CipherSpecs and CipherSuites

Cryptographic security protocols must agree on the algorithms used by a secure connection. CipherSpecs and CipherSuites define specific combinations of algorithms.

A CipherSpec identifies a combination of encryption algorithm and Message Authentication Code (MAC) algorithm. Both ends of a TLS, or SSL, connection must agree on the same CipherSpec to be able to communicate.

Important: When dealing with IBM® WebSphere® MQ channels, you use a CipherSpec. When dealing with Javachannels, JMS channels, or MQTT channels you specify a CipherSuite.

For more information about CipherSpecs, see Specifying CipherSpecs.

A CipherSuite is a suite of cryptographic algorithms used by an SSL or TLS connection. A suite comprises three distinct algorithms:

The key exchange and authentication algorithm, used during the handshake
The encryption algorithm, used to encipher the data
The MAC (Message Authentication Code) algorithm, used to generate the message digest

There are several options for each component of the suite, but only certain combinations are valid when specified for a TLS or SSL connection. The name of a valid CipherSuite defines the combination of algorithms used. For example, the CipherSuite SSL_RSA_WITH_RC4_128_MD5 specifies:

The RSA key exchange and authentication algorithm
The RC4 encryption algorithm, using a 128-bit key
The MD5 MAC algorithm

Several algorithms are available for key exchange and authentication, but the RSA algorithm is currently the most widely used. There is more variety in the encryption algorithms and MAC algorithms that are used.