What type of bulk encryption cipher mode of operation offers the best security?

Modern cryptographic security protocols use cipher suites, such as the Transport Layer Security (TLS) protocol and its deprecated predecessor Secure Socket Layer (SSL). Cipher suites are a set of algorithms used to secure network connections between clients and servers. For example, the TLS/SSL protocols are used to establish HTTPS, FTPS, POP3, SMTP, and others.

Each of the algorithms in the cipher suite serves to secure a part of the connection. They are used to authenticate the server to the client (and sometimes vice-versa), negotiate the encryption key, encrypt the plaintext, and verify the transmitted data’s integrity. 

To learn more about the different ciphers, the cipher suites used by TLS/SSL, and setting a cipher order – keep reading below.

Cipher Order Security Assessment

CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Cipher Order Vulnerability Information

Your server or application will be vulnerable if no order is set for the HTTPS cipher or if the cipher order includes an insecure cipher. 

An insecure cipher allows an attacker to establish an insecure SSL/TLS connection and launch different attacks. 

Therefore, in your SSL/TLS configuration, you should set the allowed ciphers and their order to match secure values. See below for advice on how to do that!

What Are Ciphers, and How Do They work?

A cipher is a cryptographic algorithm, a procedure used to encrypt and decrypt data. Modern ciphers operate by encrypting the original message, the plaintext, via the algorithm’s rules (i.e., the encryption key) to produce what’s known as ciphertext. The ciphertext contains all the information of the original plaintext message but appears as a random string of data. It cannot be read by anyone who doesn’t have the key.

Ciphers can be distinguished based on two criteria – the type of encryption key they use and how they encrypt the data. 

A cipher can use symmetric or asymmetric keys – i.e., the same key is used for both encryption and decryption, or different keys (public and private) are used for each. There are also block ciphers and stream ciphers – the former encrypt data in blocks of a fixed size, while the latter encrypts data in the form of a continuous stream.

What Is an SLL Cipher Suite?

A cipher suite is a set of algorithms used to secure a connection via the TLS or SSL protocols between clients and servers. When initiating a connection, clients and servers will perform a handshake. During that handshake process, they will agree about the cipher suite to establish an HTTPS connection. Once the cipher suite is agreed upon, they will proceed with the key exchange and other connected parts. 

Cipher suites in TLS and SSL will usually include the following types of algorithms:

• Key exchange algorithm – specifies the exchange of the symmetric keys required for the encryption process. Due to the connection being considered insecure, a separate asymmetric process of arriving at the keys must be implemented to guarantee that only the two connecting parties will have the symmetric keys.

Examples of key exchange algorithms: RSA, Diffie-Hellman (DH), ECDH, ECDHE, SRP, PSK

• Authentication algorithm – dictates how to authenticate the server’s identity and (if needed) the user’s identity. 

Examples of authentication algorithms: RSA, DSA, ECDSA

• Bulk encryption algorithm – determines the type of symmetric key used to encrypt the data exchanged between the parties. 

Examples of bulk encryption algorithms: AES, RC4, 3DES, CHACHA20, ARIA, Camellia

• Message Authentication Code (MAC)/Hashing algorithm – provides a mechanism (a hash function) for checking the integrity of the data that is being transmitted to guarantee that it is not tampered with.

Examples of MAC algorithms: HMAC-SHA1, HMAC-SHA256, HMAC-SHA512, HMAC-MD5, POLY1305

Prevention Guide

Learn how to detect and prevent different kinds of SSL/TLS vulnerabilities.

TLS Cipher Suites

To begin, here’s what a cipher suite in TLS 1.2 usually looks like:

TLS_ECDH_RSA_AES256-GCM_SHA384

Each element above denotes a different part of the whole cipher suite being negotiated. The protocol is TLS, and each following element refers to one of the algorithms that are part of the suite, in the order specified above – key exchange, authentication, bulk encryption, and MAC.

Many different combinations of algorithms can make up a cipher suite. The exact combination used is determined during the TLS handshake process and depends on the set of ciphers supported on the server side. 

To date, only TLS 1.2 and TLS 1.3 are considered safe protocols for network connections, and each of them supports only a specific number of cipher suite combinations. See below for a list of cipher suites in TLS 1.2 and 1.3! 

Secure cipher suites in TLS 1.2

TLS 1.2, while primarily considered safe, is less safe than TLS 1.3 and supports a total of 37 cipher suites – i.e., 37 different combinations of ciphers. Not all are equally secure, and only about 20 should be used. These utilize a type of Diffie-Hellman key exchange algorithm – ECDHE or DHE. The secure suites to be used in TLS 1.2 are:

• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

Over time, vulnerabilities have been discovered in various common ciphers that have made them insecure due to the attacks they are open to. As a result, ciphers such as RC4, DSA, MD5, DH, ECDH, and others have been deprecated and considered unsafe (though many are still widely used).

One such attack, for example, is POODLE which exploits a vulnerability found in the cipher block chaining mode of encryption used in SSL 3.0. For this reason, it is crucial to ensure that only TLS 1.2 or 1.3 are allowed for use by the server and that possibilities for protocol downgrade, as with POODLE, are impossible.

Secure cipher suites in TLS 1.3

Cipher suites in TLS 1.3 are shorter and safer. This is because they do not list the authentication algorithm (i.e., the server certificate) or the key algorithm. This means that during the TLS handshake, fewer negotiations must be conducted between client and server, so only two algorithms are present in the cipher suite – the bulk cipher and the MAC algorithm. 

All in all, this reduces the number of possible cipher suites in TLS 1.3 to the following five:

• TLS_AES_256_GCM_SHA384
• TLS_CHACHA20_POLY1305_SHA256
• TLS_AES_128_GCM_SHA256
• TLS_AES_128_CCM_8_SHA256
• TLS_AES_128_CCM_SHA256

How to Configure the TLS Cipher Order

Since TLS 1.3 cipher suites are not compatible with older TLS protocol versions, you will need to enable support for TLS 1.2, and those cipher suites are considered secure when setting up your server. However, supporting only TLS 1.3 is limiting and will prevent many clients from connecting. That said, disabling support for protocol versions before TLS 1.2 is advisable.

If you’re in doubt about setting up the cipher order on your server, take a look at the TLS configuration proposal offered by Mozilla or use their SSL Config Generator.

To learn more about TLS vulnerabilities and how to prevent them, see our detailed TLS Security Settings and Enabling TLS Encryption guide.

Which encryption algorithms are more suitable for bulk data encryption?

What is the best encryption algorithm?

What are the two types of secure ciphers?

Which encryption method is most widely used and why?