Quiz Entry - updated: 2026.07.14
What is a TLS cipher suite, and how do you decode a name like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256?
A cipher suite is the bundled choice of (key exchange, authentication, bulk encryption, MAC/PRF). The name is an underscore-separated description of that bundle.
Decoding TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
| Segment | Meaning |
|---|---|
| TLS | The protocol family |
| ECDHE | Key exchange: Elliptic-Curve Diffie-Hellman, Ephemeral (PFS) |
| RSA | Server authentication: RSA signature on the DH params (cert is RSA) |
| WITH | Separator |
| AES_128 | Bulk encryption: AES with a 128-bit key |
| GCM | Mode: Galois/Counter Mode (authenticated encryption — provides MAC too) |
| SHA256 | HMAC PRF for key derivation (HKDF in TLS 1.3) |
Other common ones:
| Suite | Notes |
|---|---|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
Modern + uses EC cert |
TLS_RSA_WITH_AES_128_CBC_SHA |
Old — no PFS (plain RSA key exchange), uses CBC + separate SHA-1 HMAC |
TLS_AES_128_GCM_SHA256 |
TLS 1.3 — no key-exchange/auth in the name because TLS 1.3 always uses ECDHE + the cert's algorithm |
TLS 1.3 dramatically simplified things: only 5 cipher suites are defined, none of them include the key exchange or signature algorithm (those are negotiated separately). All are AEAD with SHA-256/384 for HKDF.
Tip: Tools like SSL Labs Server Test (ssllabs.com/ssltest) grade your server's cipher suite configuration. A server allowing CBC suites, RC4, or anything with RSA key exchange will get a downgraded grade.