LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is a TLS cipher suite, and how do you decode a name like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256?

A cipher suite is the bundled choice of (key exchange, authentication, bulk encryption, MAC/PRF). The name is an underscore-separated description of that bundle.

Decoding TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:

Segment Meaning
TLS The protocol family
ECDHE Key exchange: Elliptic-Curve Diffie-Hellman, Ephemeral (PFS)
RSA Server authentication: RSA signature on the DH params (cert is RSA)
WITH Separator
AES_128 Bulk encryption: AES with a 128-bit key
GCM Mode: Galois/Counter Mode (authenticated encryption — provides MAC too)
SHA256 HMAC PRF for key derivation (HKDF in TLS 1.3)

Other common ones:

Suite Notes
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Modern + uses EC cert
TLS_RSA_WITH_AES_128_CBC_SHA Old — no PFS (plain RSA key exchange), uses CBC + separate SHA-1 HMAC
TLS_AES_128_GCM_SHA256 TLS 1.3 — no key-exchange/auth in the name because TLS 1.3 always uses ECDHE + the cert's algorithm

TLS 1.3 dramatically simplified things: only 5 cipher suites are defined, none of them include the key exchange or signature algorithm (those are negotiated separately). All are AEAD with SHA-256/384 for HKDF.

Tip: Tools like SSL Labs Server Test (ssllabs.com/ssltest) grade your server's cipher suite configuration. A server allowing CBC suites, RC4, or anything with RSA key exchange will get a downgraded grade.

From Quiz: ISF / Asymmetric Cryptography | Updated: Jul 14, 2026