TLS and Cipher Suites

The content on this page is based on the RFCs for TLS 1.2 and TLS 1.3, RFC 5246 and RFC 8446 respectively. In addition, Cloudflare has great guides to TLS.

Warning: TLS 1.1 and below have been deprecated since 2020.

The Concepts

Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), is a protocol for secure network communication and is most frequently known through its use in HTTPS. The goal of TLS is to achieve both integrity and confidentiality of the transmitted information between a client and a server.

TLS begins with a handshake; once the handshake is complete, the connection is considered secure for information exchange. Because of this, TLS establishes a stateful connection.

The handshake utilizes both asymmetric and symmetric cryptography. The asymmetric keys are the public-private key-pair of the X.509v3 certificate which the server presents to the client.

By using this certificate, the client can authenticate the server. By verifying whether the certificate has been signed by a trusted Certificate Authority (CA), the trust of the CA is extended to the server. If the client also has a certificate, the server may verify the identity of the client as well in a similar manner.

Note: TLS uses negotiation between the client and the server to decide on both the TLS version and the cipher suites to use. Because of this, the list of cipher suites which the server offers is a trade-off between availability on one side and confidentiality and integrity on the other.

Cipher Suites

Cipher suites are made up of several components:

  • Key Exchange Algorithm: How the symmetric keys will be exchanged

  • Authentication Algorithm: How the authentication of the server and optionally the client will be performed

  • Data Encryption Algorithm: How the symmetric key will be used to encrypt the data

  • Message Authentication Algorithm: How the connection will perform integrity checks

Examples of cryptographic algorithms and their use cases:

Key Exchange   Authentication   Data Encryption   Message Authentication
RSA            RSA              AES               MD5
DH             ECDSA            ChaCha20          SHA256
ECDH           PSK              DES               POLY1305

Cryptographic algorithms by type:

  • Symmetric Block Ciphers: DES, AES

  • Symmetric Stream Ciphers: ChaCha20, RC4

  • Asymmetric Ciphers: RSA, DSA, DH, ECDH

  • Block cipher mode of operation

    • "A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block"

    • AES encrypts blocks of 128 bits using a key of length 128, 192 or 256 bits, while DES encrypts blocks of 64 bits. Stream ciphers, on the other hand, encrypt bit by bit.

    • "Block cipher modes of operation have been developed to eliminate the chance of encrypting identical blocks of text the same way"

    • CBC

    • Authenticated encryption (AE)

      • A combination of MAC and Encryption.

      • Authenticated Encryption with Associated Data (AEAD)

      • GCM and CCM

  • A note on insecure ciphers

Example of cipher suites:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
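
The suite names above can be split back into the four components described earlier. The following is an added example, not code from the RFCs or from any TLS library: a small parser for OpenSSL-style TLS 1.2 names of the form KX-AUTH-CIPHER[-MODE][-HASH]. The function name parse_suite, the token sets, and the extra CBC sample name are assumptions made for illustration.

```python
# Added example: decompose OpenSSL-style TLS 1.2 cipher suite names.
KEY_EXCHANGE = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "PSK"}
AUTHENTICATION = {"RSA", "ECDSA", "PSK"}
AEAD_TOKENS = {"GCM", "CCM", "POLY1305"}  # authenticated-encryption constructions


def parse_suite(name):
    """Parse KX-AUTH-CIPHER[-MODE][-HASH] into the four suite components."""
    parts = name.split("-")
    if (len(parts) < 4 or parts[0] not in KEY_EXCHANGE
            or parts[1] not in AUTHENTICATION):
        # Covers TLS 1.3 names and names with an implicit key exchange.
        raise ValueError(f"unsupported suite name: {name!r}")
    kx, auth, cipher, *rest = parts
    aead = [t for t in rest if t in AEAD_TOKENS]
    hashes = [t for t in rest if t.startswith("SHA")]
    if len(aead) > 1 or len(hashes) > 1 or len(aead) + len(hashes) != len(rest):
        raise ValueError(f"unrecognised token in {name!r}")
    digest = hashes[0] if hashes else None
    if aead:
        # AEAD: the cipher authenticates each record itself; a trailing hash
        # is the handshake PRF hash, not a per-record MAC.
        encryption = cipher if aead[0] == "POLY1305" else f"{cipher}-{aead[0]}"
        integrity = f"{aead[0]} (AEAD)"
    else:
        # Assumption: names without a mode token are CBC suites and the
        # trailing hash names the HMAC ("SHA" alone means SHA-1).
        encryption = f"{cipher}-CBC"
        integrity = "HMAC-" + ("SHA1" if digest == "SHA" else digest)
    return {"key_exchange": kx, "authentication": auth,
            "encryption": encryption, "integrity": integrity,
            "aead": bool(aead), "hash": digest}


if __name__ == "__main__":
    # The eight suites listed on this page, plus one constructed CBC sample.
    suites = """ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305
    DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384
    ECDHE-RSA-AES128-SHA256""".split()
    for s in suites:
        p = parse_suite(s)
        note = "" if p["aead"] else "  <- not AEAD (CBC + HMAC)"
        print(f"{s:32} {p['key_exchange']:6} {p['authentication']:6} "
              f"{p['encryption']:12} {p['integrity']}{note}")
```

Every suite listed on this page parses as AEAD; only the constructed CBC sample is reported as relying on a separate HMAC for integrity.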
