Cipher suites are instructions on how to secure a network through SSL (Secure Sockets Layer) or TLS (Transport Layer Security). Cipher suites provide essential information on how to communicate secure data when using HTTPS, FTPS, SMTP and other network protocols. This information takes the form of algorithms and protocols that help determine how a web server secures a client’s web traffic. Cipher suites dictate which of these algorithms the server should use to make a secure and reliable connection. Cipher suites don’t just ensure the security, but also the compatibility and performance of HTTPS connections.
How do cipher suites work?
Cipher suites come into play before a client application and server exchange information over an SSL/TLS connection. The client application initiates what is known as an SSL handshake. Part of that process involves notifying the server which cipher suites it supports. The server receives that information and compares the cipher suites supported by the client application with the algorithms it supports. When it finds a match of supported methods, the server notifies the client application, and a secure connection is established. If it doesn’t find a match, the server refuses the connection.
Because your web server will ultimately determine the cipher suite that will be used, it’s important you prioritize the list of cipher suites you list on the server.
4 components of a cipher suite
Key exchange algorithm
For the insurance of data confidentiality during the transmission of data via different secure file transfer protocols like SFTP & HTTPS, the data must be encrypted. This process requires that the two communicating parties have a shared key to both encrypt as well as decrypt the data. This type of encryption scheme is known as symmetric encryption.
Symmetric encryption does have its weaknesses, however. If attackers are able to get the shared key, then they can easily decrypt all the data. As a result, the industry developed key exchange protocols for the secure exchange of symmetric keys over insecure networks. These protocols are known as key exchange algorithms and include RSA, DH, ECDH and ECDHE.
Authentication algorithm
To ensure the correct and secure transfer of data, a web server needs to verify the identity of the user who is receiving the data. Usually, this process involves the user inputting a set of credentials including a username and password. To facilitate this authentication process, cipher suites employ an authentication algorithm such as RSA, DSA and ECDSA.
Bulk data encryption
To ensure the secure transfer of data, cipher suites come with a bulk data encryption algorithm. AES, 3DES and CAMELLA are some of the most common algorithms in this category. As noted by Microsoft, a bulk encryption key is generated by hashing one of the MAC keys using CryptHashSessionKey together with the message contents and other data.
Message Authentication Code (MAC) algorithm
Message Authentication Code (MAC) algorithm is a piece of information that is sent along with the message content for the purpose of authenticating the message. The sender and the receiver share a common key for the MAC algorithm to work. But this method comes with a disadvantage: it can’t protect against the intentional change of authentication codes. In certain cases, an intruder could change the message, then calculate a new checksum and eventually replace the original checksum with a new value. An ordinary cyclic redundancy check (CRC) algorithm can help, but it’s useful for detecting only randomly damaged parts of messages and not intentional changes made by the attacker. Some of the most common examples of this algorithm are SHA and MD5.
What are the weaknesses of cipher suites?
Several network-level vulnerabilities have emerged in the past. Among them were SSL/TLS-based vulnerabilities like Heartbleed and POODLE. To mitigate these vulnerabilities, organizations should use different versions of available cipher suites or disable the acceptance of vulnerable suites. For example, to defend against POODLE, SSLv3 needs to be disabled. Disabling cipher suites can sometimes result in compatibility issues, but JSCAPE points out that most of the major web browsers update their cipher suites following the release of an SSL/TLS-based vulnerability anyway. Organizations should therefore advise web users to install the latest software patches in order to avoid compatibility issues.
Learn more about machine identity security, and how it can benefit your organization!
