#Windows Server

What is a cipher suite?


A cipher suite is a set of cryptographic algorithms used to secure network connections through protocols like TLS (Transport Layer Security) and SSL (Secure Sockets Layer). Cipher suites define how encryption, authentication, and integrity checks are performed between a client and a server.

Components of a Cipher Suite
A typical cipher suite consists of four main algorithms:

  1. Key Exchange Algorithm – Determines how the client and server securely exchange cryptographic keys (e.g., RSA, Diffie-Hellman (DH), Elliptic Curve Diffie-Hellman (ECDH)).
  2. Authentication Algorithm – Verifies the identity of the communicating parties (e.g., RSA, ECDSA).
  3. Encryption Algorithm – Encrypts the actual data (e.g., AES, ChaCha20).
  4. Message Authentication Code (MAC) Algorithm – Ensures data integrity (e.g., SHA-256, Poly1305).


Below are some strong cipher suites for TLS 1.3 and TLS 1.2.

TLS 1.3 Strong Ciphers (a TLS 1.3 suite name carries only the AEAD cipher and hash; key exchange and authentication are negotiated separately, and every TLS 1.3 handshake provides forward secrecy)
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256

TLS 1.2 Strong Ciphers
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_256_CCM_8
TLS_DHE_RSA_WITH_AES_256_CCM
TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384


# TLS 1.3 (suites in server-preferred order)
TLS_AES_256_GCM_SHA384 (0x1302) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH x25519 (eq. 3072 bits RSA) FS 256P
TLS_AES_128_GCM_SHA256 (0x1301) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_AES_128_CCM_8_SHA256 (0x1305) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_AES_128_CCM_SHA256 (0x1304) ECDH x25519 (eq. 3072 bits RSA) FS 128

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH secp256r1 (eq. 3072 bits RSA) FS 256P

# The following weak ciphers are allowed for backward compatibility on user request

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128


Below are some PowerShell commands to enable and disable cipher suites on Windows Server.

Disable a cipher suite
Disable-TlsCipherSuite -Name "TLS_RSA_WITH_3DES_EDE_CBC_SHA"

Enable a cipher suite
Enable-TlsCipherSuite -Name "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"

Enable a cipher suite as the lowest priority
Enable-TlsCipherSuite -Name "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" -Position 4294967295

Enable a cipher suite as the highest priority
Enable-TlsCipherSuite -Name "TLS_DHE_DSS_WITH_AES_256_CBC_SHA" -Position 0

To get all enabled cipher suites, run the following command in PowerShell
Get-TlsCipherSuite

To get the cipher suites whose name contains a given string, run
Get-TlsCipherSuite -Name "AES"
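An added example, not part of the original post, that ties the two halves together: it audits what this server has enabled by classifying each suite returned by Get-TlsCipherSuite according to the key exchange, cipher and MAC named in it (the components described above), lists the weak ones, and shows the Disable-TlsCipherSuite call with -WhatIf so nothing is removed before the report is reviewed. The $Allowed list and the classification rules are assumptions drawn from the strong-suite lists above; it assumes the TLS module on Windows Server 2012 R2 or later and an elevated session.

```powershell
# Added example, not from the original post: audit this server's enabled TLS cipher
# suites against the strong-suite list above and flag weak ones by the components in
# their names. Assumes the TLS module (Get-TlsCipherSuite, Disable-TlsCipherSuite) on
# Windows Server 2012 R2 or later, run from an elevated PowerShell session.

# Strong suites taken from the lists above: TLS 1.3 AEAD suites and the TLS 1.2
# ECDHE/DHE suites with GCM or ChaCha20-Poly1305 (assumed policy, adjust as needed).
$Allowed = @(
    'TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
)

function Test-CipherSuiteStrength {
    # Classify a suite by the key exchange, cipher and MAC named in it
    # (see "Components of a Cipher Suite" above). Weak = $true comes with a reason.
    param([Parameter(Mandatory)][string]$Name)
    $reason = switch -Regex ($Name) {
        'NULL|EXPORT|RC4|DES|MD5' { 'broken or obsolete algorithm (3DES matches DES)'; break }
        '^TLS_RSA_WITH_'          { 'static RSA key exchange, no forward secrecy'; break }
        '_CBC_'                   { 'CBC mode, not AEAD (padding-oracle history)'; break }
        default                   { $null }
    }
    [pscustomobject]@{ Name = $Name; Weak = [bool]$reason; Reason = $reason }
}

$enabled = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
$report  = $enabled | ForEach-Object { Test-CipherSuiteStrength -Name $_ }

"Enabled suites: $($enabled.Count)"
"Weak suites:"
$report | Where-Object Weak | Format-Table -AutoSize
"Enabled but outside the strong list:"
$enabled | Where-Object { $_ -notin $Allowed }

# Disable only the weak ones. -WhatIf shows what would change; remove it once the
# report has been reviewed and the change has been approved.
$report | Where-Object Weak | ForEach-Object { Disable-TlsCipherSuite -Name $_.Name -WhatIf }
```

Suites that are enabled but outside $Allowed (for example the CCM or ARIA variants listed earlier) are reported rather than disabled, since whether to keep them is a policy decision, not a strength verdict.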

