How does it work?
During the handshake of a connection, when the client and server exchange information, the web server and browser compare their prioritized lists of supported cipher suites, see if they are compatible, and determine which cipher suite to use.
The decision on which cipher suite will be used depends on the web server. The agreed cipher suite is a combination of:
- Key exchange algorithms, such as RSA, DH, ECDH, DHE, ECDHE, or PSK
- Authentication/Digital Signature Algorithm, like RSA, ECDSA, or DSA
- Bulk encryption algorithms, like AES, CHACHA20, Camellia, or ARIA
- Message Authentication Code algorithms, such as SHA-256, and POLY1305
Going back to our cipher suite paradigm, let’s see what information a cipher suite provides.
Starting from left to right, ECDHE determines that during the handshake the keys will be exchanged via ephemeral Elliptic Curve Diffie Hellman (ECDHE). ECDSA or Elliptic Curve Digital Signature Algorithm is the authentication algorithm. AES128-GCM is the bulk encryption algorithm: AES running Galois Counter Mode with 128-bit key size. Finally, SHA-256 is the hashing algorithm.