101
0/240
Loading content...
When a TLS handshake begins, the client and server face an immediate challenge: they must agree on a common set of cryptographic algorithms before any secure communication can occur. This agreement process is called cipher negotiation, and it's far more complex and security-critical than it might initially appear.
Cipher negotiation determines everything about the connection's security:
A poor choice in cipher negotiation can undermine the entire security model. Using deprecated algorithms exposes connections to known attacks. Misconfigured servers might allow attackers to force weak ciphers through downgrade attacks. Understanding cipher negotiation is essential for anyone configuring secure systems.
This page provides a comprehensive examination of TLS cipher negotiation. You will understand cipher suite naming conventions, the negotiation protocol, security implications of different choices, TLS 1.2 vs 1.3 cipher differences, and best practices for secure configuration.
A cipher suite is a combination of cryptographic algorithms that together provide all the security functions needed for a TLS connection. Understanding cipher suite naming is essential for security configuration.
TLS 1.2 Cipher Suite Format:
TLS 1.2 cipher suites follow a specific naming pattern that describes all components:
TLS_[Key Exchange]_[Authentication]_WITH_[Encryption]_[MAC]
Let's dissect a concrete example:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| Component | Purpose | Examples | Security Implications |
|---|---|---|---|
| Key Exchange | Establish shared secret over insecure channel | RSA, DHE, ECDHE, PSK | ECDHE provides forward secrecy; RSA does not |
| Authentication | Verify server (and optionally client) identity | RSA, ECDSA, EdDSA | Must match certificate type; ECDSA more efficient |
| Encryption | Encrypt application data | AES-256, AES-128, ChaCha20 | AES-GCM preferred; ChaCha20 on mobile/embedded |
| Mode of Operation | How block cipher processes data | GCM, CBC, CCM | GCM is AEAD; CBC vulnerable to padding oracles |
| Message Authentication | Verify message integrity | HMAC-SHA256, GCM (built-in), Poly1305 | AEAD modes integrate authentication |
| PRF Hash (TLS 1.2) | Key derivation and Finished message | SHA256, SHA384 | Must be collision-resistant; SHA384 for higher security |
TLS 1.3 Cipher Suite Simplification:
TLS 1.3 dramatically simplified cipher suite naming by separating key exchange from the cipher specification. Key exchange is now negotiated via the supported_groups extension, and signature algorithms via the signature_algorithms extension.
TLS 1.3 cipher suites only specify:
TLS_[AEAD Algorithm]_[Hash Algorithm]
TLS 1.3 Cipher Suites:
TLS_AES_128_GCM_SHA256 — AES-128-GCM with SHA-256 HKDFTLS_AES_256_GCM_SHA384 — AES-256-GCM with SHA-384 HKDFTLS_CHACHA20_POLY1305_SHA256 — ChaCha20-Poly1305 with SHA-256 HKDFTLS_AES_128_CCM_SHA256 — AES-128-CCM with SHA-256 (constrained devices)TLS_AES_128_CCM_8_SHA256 — AES-128-CCM with 8-byte tag (IoT)TLS 1.2's cipher suite explosion (over 300 combinations) made configuration error-prone and analysis difficult. TLS 1.3's approach—only 5 cipher suites, all with mandatory forward secrecy and AEAD—eliminates entire classes of vulnerabilities. You can't misconfigure what doesn't exist.
Cipher negotiation occurs during the TLS handshake's Hello message exchange. The process is asymmetric: the client proposes, and the server chooses.
ClientHello Cipher Proposal:
The client includes an ordered list of cipher suites in its ClientHello message. This list typically contains:
Example ClientHello cipher_suites (TLS 1.2 client):
cipher_suites (12 suites)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
ServerHello Cipher Selection:
The server examines the client's list and selects ONE cipher suite that:
Selection Strategies:
Servers can use different selection strategies:
Client preference order: Select the first suite from the client's list that the server supports. This respects client preferences but can result in weaker security if clients are poorly configured.
Server preference order: Ignore client order; select the first suite from the SERVER's preference list that the client supports. This enforces server security policy.
Modern best practice: Server preference order with a carefully curated server list.
The cipher suite must be compatible with the server's certificate. An RSA certificate cannot be used with ECDHE_ECDSA suites. A server with only an RSA certificate must select an RSA authentication cipher suite, regardless of client preferences for ECDSA.
The key exchange algorithm determines how the client and server establish a shared secret over an insecure channel. This is perhaps the most security-critical component of the cipher suite.
RSA Key Exchange (Deprecated in TLS 1.3):
In RSA key exchange, the client generates a random pre-master secret, encrypts it with the server's public key (from the certificate), and sends it to the server. Only the server, possessing the private key, can decrypt it.
