TLS CipherSuites determine which cryptographic algorithms are used for key exchange, encryption, and integrity. The article explains the structure of cipher suites, their security levels and why the right selection is crucial for secure TLS communication.
Secure internet communication today almost always relies on TLS (Transport Layer Security). The specific cryptographic algorithms used are defined by the so-called cipher suite. This article explains how cipher suites are structured, which security levels exist, and why they matter in practice.
A cipher suite is a combination of algorithms for key exchange, authentication, encryption, and integrity assurance.
An example is
ECDHE-RSA-AES256-GCM-SHA384
where:
Depending on the TLS version, cipher suite naming conventions differ slightly. The chosen cipher suite also determines the security level of the underlying algorithms and therefore the overall security of the transmitted data.
From today’s perspective, TLS 1.3 supports only secure algorithms and appropriate security levels. Earlier TLS versions, however, include cipher suites that are now considered insecure and should no longer be used. For example, the cipher suite TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 offers no meaningful security, even though TLS is technically in use.
An overview of secure cipher suites can be found at https://ciphersuite.info/
Using TLS alone does not automatically guarantee secure communication. Only the selection of appropriate cipher suites ensures that key exchange, encryption, and integrity protection meet the intended security requirements. Misconfigurations or support for outdated cipher suites can leave data vulnerable to practical attacks despite TLS being enabled.
A basic understanding of cipher suites is therefore essential for evaluating TLS configurations correctly, meeting security requirements, and avoiding unnecessary risks.
OpenSSL categorises cipher suites into different security levels. These range from SECLEVEL=1, offering approximately 80 bits of security, up to SECLEVEL=5, which corresponds to 256 bits of security. For most applications, SECLEVEL=3 with 128 bits of security is considered the recommended default.
Common cipher suites in TLS 1.3 include:
TLS 1.2 also supports secure combinations such as ECDHE-RSA-AES256-GCM-SHA384, provided they are explicitly configured and used correctly.
Conclusion: Choosing the right cipher suite is critical to securing communication. With the emergence of post-quantum cryptography, it will become increasingly important to use TLS cipher suites that integrate post-quantum-secure algorithms.
FortIT enables secure digital business, supporting companies with innovative digitalization projects and strategic initiatives. With deep expertise in modern technologies, FortIT delivers fast, visible results and lasting impact.
