When we talk about a secure connection handshake between a client host and a server, several things happen before the secure connection is established. As part of the handshake, when the client initiates a connection it sends, along with the "Hello" message, a list of cipher suites that it can support. In this article, let's understand what a TLS cipher suite is, what it offers and what it does.
A cipher suite is a set of algorithms that help secure a network connection that uses Transport Layer Security (TLS). In short, it lays the foundation for the secure connection between 2 systems. The set of algorithms that a cipher suite usually contains includes:
- Key Exchange Algorithm,
- Bulk Encryption Algorithm,
- Authentication Algorithm and
- Message Authentication Code (MAC) Algorithm
Let us look at each of the above in detail.
Protocol - TLS 1.2, TLS 1.1, TLS 1.0, SSL v3, SSL v2
Key Exchange Algorithm
It is used to exchange a key between two systems, which is then used to encrypt and decrypt the messages sent between the two machines. Popular key exchange algorithms are:
- ECDH (Elliptic Curve Diffie-Hellman)
Bulk Encryption Algorithm / Ciphers
It is used to encrypt the data being sent. A few of the most commonly used ones are:
- AES (Advanced Encryption Standard)
- Triple DES
- DES (Data Encryption Standard)
Authentication Algorithm
It helps authenticate the server and/or the client. Below are the authentication algorithms:
- RSA (Rivest-Shamir-Adleman)
- DSA (Digital Signature Algorithm)
Message Authentication Code (MAC) Algorithm
It provides data integrity checks to ensure that the data sent does not change in transit.
- SHA (Secure Hash Algorithm)
- MD5 (Message Digest Algorithm)
Let us now try to understand a sample cipher suite, "TLS-ECDHE-RSA-AES128-GCM-SHA256":
Protocol - TLS
Key Exchange - ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)
Authentication - RSA
Cipher - AES128_GCM (Advanced Encryption Standard with 128 bits, in the Galois/Counter block cipher mode of operation, to provide information security)
MAC - SHA256
As we know, a TLS session has 2 parts:
Asymmetric Cryptography - exchange of public keys between two systems
Symmetric Cryptography - use of same key to encrypt plain text and decrypt the cipher text
- ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) denotes the asymmetric portion of the TLS session.
- The RSA portion denotes the signing algorithm used to authenticate the key exchange, and this is also performed using asymmetric cryptography.
- In the handshake process, we know that the client host generates the pre-master secret and shares it with the server host.
- This pre-master secret, from which the symmetric key used for data encryption/decryption is generated, is encrypted using the asymmetric key and sent to the server, which then decrypts it to get the symmetric key.
- Asymmetric cryptography is very slow, and we don't want to use it for data encryption. That is why the symmetric key exchange described above takes place. Using the same key to encrypt and decrypt is called symmetric cryptography.
- The process described above is based on the cipher, which is denoted here as "AES128_GCM":
- AES is the symmetric algorithm
- 128 refers to the key size
- GCM refers to the block cipher mode of operation
- The encryption mode of operation provides integrity for the data being encrypted; however, one needs to ensure that the public key handshake itself is not tampered with either. This is where the hash function negotiated in the cipher suite (MAC), "SHA256", is used. Every single piece of the handshake is hashed, and the final hash is transmitted to the server host along with the encrypted pre-master secret. The server then verifies this hash to ensure that all the data that was meant to be sent was received.
This is how the pieces are put together to enable a secure mode of communication based on the agreed cipher suite.
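As an added example (not code from the original article), the following Python code splits a suite name written in the hyphenated notation used above into the components just described, and flags the algorithms from the article's lists that are considered weak today. The token sets, the `3DES` spelling of Triple DES, the function names and the second sample name are assumptions made for illustration.

```python
import re

# Tokens from the article's lists; DHE, ECDSA and CBC are added as assumptions.
KEY_EXCHANGES = {"ECDHE", "ECDH", "DHE", "RSA"}
AUTHS = {"RSA", "DSA", "ECDSA"}
MODES = {"GCM", "CBC"}
# Algorithms from the article's lists that are considered weak today.
WEAK = {"DES": "56-bit key", "3DES": "64-bit block", "MD5": "practical collisions"}


def parse_suite(name):
    """Split PROTOCOL-KX[-AUTH]-CIPHER[-MODE]-HASH into named parts."""
    parts = name.upper().split("-")
    if len(parts) < 4 or parts[0] not in ("TLS", "SSL"):
        raise ValueError(f"unrecognised suite name: {name!r}")
    protocol, kx, rest = parts[0], parts[1], parts[2:]
    if kx not in KEY_EXCHANGES:
        raise ValueError(f"unknown key exchange: {kx!r}")
    if rest[0] in AUTHS:
        auth = rest.pop(0)
    elif kx == "RSA":
        auth = "RSA"  # a lone RSA covers both key exchange and authentication
    else:
        raise ValueError(f"no authentication algorithm in {name!r}")
    if len(rest) < 2:
        raise ValueError(f"missing cipher or hash in {name!r}")
    mac = rest.pop()  # last token is the hash / MAC
    mode = rest.pop() if rest[-1] in MODES else None
    m = re.fullmatch(r"([A-Z0-9]*?[A-Z])(\d+)?", "".join(rest))
    if not m:
        raise ValueError(f"missing cipher in {name!r}")
    bits = int(m.group(2)) if m.group(2) else None
    return {"protocol": protocol, "key_exchange": kx, "authentication": auth,
            "cipher": m.group(1), "key_bits": bits, "mode": mode, "mac": mac}


def audit(name):
    """Return findings a defender would raise when reviewing this suite."""
    s = parse_suite(name)
    findings = [f"{alg}: {why}" for alg, why in WEAK.items()
                if alg in (s["cipher"], s["mac"])]
    if s["key_exchange"] not in ("ECDHE", "DHE"):
        findings.append(f"{s['key_exchange']} key exchange: no forward secrecy")
    return findings


if __name__ == "__main__":
    # First name is the article's sample; the second is constructed.
    for n in ("TLS-ECDHE-RSA-AES128-GCM-SHA256", "TLS-RSA-3DES-CBC-MD5"):
        print(n, parse_suite(n), audit(n))
```

In the constructed second name, RSA alone does the key exchange: the client encrypts the pre-master secret to the server's public key, which is the flow the bullet points above describe, whereas with ECDHE both sides derive the secret from ephemeral key pairs.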