What is a Cipher Suite?
A cipher suite is a set of cryptographic algorithms negotiated between a client and server during the TLS handshake. Each cipher suite specifies four components: key exchange (how the shared secret is established), authentication (how the server proves its identity), bulk encryption (how data is encrypted), and message authentication (how data integrity is verified).
Example
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 means:
- ECDHE - Elliptic Curve Diffie-Hellman Ephemeral key exchange (provides forward secrecy)
- RSA - RSA authentication (server proves identity with its RSA certificate)
- AES_256_GCM - AES-256 in Galois/Counter Mode (authenticated encryption)
- SHA384 - SHA-384 for the PRF (pseudorandom function)
Strong vs weak
Strong cipher suites use AEAD encryption (AES-GCM, ChaCha20-Poly1305) and ephemeral key exchange (ECDHE) for forward secrecy. Weak cipher suites use broken algorithms such as RC4, DES, or 3DES, or rely on static RSA key exchange, which provides no forward secrecy. SurfaceLoop identifies servers supporting weak cipher suites across your external attack surface.
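
The naming scheme and the strong/weak criteria above can be applied mechanically to a list of suite names. The following is an added example, not SurfaceLoop code: the function names, the "unrated" verdict, and the sample list are assumptions made for illustration, and it handles only TLS 1.2-style names containing _WITH_.

```python
# Added example: parse TLS 1.2-style cipher suite names and apply the
# strong/weak criteria from the text. All names here are illustrative.
BROKEN_CIPHERS = {"RC4", "DES", "3DES"}      # broken algorithms named in the text
AEAD_MARKERS = ("GCM", "CHACHA20_POLY1305")  # AEAD modes named in the text
EPHEMERAL_KX = {"ECDHE", "DHE"}              # text names ECDHE; DHE is also ephemeral


def parse_suite(name):
    """Split TLS_<kx>_<auth>_WITH_<cipher>_<hash> into its four components."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style suite name: {name!r}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    kx, _, auth = left.partition("_")
    # A lone token such as "RSA" means the certificate key does both jobs:
    # static RSA key exchange and RSA authentication.
    cipher, _, digest = right.rpartition("_")
    return {"kx": kx, "auth": auth or kx, "cipher": cipher, "hash": digest}


def classify(name):
    """Return (verdict, reasons); verdict is 'weak', 'strong' or 'unrated'."""
    s = parse_suite(name)
    weak = []
    if s["cipher"].split("_")[0] in BROKEN_CIPHERS:
        weak.append(f"broken cipher {s['cipher']}")
    if s["kx"] == "RSA":
        weak.append("static RSA key exchange (no forward secrecy)")
    if weak:
        return "weak", weak
    aead = any(marker in s["cipher"] for marker in AEAD_MARKERS)
    if aead and s["kx"] in EPHEMERAL_KX:
        return "strong", []
    # Meets neither definition in the text, e.g. ECDHE with a CBC cipher.
    missing = [] if aead else ["cipher is not AEAD"]
    if s["kx"] not in EPHEMERAL_KX:
        missing.append(f"key exchange {s['kx']} is not ephemeral")
    return "unrated", missing


# Constructed sample: suite names as a scanner might report them for one host.
SAMPLE = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_RC4_128_SHA",
          "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]

if __name__ == "__main__":
    for suite in SAMPLE:
        verdict, reasons = classify(suite)
        print(f"{verdict:8} {suite}  {'; '.join(reasons)}")
```

Note that TLS_RSA_WITH_AES_256_GCM_SHA384 is rated weak despite its AEAD cipher, because the static RSA key exchange alone removes forward secrecy.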