Critical Weakness: No forward secrecy. If the server's private key is ever compromised, all recorded sessions can be decrypted. This motivated TLS 1.3's removal of RSA key exchange.
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral):
The modern standard for key exchange. ECDHE uses elliptic curve mathematics to achieve the same security as DHE with much smaller key sizes:
| Curve | Security Level | Equivalent RSA | NIST Classification |
|---|---|---|---|
| X25519 | 128 bits | RSA-3072 | Not NIST-approved |
| P-256 (secp256r1) | 128 bits | RSA-3072 | NIST Suite B |
| P-384 (secp384r1) | 192 bits | RSA-7680 | NIST Suite B |
| P-521 (secp521r1) | 256 bits | RSA-15360 | NIST Suite B |
X25519 is the most widely deployed curve, designed by Daniel J. Bernstein. It offers excellent performance, constant-time implementations (resistance to timing attacks), and avoids potential weaknesses in NIST curves.
DHE (Finite Field Diffie-Hellman Ephemeral):
The classical Diffie-Hellman algorithm uses modular exponentiation. Still supported but generally slower than ECDHE and requires larger key sizes:
Prefer ECDHE when available. DHE remains a fallback for legacy systems.
In TLS 1.3, key exchange curves are negotiated via the supported_groups extension, separately from cipher suites. The client includes key shares for expected groups in ClientHello. If the server prefers a different group, it sends HelloRetryRequest. Modern configurations typically offer X25519 first, then P-256, covering virtually all servers.
Authentication in TLS serves a distinct purpose from key exchange: it proves the identity of the server (and optionally the client). The authentication algorithm must match the type of certificate deployed.
RSA Authentication:
The server's certificate contains an RSA public key. Authentication occurs through:
RSA Signature Schemes (TLS 1.3):
rsa_pkcs1_sha256 — PKCS#1 v1.5 with SHA-256 (legacy compatibility)rsa_pss_rsae_sha256 — RSA-PSS with SHA-256 (recommended)rsa_pss_pss_sha256 — RSA-PSS with PSS OID in certificateRSA-PSS (Probabilistic Signature Scheme) is preferred over PKCS#1 v1.5 due to stronger security proofs.
ECDSA (Elliptic Curve Digital Signature Algorithm):
The server's certificate contains an EC public key. ECDSA offers:
ECDSA Curves:
EdDSA (Edwards-Curve Digital Signature Algorithm):
The newest authentication algorithm, based on Edwards curves:
ed25519 — 128-bit security, constant-time by designed448 — 224-bit securityEdDSA offers deterministic signatures (no randomness needed), resistance to timing attacks, and simple, fast implementations. Ed25519 is gaining adoption in TLS 1.3.
Signature Scheme Selection (TLS 1.3):
Clients and servers communicate supported signature algorithms via the signature_algorithms extension. The intersection determines which can be used.
| Algorithm | Key Size (128-bit security) | Signature Size | Speed (Sign/Verify) | Notes |
|---|---|---|---|---|
| RSA (PKCS#1) | 3072 bits | 384 bytes | Slow/Fast | Universal support; large signatures |
| RSA-PSS | 3072 bits | 384 bytes | Slow/Fast | Stronger proofs than PKCS#1 |
| ECDSA P-256 | 256 bits | 64 bytes | Fast/Fast | Small signatures; widely deployed |
| ECDSA P-384 | 384 bits | 96 bytes | Medium/Medium | Higher security; government/financial |
| Ed25519 | 256 bits | 64 bytes | Very Fast/Very Fast | Deterministic; timing-resistant |
The authentication algorithm is constrained by the server's certificate. An ECDSA cipher suite requires an EC certificate. If you only have an RSA certificate, you cannot use ECDSA authentication, regardless of client preferences. Many sites now deploy dual certificates (RSA + ECDSA) to serve all clients optimally.
Once keys are established, the encryption algorithm protects all application data. Modern TLS exclusively uses AEAD (Authenticated Encryption with Associated Data) ciphers, which provide both confidentiality and integrity in a single operation.
Why AEAD?
Historically, encryption (confidentiality) and MAC (integrity) were separate operations:
This "MAC-then-Encrypt" or "Encrypt-then-MAC" approach created vulnerabilities:
AEAD ciphers integrate encryption and authentication into a single, atomic operation, eliminating these attack surfaces.
AES-GCM (Galois/Counter Mode):
The dominant AEAD cipher in TLS. Hardware acceleration (AES-NI) makes it extremely fast on modern processors.
Properties:
AES-GCM Operation:
Vulnerability: Nonce Reuse
If the same nonce is ever used twice with the same key, AES-GCM's security completely collapses:
TLS mitigates this by deriving unique nonces from the record sequence number, which is guaranteed to be unique and sequential.
