What is a cipher suite?

3 minbeginnercipher-suitetlsbasics

Quick Answer

A cipher suite is a named bundle of algorithms that together define exactly how a TLS connection will do key exchange, authentication, encryption, and integrity checking. During the handshake, the client and server agree on one cipher suite to use for the rest of the connection.

Detailed Answer

TLS does not use just one algorithm — it needs several working together: one to agree on a shared secret, one to prove the server's identity, one to encrypt the data, and one to check it wasn't tampered with. A cipher suite bundles a specific choice for each of these into one name.

Client's supported cipher suites:
  TLS_AES_128_GCM_SHA256
  TLS_AES_256_GCM_SHA384
  TLS_CHACHA20_POLY1305_SHA256
        |
        v
Server picks one it also supports:
  -> TLS_AES_128_GCM_SHA256
        |
        v
Both sides now know exactly which algorithms to use
for the rest of the connection

During the handshake, the client sends a list of cipher suites it supports, ordered by preference. The server picks one from that list, which it also supports. From that point on, both sides know exactly which encryption and integrity algorithm to use.

Why this matters:

  • Picking a weak cipher suite undermines the whole connection, no matter how strong TLS itself is.
  • Servers are usually configured to only offer modern, secure cipher suites, and reject old weak ones.

Related Resources