An SSL cipher, or an SSL cipher suite, is a set of algorithms or a set of instructions/steps that helps to establish a secure connection between two entities.

SSL cipher suites determine the method through which a secure connection will take place between both entities. This communication could be taking place through HTTPS, FTPS, SMTP, or other network protocols.

### How Does an SSL Cipher Suite Look?

To negotiate a secure communication, the client and the server need to come on terms with four crucial elements:

- Key exchange algorithm
- Bulk encryption algorithm
- Data encryption algorithm
- Hash function

This is an example of a cipher suite:

DHE_RSA_AES256_SHA256

- DHE: The first part is the key exchange algorithm.
- RSA: The second section is the authentication algorithm.
- AES256: The third section is the type of encryption algorithm used.
- SHA256: The fourth component is the type of hashing algorithm used.

### List of Recommended TLS 1.3 Cipher Suites

TLS 1.3, an upgraded version of TLS 1.2, brings a host of changes, including changes to the list of cipher suites. One of the most significant downsides of TLS 1.2 was the time it took to process the SSL/TLS handshake.

The biggest culprit behind this was the RSA algorithm, which uses large cryptographic keys to encrypt and decrypt the data. This resulted in increased computational overhead and latency.

The SSL cipher suite list has reduced dramatically from TLS 1.2 to TLS 1.3. Now, there are just five SSL cipher suites that are recommended:

- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_AES_128_CCM_8_SHA256
- TLS_AES_128_CCM_SHA256

### TLS 1.3 Cipher Suites

Although TLS 1.3 uses the same cipher suite space as previous versions of TLS, TLS 1.3 cipher suites are defined differently, only specifying the symmetric ciphers, and cannot be used for TLS 1.2. Similarly, TLS 1.2 and lower cipher suites cannot be used with TLS 1.3 (IETF TLS 1.3 draft 21).

- There are 5 TLS v1.3 ciphers and 37 recommended TLS v1.2 ciphers.
- TLS v1.3 has deprecated the RSA key exchange and all other static key exchange mechanisms.
- TLS v1.3 has a new bulk cipher, AEAD or Authenticated Encryption with Associated Data algorithm. The AEAD Cipher can encrypt and authenticate the communication.
- TLS v1.3 cipher suites are more compact than TLS v1.2 cipher suites.

### List of Approved TLS 1.2 Ciphers

- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

### Summary

Cipher suites are an integral part to the TLS Handshake, telling the client and server how to encrypt their information for the other to understand.

The TLS Handshake, which connects a client and server in a secure connection, is used every day to connect to websites, so ensuring it is the most secure it can be is extremely important.

Cipher suites are just one way to ensure safe and trusted connections. Code signing, proper certificate management, and secure SSH keys are all other secure connection methods that must also be implemented properly, to ensure the most secure connection to servers.

Related:

- Exploring SSL Certificate Chain with Examples
- Understanding X509 Certificate with Openssl Command
- OpenSSL Command to Generate View Check Certificate
- Converting CER CRT DER PEM PFX Certificate with Openssl
- SSL vs TLS and how to check TLS version in Linux
- Understanding SSH Key RSA DSA ECDSA ED25519
- Understanding server certificates with Examples