integrity protection is built into the cipher rather than supplied by a separate MAC, and the trailing SHA384 names the hash used in the handshake. This ensures confidentiality and integrity of all data exchanged.
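The selection step above, and the name pattern from the key facts, can be worked through in code. The following Python is an added example, not code from the glossary: it splits an IANA suite name into its key exchange, authentication, encryption and MAC/hash components (handling both the TLS_{KX}_{AUTH}_WITH_{ENC}_{MAC} form and the shorter TLS 1.3 form), flags the weaknesses the glossary names (RC4, DES, CBC padding oracles, static RSA without forward secrecy), and then performs a server-preference selection that refuses any mutually supported suite failing that policy. The policy thresholds, the `BROKEN_CIPHERS` set and the client/server lists are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed policy table for this example: cipher families treated as broken or null.
BROKEN_CIPHERS = {"RC4", "DES", "3DES", "NULL"}


@dataclass
class CipherSuite:
    name: str
    protocol: str          # "1.3" for TLS 1.3-style names, "<=1.2" otherwise
    key_exchange: str
    authentication: str
    encryption: str
    mac_or_hash: str

    @property
    def forward_secrecy(self) -> bool:
        # TLS 1.3 always uses ephemeral (EC)DHE; earlier versions only with ECDHE/DHE suites.
        return self.protocol == "1.3" or self.key_exchange in {"ECDHE", "DHE"}

    @property
    def aead(self) -> bool:
        return any(tag in self.encryption for tag in ("GCM", "CCM", "POLY1305"))


def parse_suite_name(name: str) -> CipherSuite:
    """Split an IANA cipher suite name into its components."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA cipher suite name: {name}")
    rest = name[len("TLS_"):]
    if "_WITH_" in rest:
        # TLS_{KX}_{AUTH}_WITH_{ENC}_{MAC}; a single token before WITH (e.g. TLS_RSA_WITH_...)
        # means static RSA key exchange authenticated by the same RSA key.
        kx_auth, enc_mac = rest.split("_WITH_", 1)
        kx_parts = kx_auth.split("_")
        kx = kx_parts[0]
        auth = kx_parts[1] if len(kx_parts) > 1 else kx_parts[0]
        enc, mac = enc_mac.rsplit("_", 1)      # last token is the MAC/PRF hash (SHA, SHA256, MD5, ...)
        return CipherSuite(name, "<=1.2", kx, auth, enc, mac)
    # TLS 1.3 names carry only the AEAD cipher and the HKDF hash;
    # key exchange and authentication are negotiated through extensions.
    enc, hash_ = rest.rsplit("_", 1)
    return CipherSuite(name, "1.3", "negotiated", "negotiated", enc, hash_)


def weaknesses(suite: CipherSuite) -> list:
    """Return the policy reasons a defender would reject this suite (empty list = acceptable)."""
    reasons = []
    if "EXPORT" in suite.name:
        reasons.append("export-grade key sizes")
    if suite.encryption.split("_")[0] in BROKEN_CIPHERS:
        reasons.append(f"broken or null cipher: {suite.encryption}")
    if "CBC" in suite.encryption:
        reasons.append("CBC mode (padding-oracle history)")
    if suite.mac_or_hash == "MD5":
        reasons.append("MD5 MAC")
    if suite.authentication == "anon":
        reasons.append("anonymous (unauthenticated) key exchange")
    if not suite.forward_secrecy:
        reasons.append(f"no forward secrecy ({suite.key_exchange} key exchange)")
    return reasons


def select_suite(client_offer, server_preference):
    """Server-preference negotiation: first server-preferred suite the client also offered
    and that passes the weakness policy; None means the handshake should fail."""
    offered = set(client_offer)
    for name in server_preference:
        if name in offered and not weaknesses(parse_suite_name(name)):
            return name
    return None


# Constructed offer/preference lists modelled on the browser example in the text.
CLIENT_OFFER = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
SERVER_PREFERENCE_RSA_CERT = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for name in CLIENT_OFFER:
        s = parse_suite_name(name)
        print(f"{name}: kx={s.key_exchange} auth={s.authentication} enc={s.encryption} "
              f"hash={s.mac_or_hash} fs={s.forward_secrecy} aead={s.aead} issues={weaknesses(s)}")
    print("selected:", select_suite(CLIENT_OFFER, SERVER_PREFERENCE_RSA_CERT))
```

Note that the server list here still contains the legacy CBC suite, as many real configurations do; the policy check is what keeps it from being chosen, and a client that offers only such suites gets no connection rather than a weak one.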

Related terms

  • TLS handshake
  • Key exchange
  • Authenticated encryption with associated data (AEAD)
  • Forward secrecy
  • IANA cipher suite registry
  • Public key certificate

