Cipher Suites

A cipher suite is a set of cryptographic algorithms. Cipher suites come into play before a client application and server exchange information over an TLS connection. The client application initiates what is known as an SSL/TLS handshake. Part of that process involves notifying the server which cipher suites it supports. The server receives that information and compares the cipher suites supported by the client application with the algorithms it supports. If and when it finds a match of supported methods, the server notifies the client application and a secure connection is established. If it doesn’t find a match, the server refuses the connection.

A cipher suite specifies one algorithm for each of the following tasks:

• Key exchange: Key exchange algorithms protect information required to create shared keys. These algorithms are asymmetric (public key algorithms) and perform well for relatively small amounts of data.
• Bulk encryption: Bulk encryption algorithms encrypt messages exchanged between clients and servers. These algorithms are symmetric and perform well for large amounts of data.
• Message authentication: Message authentication algorithms generate message hashes and signatures that ensure the integrity of a message.
• Authentication Algorithm: To ensure the correct and secure transfer of data, a web server needs to verify the identity of the user who is receiving the data. Usually, this process involves the user inputting a set of credentials including a username and password. To facilitate this authentication process, cipher suites employ an authentication algorithm such as RSA, DSA and ECDSA.

Weaknesses Related to Cipher Suites

Several network-level vulnerabilities have emerged in the past. Among them were SSL/TLS-based vulnerabilities like Heartbleed and POODLE. To mitigate these vulnerabilities, organizations should use different versions of available cipher suites or disable the acceptance of vulnerable suites. For example, to defend against POODLE, SSLv3 needs to be disabled. Disabling cipher suites can sometimes result in compatibility issues, but JSCAPE points out that most of the major web browsers update their cipher suites following the release of an SSL/TLS-based vulnerability anyway. Organizations should therefore advise web users to install the latest software patches in order to avoid compatibility issues.