What is different between the two ciphersuites below?
I have two questions:
- I need an explanation of the differences between the two cipher suites below.
- How do they work with the SSL/TLS protocol? (My main concern is that the first one doesn't have the 'ecdhe_rsa' part.)

tls_aes_128_gcm_sha256
tls_ecdhe_rsa_with_aes_128_gcm_sha256

Tags: encryption hash tls openssl
asked 1 hour ago by uma (new contributor)
edited 1 hour ago by kelalaka

Comments:
- What product are you using that supports those cipher suites? – Artjom B., 1 hour ago
- @ArtjomB. I examined those two when connecting to two web sites. – uma, 1 hour ago
- I guess the first one is for TLS 1.3 0-RTT. – Artjom B., 1 hour ago
- That's a pretty good guess :) – Maarten Bodewes, 59 mins ago

3 Answers

Accepted answer (3 votes):

The difference is that tls_aes_128_gcm_sha256 is TLS 1.3 and tls_ecdhe_rsa_with_aes_128_gcm_sha256 is used for the older TLS 1.2. The first ciphersuite doesn't specify the key agreement algorithm and the authentication mechanism. Those are likely used, but they are specified / configured elsewhere in the TLS handshake.

TLS 1.3 is basically TLS-done-right; the two protocols aren't compatible, even if the last part of the ciphersuite matches. It can however use the same key agreement and authentication mechanisms (and thus the same server certificate and key).

To quote OpenSSL:

    SSL_CTX_set_ciphersuites() is used to configure the available TLSv1.3 ciphersuites for ctx. This is a simple colon (":") separated list of TLSv1.3 ciphersuite names in order of preference. Valid TLSv1.3 ciphersuite names are:

    TLS_AES_128_GCM_SHA256

OK, so we're talking TLS 1.3 here, let's look there:

    Although TLS 1.3 uses the same cipher suite space as previous
    versions of TLS, TLS 1.3 cipher suites are defined differently, only
    specifying the symmetric ciphers, and cannot be used for TLS 1.2.
    Similarly, cipher suites for TLS 1.2 and lower cannot be used with
    TLS 1.3.

So we have two ciphersuites that are largely identical in the message encryption / authentication used. However, one is for TLS 1.2 and also specifies the key agreement, and the other is specific to TLS 1.3 and only specifies the message encryption / authentication.

For TLS 1.3 the reason why the other components are not specified is that they are negotiated during the handshake. This makes TLS 1.3 more flexible as it doesn't need to specify all possible combinations in the cipher suite. However, you should remind yourself that the ciphersuite is far from the only configuration parameter.

From TLS 1.3, section 4.1.1, Cryptographic Negotiation:

    ...
    In TLS, the cryptographic negotiation proceeds by the client offering
    the following four sets of options in its ClientHello:

    - A list of cipher suites which indicates the AEAD algorithm/HKDF
      hash pairs which the client supports.
    - A "supported_groups" (Section 4.2.7) extension which indicates the
      (EC)DHE groups which the client supports and a "key_share"
      (Section 4.2.8) extension which contains (EC)DHE shares for some
      or all of these groups.
    - A "signature_algorithms" (Section 4.2.3) extension which indicates
      the signature algorithms which the client can accept. A
      "signature_algorithms_cert" extension (Section 4.2.3) may also be
      added to indicate certificate-specific signature algorithms.
    ...

So basically the ECDHE option is now in supported_groups (DH is required for TLS 1.3) and RSA is in signature_algorithms, if present.

Short explanation of the terms:
- tls : the protocol
- ecdhe : ephemeral-ephemeral elliptic curve Diffie-Hellman for key agreement, which brings forward security
- rsa : signature algorithm when certificate authentication is used (for the server)
- aes-128 : cipher used for confidentiality
- gcm : authentication method for the messages (records)
- sha256 : hash algorithm used for the PRF (used for key derivation)

Note that TLS 1.3 uses HKDF instead of a proprietary HMAC-based mechanism in TLS 1.2 for the PRF. So although the TLS 1.2 and 1.3 cipher suites you mention may use the same primitives, the protocols differ somewhat (as explained in the initial section of this answer).

answered 59 mins ago by Maarten Bodewes (edited 21 mins ago)

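The negotiation quoted in the accepted answer above, as an added example that is not part of the original answers: a Python parser run over a constructed ClientHello body offering both suites from the question, showing that the (EC)DHE groups and signature algorithms are carried in extensions rather than in the TLS 1.3 suite name. The sample bytes and all helper names are assumptions made for this illustration; the code points are the IANA-registered values.

```python
import struct

# IANA TLS code points (only the ones this example needs).
CIPHER_SUITES = {0x1301: "TLS_AES_128_GCM_SHA256",
                 0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
GROUPS = {0x0017: "secp256r1", 0x001D: "x25519"}
SIG_ALGS = {0x0401: "rsa_pkcs1_sha256", 0x0403: "ecdsa_secp256r1_sha256",
            0x0804: "rsa_pss_rsae_sha256"}
VERSIONS = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_GROUPS, EXT_SIG_ALGS, EXT_VERSIONS = 10, 13, 43  # extension type numbers


def u16s(*values):
    """Encode 16-bit code points big-endian, as TLS does."""
    return b"".join(struct.pack(">H", v) for v in values)


def vec(length_bytes, body):
    """Encode a TLS variable-length vector: length prefix, then body."""
    return len(body).to_bytes(length_bytes, "big") + body


def build_client_hello():
    """Constructed sample: a ClientHello body (no record or handshake header).
    A real TLS 1.3 client would also send key_share; omitted for brevity."""
    ext = lambda typ, body: struct.pack(">H", typ) + vec(2, body)
    extensions = (ext(EXT_GROUPS, vec(2, u16s(0x001D, 0x0017)))
                  + ext(EXT_SIG_ALGS, vec(2, u16s(0x0804, 0x0403, 0x0401)))
                  + ext(EXT_VERSIONS, vec(1, u16s(0x0304, 0x0303))))
    return (b"\x03\x03"                      # legacy_version, frozen at 1.2
            + bytes(32)                      # random (zeros: constructed)
            + vec(1, b"")                    # legacy_session_id
            + vec(2, u16s(0x1301, 0xC02F))   # cipher_suites
            + vec(1, b"\x00")                # compression methods: null only
            + vec(2, extensions))


def names(data, table):
    """Decode a run of 16-bit code points into registry names."""
    if len(data) % 2:
        raise ValueError("odd-length code point list")
    return [table.get(v, hex(v)) for (v,) in struct.iter_unpack(">H", data)]


def parse_client_hello(body):
    """Return what the client offers, keyed by the field that carries it."""
    pos = 2 + 32                             # skip legacy_version and random

    def take(length_bytes):
        nonlocal pos
        n = int.from_bytes(body[pos:pos + length_bytes], "big")
        start = pos + length_bytes
        if start + n > len(body):
            raise ValueError("truncated ClientHello")
        pos = start + n
        return body[start:pos]

    take(1)                                  # legacy_session_id
    offer = {"cipher_suites": names(take(2), CIPHER_SUITES)}
    take(1)                                  # compression methods
    exts, i = take(2), 0
    while i + 4 <= len(exts):
        typ, n = struct.unpack_from(">HH", exts, i)
        if i + 4 + n > len(exts):
            raise ValueError("truncated extension")
        data, i = exts[i + 4:i + 4 + n], i + 4 + n
        if typ == EXT_GROUPS:                # key agreement lives here
            offer["supported_groups"] = names(data[2:], GROUPS)
        elif typ == EXT_SIG_ALGS:            # authentication lives here
            offer["signature_algorithms"] = names(data[2:], SIG_ALGS)
        elif typ == EXT_VERSIONS:            # real version negotiation
            offer["supported_versions"] = names(data[1:], VERSIONS)
    return offer


if __name__ == "__main__":
    for field, values in parse_client_hello(build_client_hello()).items():
        print(f"{field}: {', '.join(values)}")
```

A TLS 1.2 server that selects 0xC02F has fixed ECDHE and RSA by that choice alone; a TLS 1.3 server that selects 0x1301 has fixed only the AEAD and hash, and takes the group and signature scheme from the two extensions.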

Answer (1 vote):

As far as I know, DHE-RSA is Diffie-Hellman with RSA signature.
ECDH is Elliptic-curve Diffie–Hellman.

answered 59 mins ago by zetaprime

Answer (1 vote):

tls_aes_128_gcm_sha256
- TLS: protocol
- Authenticated Encryption with Associated Data (AEAD) cipher mode: AES with 128-bit key, GCM
- Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF), HKDF algorithm: SHA256

tls_ecdhe_rsa_with_aes_128_gcm_sha256
- TLS: protocol
- Key Exchange: ECDHE
- Authentication: RSA
- AEAD Cipher Mode: AES_128_GCM
- PRF Hash Algorithm: SHA256

answered 58 mins ago by kelalaka