Cipher Selection Rules

  • The user can select any number of ciphers (up to 99, if available) using the ANY, TLS12 and TLS13 fields. Although the list can accommodate 99 lines, currently the number of available cipher suites is 35 before filtration and selection. The 35 consist of 2 TLS13, 28 TLS12, and 5 pre-TLS12 (deprecated) cipher suites.
  • To manually select ciphers, all Selection fields (ANY, TLS12 and TLS13) must be blank.
  • If any Selection field is not blank, then the selected ciphers are set and ordered automatically based on the Sorting & Filtering settings.
  • If a larger number is entered in a Selection field than the available cipher suites for that type, then the number will be reduced to the number of filtered and available ciphers of that type. For example: if we have entered 99 in the ANY field but we only have 30 filtered and available ciphers then 99 will be reduced to 30 after pressing the Enter key. Likewise for TLS12 and TLS13.
  • If all the Selection fields have numbers in them, then the list is first populated with the requested number of TLS12 and TLS13 ciphers and then any remaining slots (ANY – (TLS12 + TLS13)) will be populated with any remaining available cipher suites. For example, if the user enters 10 into the ANY field, 5 into the TLS12 field, and 5 into the TLS13 field, and presses Enter, then the TLS12 field will remain at 5 (since there are 5 or more available TLS12 cipher suites), the TLS13 field will be reduced to 2 (since there are only 2 available TLS13 cipher suites) and the ANY field is reduced from 10 to 3 (10 – (5 + 2) = 3). As a result, 10 ciphers suites will be selected: 5 TLS12, 2 TLS13, and 3 any available ciphers.
  • If there are no remaining available cipher suites, then the ANY field will be blanked out. For example, if panel P126 enables only TLS13, and in panel P141 the user enters 10 in ANY, nothing in TLS12 (because TLS12 is disabled), 2 in TLS13, and P in Cipher Filtering, then when Enter is pressed the ANY field is blanked out, because all of the remaining ciphers were filtered out and none are left to fill it.
  • The order of selection and listing depends on the Cipher Sorting field.
  • Already selected ciphers will be available on the panel until new numbers are entered into Selection fields.
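The selection arithmetic described in the rules above, modeled in Python as an added illustration (this is not code from the Connect:Direct product; the field names, the per-type count dictionary and the handling of the case where ANY is smaller than TLS12 + TLS13 are assumptions):

```python
# Constructed model of the panel P141 selection rules.  A field holds an
# int, or None when blank.  Cipher suites are counted per type after the
# Sorting & Filtering step, e.g. {"TLS13": 2, "TLS12": 28, "PRE_TLS12": 5}
# (the 35 suites the documentation lists before filtering).

MAX_SLOTS = 99  # the list can accommodate 99 lines


def apply_selection(any_, tls12, tls13, available):
    """Return the field values as the panel would show them after Enter."""
    total = sum(available.values())

    # All Selection fields blank means ciphers are being selected manually.
    if any_ is None and tls12 is None and tls13 is None:
        return {"ANY": None, "TLS12": None, "TLS13": None, "manual": True}

    # A field larger than the filtered, available suites of its type is
    # reduced to that number (99 in ANY with 30 available becomes 30).
    def cap(value, limit):
        return None if value is None else min(value, MAX_SLOTS, limit)

    tls12 = cap(tls12, available.get("TLS12", 0))
    tls13 = cap(tls13, available.get("TLS13", 0))
    any_ = cap(any_, total)

    if any_ is not None:
        # TLS12 and TLS13 are filled first; ANY keeps only the remaining
        # slots, ANY - (TLS12 + TLS13), drawn from whatever suites are left.
        taken = (tls12 or 0) + (tls13 or 0)
        remaining_available = total - taken
        remaining_slots = any_ - taken
        # Blanked out when no suites remain to fill it.  Treating a
        # non-positive slot count the same way is an assumption.
        if remaining_available <= 0 or remaining_slots <= 0:
            any_ = None
        else:
            any_ = min(remaining_slots, remaining_available)

    return {"ANY": any_, "TLS12": tls12, "TLS13": tls13, "manual": False}


def total_selected(fields):
    """Number of cipher suites the resulting field values select."""
    return sum(v for k, v in fields.items() if k != "manual" and v is not None)
```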
Understanding Cipher Suite Strength:
A cipher suite is a combination of the following components:
  • Key exchange algorithms, such as RSA, DH, ECDH, DHE, ECDHE, or PSK
  • Authentication/Digital Signature Algorithm, like RSA, ECDSA, or DSA
  • Bulk encryption algorithms, like AES, CHACHA20, Camellia, or ARIA
  • Message Authentication Code algorithms, such as SHA-256 or POLY1305
  • In Connect:Direct, each cipher name carries an SSL or TLS prefix to distinguish SSL ciphers from TLS ciphers.
For a better understanding, refer to the breakdown of a Connect:Direct cipher name below:
Prefix   Key Exchange   Authentication   Cipher (Algorithm, Strength, Mode)   Hash or MAC
TLS      ECDHE          RSA_WITH         AES_128_GCM                          SHA256

Reading from left to right: TLS is the prefix that identifies whether the cipher is a TLS cipher or an SSL cipher. ECDHE indicates that keys are exchanged during the handshake using ephemeral Elliptic Curve Diffie-Hellman. RSA (Rivest–Shamir–Adleman) is the authentication algorithm. AES_128_GCM is the bulk encryption algorithm: AES in Galois/Counter Mode with a 128-bit key. Finally, SHA256 is the hash algorithm.

Cipher strength depends on the following:
  • Key exchange – RSA is weaker than Elliptic Curve Diffie-Hellman (ECDH) key exchange.
  • Authentication – RSA is weaker than ECDSA (Elliptic Curve Digital Signature Algorithm).
  • Cipher algorithm – AES-GCM is a more secure cipher than AES-CBC. AES-CBC XORs each block with the previous block, so blocks cannot be encrypted in parallel; this serial encryption and the mathematics involved also affect performance.
  • Hash or MAC – a larger hash size is stronger.
Taken together, these criteria determine how the cipher sorting orders cipher suites by strength.