ChaCha20-Poly1305:
Alternative AEAD cipher designed by Daniel J. Bernstein. Optimized for software implementations without hardware AES support.
Properties:
Why ChaCha20-Poly1305?
Google deployed ChaCha20-Poly1305 in Chrome/Android for connections to their servers, specifically for mobile battery and performance improvements.
For servers with significant mobile traffic, offering ChaCha20-Poly1305 improves user experience. Modern servers can detect client capabilities and prefer AES-GCM for desktop clients (with AES-NI) while serving ChaCha20-Poly1305 to mobile clients.
Not all cipher suites provide equal security. They can be categorized into tiers based on their cryptographic properties and known vulnerabilities.
| Tier | Characteristics | Example Cipher Suites | Recommendation |
|---|---|---|---|
| 🟢 Modern (TLS 1.3) | AEAD only, mandatory forward secrecy, current algorithms | TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 | Enable and prefer |
| 🟢 Strong (TLS 1.2) | ECDHE/DHE, AEAD, SHA-256+ | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Enable for compatibility |
| 🟡 Acceptable (TLS 1.2) | ECDHE/DHE, CBC mode, SHA-256+ | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256 | Enable only if necessary |
| 🟠 Legacy (TLS 1.2) | RSA key exchange, CBC, SHA-1 | TLS_RSA_WITH_AES_256_CBC_SHA | Disable unless required for legacy |
| 🔴 Weak (Deprecated) | DES, 3DES, RC4, MD5, export ciphers | TLS_RSA_WITH_3DES_EDE_CBC_SHA | Disable immediately |
| ⛔ Broken (Banned) | NULL encryption, anonymous DH, export 40-bit | TLS_RSA_WITH_NULL_SHA, TLS_DH_anon_* | Never enable under any circumstances |
Known Vulnerabilities by Algorithm:
RC4 — Stream cipher with measurable biases. BEAST attack mitigation drove RC4 adoption, then RC4 attacks (Bar-Mitzvah, NOMORE) led to deprecation.
3DES — Sweet32 attack: after 2^32 blocks (~32GB), birthday collision reveals plaintext patterns. Too slow and weak.
CBC mode — Padding oracles (POODLE, Lucky13) enabled plaintext recovery. Timing side-channels in MAC verification. Requires complex countermeasures.
SHA-1 — Collision attacks demonstrated (SHAttered). No longer considered secure for signatures.
RSA key exchange — No forward secrecy. Bleichenbacher attacks on PKCS#1 padding (F1 Racing, ROBOT).
Export ciphers — Deliberately weakened (40-bit, 56-bit keys) for 1990s US export regulations. FREAK, Logjam attacks exploited servers still supporting these.
If your server supports weak ciphers, attackers can potentially force their use through downgrade attacks—manipulating the handshake to select weaker algorithms. TLS 1.3's encrypted handshake and TLS 1.2's renegotiation info extension mitigate this, but the safest defense is to not offer weak ciphers at all.
Configuring cipher suites correctly is critical for security. Here are current best practices for server configuration.
1234567891011121314151617181920212223242526
# Modern TLS Configuration for Nginx # Enable only TLS 1.2 and TLS 1.3ssl_protocols TLSv1.2 TLSv1.3; # Cipher suites - TLS 1.3 ciphers are automatic# TLS 1.2 ciphers ordered by preferencessl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'; # Server preference orderssl_prefer_server_ciphers on; # ECDHE curvesssl_ecdh_curve X25519:secp256r1:secp384r1; # Session settingsssl_session_timeout 1d;ssl_session_cache shared:SSL:50m;ssl_session_tickets off; # Disable for forward secrecy # OCSP staplingssl_stapling on;ssl_stapling_verify on; # HSTS (optional but recommended)add_header Strict-Transport-Security "max-age=63072000" always;Stricter configurations improve security but may break older clients (IE 10, Android 4.x, Java 7). Know your user base. For public websites, a compatibility scan with tools like testssl.sh helps identify the impact of configuration changes.
Cipher negotiation is where cryptographic theory meets practical security. The algorithms chosen in the first milliseconds of a connection determine whether your data is protected or vulnerable.
What's Next:
With cipher negotiation understood, we move to the trust foundation of TLS: certificate exchange. The next page examines X.509 certificates, certificate chains, validation procedures, and the PKI infrastructure that enables server authentication.
You now understand TLS cipher negotiation — how client and server agree on cryptographic algorithms and why those choices have profound security implications. This knowledge enables you to configure secure servers, evaluate TLS implementations, and understand security advisories about cipher vulnerabilities.