A cipher suite is a set of algorithms used within an SSL/TLS session to provide data integrity, authentication and confidentiality for communication between a client and a server.
Each cipher suite contains:
- Key Exchange algorithm – Used in the creation of a secret key which is used within the bulk encryption process. Also known as asymmetric encryption.
- Bulk Encryption algorithm – Used to encrypt data between the client and server. Also known as symmetric encryption or the cipher algorithm.
- Message Authentication algorithm – Provides a short piece of data used to authenticate a message. Also known as HMAC (Hashed Message Authentication Code).
Notes
A cipher suite names a key exchange algorithm, a bulk encryption algorithm, a message authentication code (MAC) algorithm, and a pseudorandom function (PRF).
Together these provide confidentiality, data integrity and authentication.
A cipher suite is a set of ciphers used in the privacy, authentication, and integrity of data passed between a server and client in an SSL session. Any given session uses one cipher, which is negotiated in the handshake. The components of the cipher are:
- Key Exchange Algorithm (RSA or DH) – symmetric (same key for encryption/decryption) or asymmetric (shared public key for encryption, protected private key for decryption)
- Authentication Algorithm (RSA or DSS. Note that with RSA, Key Exchange and Authentication are combined) – Used for authenticating the server and/or client. X.509 certificates in the case of SSL.
- Encryption Algorithm (DES, 3DES, AES, RC4) – Used to encrypt the message payload
- Message Authentication Code (MAC) Digest Algorithm (MD5, SHA-1) – Used for message integrity
A cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol.
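The components described above are visible in the suite's name itself. The following is an added example, not part of the original notes: a small parser that splits pre-TLS 1.3 suite names into key exchange, authentication, bulk cipher and MAC. The function name, the `Suite` type and the supported algorithm sets are assumptions made for the illustration.

```python
import re
from typing import NamedTuple

class Suite(NamedTuple):
    key_exchange: str
    authentication: str
    bulk_cipher: str
    mac: str  # "AEAD" when integrity comes from the cipher mode itself

# Assumed coverage: the algorithms named in these notes plus their EC variants.
KEY_EXCHANGES = {"RSA", "DH", "DHE", "ECDH", "ECDHE"}
AUTHS = {"RSA", "DSS", "ECDSA"}
HASHES = {"MD5", "SHA", "SHA256", "SHA384"}  # "SHA" in a suite name is SHA-1
AEAD_MARKERS = ("GCM", "CHACHA20_POLY1305")
_NAME = re.compile(r"^(?:TLS|SSL)_([A-Z0-9_]+)_WITH_([A-Z0-9_]+)$")

def parse_suite(name: str) -> Suite:
    """Split a pre-TLS 1.3 suite name into its four components."""
    m = _NAME.match(name)
    if not m:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) have no _WITH_ part:
        # they name only the cipher and hash, so they are rejected here.
        raise ValueError(f"unsupported suite name: {name}")
    left, right = m.group(1).split("_"), m.group(2).split("_")
    if len(left) == 1:
        kx = auth = left[0]  # e.g. RSA: key exchange and authentication combined
    elif len(left) == 2:
        kx, auth = left
    else:
        raise ValueError(f"unrecognised key exchange/authentication: {name}")
    if kx not in KEY_EXCHANGES or auth not in AUTHS:
        raise ValueError(f"unrecognised key exchange/authentication: {name}")
    if len(right) < 2 or right[-1] not in HASHES:
        raise ValueError(f"unrecognised cipher/MAC part: {name}")
    cipher = "_".join(right[:-1])
    # In AEAD suites the trailing hash is for the PRF, not a separate MAC.
    mac = "AEAD" if any(a in cipher for a in AEAD_MARKERS) else right[-1]
    return Suite(kx, auth, cipher, mac)

if __name__ == "__main__":
    for n in ("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
              "SSL_RSA_WITH_RC4_128_MD5", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"):
        print(n, "->", parse_suite(n))
```

Names outside the assumed sets, such as export or CCM suites, raise `ValueError` rather than being guessed at.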
Symmetric Encryption – The same key is used to encrypt and decrypt data.
Asymmetric Encryption – Uses a key pair whose keys work in (mathematical) conjunction with each other. One key is considered private and one is considered public. Data encrypted with one key can be decrypted with the corresponding key.
Uses much more CPU than symmetric encryption.
RSA is used to authenticate, and symmetric encryption is then used for bulk data.
DH uses an asymmetric algorithm; once done, it creates a shared secret key, i.e. a symmetric key.
Most traffic is encrypted/decrypted using symmetric algorithms such as AES.
Block encryption method – blocks of data, i.e. DES, 3DES, AES, IDEA, RC5, Blowfish
Stream encryption method – bits of data – 1 bit at a time.
Hashing – A one-way function to generate a hash of a set of data. Provides a method to ensure data integrity.
HMAC – Hashed Message Authentication Code. With a plain hash, an attacker who changes the data can rerun the hash. HMAC uses a key as part of generating the hash.
key escrow
Digital Signature – encryption of a hash of the data
Some devices do not have much CPU for crypto functions. ECC (Elliptic Curve Cryptography)
is used a lot for asymmetric encryption. It benefits from using a shorter key while still providing strong encryption.
Ephemeral Key – a key used for a short time, e.g. when a key and some offset are used together, i.e. a different key for each packet.