
A Quick Understanding of Cipher Suites

This article explains the structure of a cipher suite. A cipher suite is a description of a combination of cryptographic algorithms that a system supports, expects or proposes. The description includes a means to create and exchange asymmetric keys, the type of symmetric keys to use, and the hashing algorithm to use.

Here’s an example cipher suite from a web server:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

The name is made up of several key components. Here’s the breakdown:

TLS = The protocol the cipher suite applies to. It simply gives context.

DHE = The key generation and exchange method. Asymmetric cryptography.

RSA = The method to prove the identity of each party. Asymmetric cryptography.

WITH = A logical separator between the asymmetric and symmetric algorithms.

AES_128_CBC = The method of encryption between the parties. Symmetric cryptography.

SHA256 = The message digest/hash/MAC algorithm used to provide integrity. 

The above cipher suite should be considered OK to use, but there are better ones. Ideally, “CBC” is replaced by “GCM”. For example:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

In the above example, “ECDHE” means “Elliptic Curve Diffie–Hellman” and the final “E” means “Ephemeral”; in other words, it provides perfect forward secrecy (PFS, or just FS).

Let’s look at one more example:

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

The above has an obvious issue: it’s old and should not be used. It uses “3DES”, which has been discontinued for some time now; “CBC” is less ideal than “GCM”; and “SHA” should be replaced with at least “SHA256”.
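
As an added example (not code from the original article), the following Python code splits a suite name into the components described above and lists the article's objections that apply to it. It goes beyond the three suites shown by also accepting names with a single token before WITH and TLS 1.3 names without WITH; the function names and the non-ephemeral check, inferred from the note on ephemeral key exchange, are assumptions.

```python
# Added example: names and the accepted hash list are assumptions, not from the article.
HASHES = {"MD5", "SHA", "SHA256", "SHA384"}

def parse_suite(name):
    """Split a cipher suite name into the components the article describes."""
    proto, _, rest = name.partition("_")
    if proto != "TLS" or not rest:
        raise ValueError(f"not a TLS suite name: {name!r}")
    left, sep, right = rest.partition("_WITH_")
    if sep:
        kx_auth = left.split("_")
        # One token before WITH (e.g. RSA) covers both key exchange and identity.
        kx, auth = kx_auth[0], kx_auth[-1]
    else:
        # TLS 1.3 names carry only cipher and hash; the rest is negotiated separately.
        kx, auth, right = None, None, rest
    cipher, _, digest = right.rpartition("_")
    if not cipher or digest not in HASHES:
        raise ValueError(f"unrecognised cipher/hash in {name!r}")
    return {"protocol": proto, "key_exchange": kx, "authentication": auth,
            "cipher": cipher, "hash": digest}

def review(name):
    """Return the article's objections that apply to this suite (empty = none)."""
    s = parse_suite(name)
    parts = s["cipher"].split("_")
    notes = []
    if s["key_exchange"] is not None and s["key_exchange"] not in ("DHE", "ECDHE"):
        notes.append("key exchange is not ephemeral, so no forward secrecy")
    if "3DES" in parts:
        notes.append("3DES is discontinued")
    if "CBC" in parts:
        notes.append("CBC is less ideal than GCM")
    if s["hash"] == "SHA":
        notes.append("SHA should be at least SHA256")
    return notes

if __name__ == "__main__":
    # Constructed sample list: the article's three suites plus two other name shapes.
    for suite in ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
                  "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                  "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
                  "TLS_RSA_WITH_AES_128_CBC_SHA",
                  "TLS_AES_128_GCM_SHA256"):
        print(suite, parse_suite(suite), review(suite) or "no objections")
```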

You can test your web server from a Linux system using “nmap” by issuing the following command:

nmap -sV --script ssl-enum-ciphers -p 443 www.example.com

You can test your SSH server on a Linux system by issuing the following command:

nmap --script ssh2-enum-algos -sV -p 22 www.example.com

 
