Cipher Suites Overview
A cipher suite is a named combination of key exchange, authentication, encryption, and message authentication code (MAC) algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) network protocol.
The structure and use of the cipher suite concept are defined in the documents that define the protocol (RFC 5246 standard for TLS version 1.2). A reference for named cipher suites is provided in RFC 2434, the TLS Cipher Suite Registry.
When a TLS connection is established, a handshake, known as the TLS Handshake Protocol, occurs. Within this handshake, a client hello (ClientHello) message and a server hello (ServerHello) message are exchanged. (RFC 5246, p. 37) First, the client sends a cipher suite list, a list of the cipher suites that it supports, in order of preference. Then the server replies with the cipher suite that it has selected from the client cipher suite list. (RFC 5246, p. 40) To test which TLS ciphers a server supports, an SSL/TLS scanner may be used.
Each named cipher suite defines a key exchange algorithm, an authentication method, a bulk encryption algorithm, a message authentication code (MAC) algorithm, and a pseudo-random function (PRF). (RFC 5246, p. 40)
The key exchange algorithm is used to determine how the symmetric key used for bulk encryption is generated and shared between client and server.
The authentication method determines if and how the client and server authenticate during the handshake. (RFC 5246, p. 47)
The bulk encryption algorithm is used to encrypt the message stream. It also includes the key size and the lengths of explicit and implicit initialization vectors (cryptographic nonces). (RFC 5246, p. 17)
The message authentication code (MAC) algorithm is used to create the message digest, a cryptographic hash of each block of the message stream. (RFC 5246, p. 17)
The pseudo-random function (PRF) is used to create the master secret, a 48-byte secret shared between the two peers in the connection. The master secret is used as a source of entropy when creating session keys, such as the one used to create the MAC. (RFC 5246, p. 16-17, 26)
Perfect Forward Secrecy (PFS) is supported by Alteon and is enforced automatically once an ephemeral cipher (DHE or ECDHE) is chosen during the SSL handshake.
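The suite components and the selection step described above, as an added Python example (not Alteon or RFC code): it splits IANA-style TLS 1.2 suite names into key exchange, authentication, bulk cipher, MAC and PRF hash, flags ephemeral (DHE/ECDHE) suites, and picks a suite from a client offer. The suite lists are constructed samples, `require_pfs` is a hypothetical parameter, honoring the client's preference order is an assumption, and export, CCM and TLS 1.3 names are rejected as out of scope.

```python
from typing import Iterable, NamedTuple, Optional

class Suite(NamedTuple):
    key_exchange: str
    authentication: str
    bulk_cipher: str
    mac: str
    prf_hash: str
    forward_secrecy: bool

def parse_suite(name: str) -> Suite:
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>_<hash> into its components."""
    if not name.startswith("TLS_") or "_WITH_" not in name or "EXPORT" in name:
        raise ValueError(f"unsupported suite name: {name}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    kx, _, auth = left.partition("_")
    auth = auth or kx  # TLS_RSA_...: RSA is both key exchange and authentication
    cipher, _, digest = right.rpartition("_")
    if digest not in ("MD5", "SHA", "SHA256", "SHA384") or not cipher:
        raise ValueError(f"unsupported suite name: {name}")
    if cipher.endswith(("GCM", "CHACHA20_POLY1305")):
        # AEAD cipher: no separate MAC, the trailing hash names the PRF only
        mac, prf = "AEAD", digest
    else:
        # MD5/SHA-1 MAC suites negotiated under TLS 1.2 use the SHA-256 PRF
        mac = "HMAC-" + digest
        prf = digest if digest in ("SHA256", "SHA384") else "SHA256"
    # Forward secrecy follows from an ephemeral key exchange (DHE or ECDHE)
    return Suite(kx, auth, cipher, mac, prf, kx in ("DHE", "ECDHE"))

def select_suite(client_offer: Iterable[str], server_supported: set,
                 require_pfs: bool = False) -> Optional[str]:
    """Return the first client-preferred suite the server accepts, else None."""
    for name in client_offer:
        pfs_ok = not require_pfs or parse_suite(name).forward_secrecy
        if name in server_supported and pfs_ok:
            return name
    return None

# Constructed sample data: a ClientHello offer in preference order, a server set
CLIENT_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
SERVER_SUPPORTED = {"TLS_RSA_WITH_AES_128_CBC_SHA",
                    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"}
```

Running `parse_suite` over a scanner's list of accepted suites shows at a glance which ones lack forward secrecy or still rely on an MD5 or SHA-1 MAC.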
The following terms are used when defining ciphers and cipher suites in the lists and tables below:
*AES—Advanced Encryption Standard
*DES—Data Encryption Standard
*DSS—Digital Signature Standard
*MD5—Message Digest algorithm
*RC2, RC4—Rivest encryption
*RSA—Rivest-Shamir-Adleman encryption
*SHA—Secure Hash algorithm
*3DES—DES applied three times
*EC—Elliptic Curve