Cipher suites play an integral part in establishing secure communications between a client and server using the SSL/TLS protocol. Cipher suites determine the ciphers to be used, the key exchange algorithms as well as message authentication codes.
The SSL protocol uses a combination of public-key and symmetric key encryption. Symmetric key encryption is much faster than public-key encryption, but public-key encryption provides better authentication techniques.
DETAILS
Introduction
An SSL session always begins with an exchange of messages called the SSL handshake. The handshake allows the server to authenticate itself to the client using public-key techniques, then allows the client and the server to cooperate in the creation of symmetric keys used for rapid encryption, decryption, and tamper detection during the session that follows.
The client presents a list of cipher suites it supports but the server makes the final decision as to which cipher suite will be used. The server is limited to choosing from the presented list of cipher suites.
Cipher Suite Composition
A Cipher Suite is composed of the following:
Encryption:
  Block Cipher: RC2, DES, Triple-DES
  Stream Cipher: RC4
Hash Function: SHA or SHA1, MD5
Cipher Spec examples: NULL_MD5, NULL_SHA, RC4_MD5_EXPORT, RC2_MD5_EXPORT, DES_MD5_EXPORT, DES_SHA_EXPORT, TRIPLE_DES_MD5_EXPORT
Encryption + Hash Function ===> Cipher Spec
Cipher Spec + Authentication/Key Exchange ===> Cipher Suite
As stated above, the Cipher Suite is a combination of the following four attributes:
Key Exchange Algorithm: RSA or Diffie-Hellman variants.
Authentication Algorithm: RSA, Diffie-Hellman, DSS or none.
Cipher/Encryption Algorithm: DES, Triple-DES, RC4, RC2, IDEA or none.
MAC Digest (Hash) Algorithm: MD5, SHA or SHA1.
Definition
We can now define Cipher Suite as: A cipher suite is a named combination of authentication, encryption, and message authentication code (MAC) algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) or Secure Sockets Layer (SSL) network protocol.
Cipher Suite Strength
Cipher suites are available that provide a variety of different encryption "strengths." The strongest cipher suites, for example, use the Advanced Encryption Standard (AES), which supports 128- or 256-bit encryption, or Triple DES (3DES), which provides 168-bit encryption. The weakest, on the other hand, provide no encryption and weaker message authentication.
How to enable 256 bit encryption (Strongest Cipher Suite) in WebLogic Server
WebLogic Server 12.1 supports the cipher suites supported by the JDK-default JSSE provider. For backward compatibility, the JSSE-based SSL implementation accepts Certicom cipher suite names for cipher suites that are compatible with the SunJSSE provider. However, Oracle does not encourage future use of Certicom cipher suite names.
The set of cipher suites supported by the JDK-default JSSE provider, SunJSSE, is available at http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html.
With JSSE, the cipher suites selected by default are stronger than those of Certicom SSL and have slower performance. Also, by default the anonymous and the strongest cipher suites are disabled.
If we want to use the strongest cipher suites (256-bit encryption), such as AES_256 (TLS_RSA_WITH_AES_256_CBC_SHA), we have to install the unlimited-strength JCE policy files, which depend on the JDK version.
Using the following URL, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files that correspond to the version of your JDK: http://www.oracle.com/technetwork/java/javase/downloads/index.html.
To enable a specific cipher suite, configure the <ciphersuite> element inside the <ssl> element in the DOMAIN_HOME/config/config.xml file, as follows:
<ssl>
  <name>examplesServer</name>
  <enabled>true</enabled>
  <listen-port>7002</listen-port>
  <ciphersuite>TLS_RSA_WITH_AES_256_CBC_SHA</ciphersuite>
  ...
</ssl>
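To confirm that the policy files took effect and that the configured suite is available before restarting the server, the following added example (not from the original article or from Oracle) can be run with the same JDK that starts WebLogic. The class name CipherSuiteCheck and its helper methods are hypothetical; the JDK calls are standard javax.crypto and javax.net.ssl APIs.

```java
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added example: reports whether this JVM can use the suites named in
// <ciphersuite>. Class and method names are hypothetical.
public class CipherSuiteCheck {

    // Suite from the config.xml snippet above; pass other names as arguments.
    static final String DEFAULT_SUITE = "TLS_RSA_WITH_AES_256_CBC_SHA";

    // AES key size implied by a suite name, or 0 if it is not an AES suite.
    static int aesBits(String suite) {
        if (suite.contains("_AES_256_")) return 256;
        if (suite.contains("_AES_128_")) return 128;
        return 0;
    }

    static String status(String suite, int maxAes,
                         List<String> supported, List<String> enabled) {
        if (aesBits(suite) > maxAes) {
            return "BLOCKED by JCE policy (max AES key " + maxAes + " bits)";
        }
        if (!supported.contains(suite)) return "NOT SUPPORTED by the JSSE provider";
        if (!enabled.contains(suite)) return "supported, not enabled by default";
        return "supported and enabled by default";
    }

    public static void main(String[] args) throws Exception {
        // Limited policy files cap AES at 128 bits; with the unlimited
        // policy installed this call returns Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        SSLContext ctx = SSLContext.getDefault();
        List<String> supported =
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        List<String> enabled =
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());

        System.out.println("Max AES key length allowed by policy: " + maxAes);
        String[] suites = args.length > 0 ? args : new String[] { DEFAULT_SUITE };
        for (String suite : suites) {
            System.out.println(suite + ": " + status(suite, maxAes, supported, enabled));
        }
    }
}
```

A "BLOCKED by JCE policy" result means the unlimited-strength policy files are not in place for that JDK, so a 256-bit suite named in config.xml cannot be negotiated.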