A cipher suite is a set of cryptographic algorithms. Schannel protocols use algorithms from a cipher suite to create keys and encrypt information. A cipher suite specifies one algorithm for each of the following tasks:
- Key exchange
- Bulk encryption
- Message authentication
Key exchange algorithms protect information required to create shared keys. These algorithms are asymmetric (public key algorithms) and perform well for relatively small amounts of data.
Bulk encryption algorithms encrypt messages exchanged between clients and servers. These algorithms are symmetric and perform well for large amounts of data.
Message authentication algorithms generate message hashes and signatures that ensure the integrity of a message.
Developers specify these elements by using
ALG_ID data types. For more information, see
Specifying Schannel Ciphers and Cipher Strengths.
Schannel supports the following cipher suites. The suites are listed in the default order in which they are chosen by the Microsoft Schannel Provider.
| Cipher suite | FIPS mode enabled | Exchange | Encryption | Hash | Protocols |
|---|
| TLS_RSA_WITH_AES_128_CBC_SHA | Yes | RSA | AES | SHA1 | TLS 1.0 |
| TLS_RSA_WITH_AES_256_CBC_SHA | Yes | RSA | AES | SHA1 | TLS 1.0 |
| TLS_RSA_WITH_RC4_128_SHA | No | RSA | RC4 | SHA1 | TLS 1.0, SSL 3.0 |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | Yes | RSA | 3DES | SHA1 | TLS 1.0, SSL 3.0 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 | Yes | ECDH_P256 | AES | SHA1 | TLS 1.0 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 | Yes | ECDH_P384 | AES | SHA1 | TLS 1.0 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 | Yes | ECDH_P521 | AES | SHA1 | TLS 1.0 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 | Yes | ECDH_P256 | AES | SHA1 | TLS 1.0 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 | Yes | ECDH_P384 | AES | SHA1 | TLS 1.0 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521 | Yes | ECDH_P521 | AES | SHA1 | TLS 1.0 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 | Yes | ECDH_P256 | AES | SHA1 | TLS 1.0 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 | Yes | ECDH_P384 | AES | SHA1 | TLS 1.0 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521 | Yes | ECDH_P521 | AES | SHA1 | TLS 1.0 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 | Yes | ECDH_P256 | AES | SHA1 | TLS 1.0 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 | Yes | ECDH_P384 | AES | SHA1 | TLS 1.0 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521 | Yes | ECDH_P521 | AES | SHA1 | TLS 1.0 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | Yes | DH | AES | SHA1 | TLS 1.0 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | Yes | DH | AES | SHA1 | TLS 1.0 |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | Yes | DH | 3DES | SHA1 | TLS 1.0, SSL 3.0 |
| TLS_RSA_WITH_RC4_128_MD5 | No | RSA | RC4 | MD5 | TLS 1.0, SSL 3.0 |
| SSL_CK_RC4_128_WITH_MD5 | No | RSA | RC4 | MD5 | SSL 2.0 |
| SSL_CK_DES_192_EDE3_CBC_WITH_MD5 | No | RSA | 3DES | MD5 | SSL 2.0 |
| TLS_RSA_WITH_NULL_MD5 | No | RSA | | MD5 | TLS 1.0, SSL 3.0 |
| TLS_RSA_WITH_NULL_SHA | No | RSA | | SHA1 | TLS 1.0, SSL 3.0 |
The following cipher suites are supported by Schannel; however, they are not present by default. They must be added as necessary. For information about how to add cipher suites to the Schannel provider, see Prioritizing Schannel Cipher Suites.
- TLS_RSA_EXPORT_WITH_RC4_40_MD5
- TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
- TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
- SSL_CK_RC4_128_EXPORT40_MD5
- SSL_CK_DES_64_CBC_WITH_MD5
- TLS_RSA_WITH_DES_CBC_SHA
- TLS_RSA_WITH_NULL_MD5
- TLS_RSA_WITH_NULL_SHA
- TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
- TLS_DHE_DSS_WITH_DES_CBC_SHA
Windows Server 2003, Windows XP, and Windows 2000: For information about supported cipher suites, see the following topics.
| Topic | Description |
|---|
| TLS Cipher Suites | Information about the cipher suites available with the TLS protocol in Windows Server 2003, Windows XP, and Windows 2000. |
| Secure Sockets Layer Protocol | General information about SSL 2.0 and 3.0, including the available cipher suites in Windows Server 2003, Windows XP, and Windows 2000. |
Send comments about this topic to Microsoft
Build date: 6/26/2009