
Cipher Suites in Schannel

A cipher suite is a set of cryptographic algorithms. Schannel protocols use algorithms from a cipher suite to create keys and encrypt information. A cipher suite specifies one algorithm for each of the following tasks:

  • Key exchange
  • Bulk encryption
  • Message authentication

Key exchange algorithms protect information required to create shared keys. These algorithms are asymmetric (public key algorithms) and perform well for relatively small amounts of data.

Bulk encryption algorithms encrypt messages exchanged between clients and servers. These algorithms are symmetric and perform well for large amounts of data.

Message authentication algorithms generate message hashes and signatures that ensure the integrity of a message.

Developers specify these elements by using ALG_ID data types. For more information, see Specifying Schannel Ciphers and Cipher Strengths.

Schannel supports the following cipher suites. The suites are listed in the default order in which they are chosen by the Microsoft Schannel Provider.

| Cipher suite | FIPS mode enabled | Protocols | Exchange | Encryption | Hash |
|---|---|---|---|---|---|
| TLS_RSA_WITH_AES_128_CBC_SHA256 | Yes | TLS 1.2 | RSA | AES | SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | RSA | AES | SHA1 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | Yes | TLS 1.2 | RSA | AES | SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | RSA | AES | SHA1 |
| TLS_RSA_WITH_RC4_128_SHA | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 | RSA | RC4 | SHA1 |
| TLS_RSA_WITH_3DES_EDE_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | RSA | 3DES | SHA1 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 | Yes | TLS 1.2 | ECDH_P256 | AES | SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 | Yes | TLS 1.2 | ECDH_P384 | AES | SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | ECDH_P256 | AES | SHA1 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | ECDH_P384 | AES | SHA1 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | ECDH_P256 | AES | SHA1 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | ECDH_P384 | AES | SHA1 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 | Yes | TLS 1.2 | ECDH_P256 | AES | SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 | Yes | TLS 1.2 | ECDH_P384 | AES | SHA384 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 | Yes | TLS 1.2 | ECDH_P256 | AES | SHA256 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | ECDH_P256 | AES | SHA1 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | ECDH_P384 | AES | SHA1 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | ECDH_P256 | AES | SHA1 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | ECDH_P384 | AES | SHA1 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 | Yes | TLS 1.2 | ECDH_P384 | AES | SHA384 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | Yes | TLS 1.2 | DH | AES | SHA256 |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | DH | AES | SHA1 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | Yes | TLS 1.2 | DH | AES | SHA256 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0 | DH | AES | SHA1 |
| TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA | Yes | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 | DH | 3DES | SHA1 |
| TLS_RSA_WITH_RC4_128_MD5 | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 | RSA | RC4 | MD5 |
| SSL_CK_RC4_128_WITH_MD5 | No | SSL 2.0 | RSA | RC4 | MD5 |
| SSL_CK_DES_192_EDE3_CBC_WITH_MD5 | No | SSL 2.0 | RSA | 3DES | MD5 |
| TLS_RSA_WITH_NULL_SHA256 | No | TLS 1.2 | RSA | NULL | SHA256 |
| TLS_RSA_WITH_NULL_SHA | No | TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0 | RSA | NULL | SHA1 |

The following cipher suites are supported by Schannel; however, they are not present by default. They must be added as necessary. For information about how to add cipher suites to the Schannel provider, see Prioritizing Schannel Cipher Suites.

  • TLS_RSA_EXPORT_WITH_RC4_40_MD5
  • TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
  • TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
  • SSL_CK_RC4_128_EXPORT40_MD5
  • SSL_CK_DES_64_CBC_WITH_MD5
  • TLS_RSA_WITH_DES_CBC_SHA
  • TLS_RSA_WITH_NULL_MD5
  • TLS_RSA_WITH_NULL_SHA
  • TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
  • TLS_DHE_DSS_WITH_DES_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
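
The following added example (not part of the original documentation and not Microsoft code) parses the suite names used on this page into the table's Exchange, Encryption and Hash columns and flags entries in a configured priority list. The flag rule is inferred from the table's FIPS "No" rows and extended to EXPORT and single-DES suites as an assumption; SAMPLE_ORDER is a constructed input and the function names are hypothetical.

```python
import re

# TLS_<exchange>_WITH_<cipher>_<hash>[_P<curve>]; SSL 2.0 names start with SSL_CK_.
TLS_RE = re.compile(r"^TLS_(?P<kx>\w+?)_WITH_(?P<body>\w+?)(?:_P(?P<curve>\d{3}))?$")

# Constructed sample priority list (comma-separated), not taken from a real host.
SAMPLE_ORDER = ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_RC4_128_MD5,"
                "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,SSL_CK_DES_192_EDE3_CBC_WITH_MD5")

def parse_suite(name):
    """Split a suite name into the table's Exchange / Encryption / Hash columns."""
    if name.startswith("SSL_CK_"):  # the table lists RSA exchange for SSL 2.0 suites
        kx, curve, ssl2 = "RSA", None, True
        body = name[len("SSL_CK_"):].replace("_WITH_", "_")
    else:
        m = TLS_RE.match(name)
        if not m:
            raise ValueError("unrecognised suite name: " + name)
        kx, body, curve, ssl2 = m["kx"], m["body"], m["curve"], False
    cipher, _, digest = body.rpartition("_")  # the hash is always the last token
    if kx.startswith("ECDHE"):
        exchange = "ECDH_P" + curve if curve else "ECDH"
    else:
        exchange = "DH" if kx.startswith("DHE") else "RSA"
    enc = cipher.split("_")[0]
    if enc == "DES" and "EDE3" in cipher:  # SSL_CK_DES_192_EDE3_CBC is triple DES
        enc = "3DES"
    return {"exchange": exchange, "encryption": enc,
            "hash": "SHA1" if digest == "SHA" else digest,
            "ssl2": ssl2, "export": "EXPORT" in kx or "EXPORT" in cipher}

def flags(name):
    """Properties shared by the table's FIPS 'No' rows, plus EXPORT and single DES."""
    p = parse_suite(name)
    checks = [(p["ssl2"], "SSL 2.0 only"),
              (p["encryption"] in ("RC4", "NULL"), p["encryption"] + " encryption"),
              (p["hash"] == "MD5", "MD5 hash"),
              (p["export"], "export-grade"),
              (p["encryption"] == "DES", "single DES")]
    return [label for hit, label in checks if hit]

def audit(order):
    """Map each flagged suite in a comma-separated priority list to its flags."""
    names = [s.strip() for s in order.split(",") if s.strip()]
    return {n: flags(n) for n in names if flags(n)}

if __name__ == "__main__":
    for suite, why in audit(SAMPLE_ORDER).items():
        print(suite, "->", ", ".join(why))
```
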

Windows Server 2008 and Windows Vista:  For information about supported cipher suites in Windows Vista, see Schannel Cipher Suites in Windows Vista.

Windows Server 2003 and Windows XP:  For information about supported cipher suites, see the following topics.

| Topic | Description |
|---|---|
| TLS Cipher Suites | Information about the cipher suites available with the TLS protocol in Windows Server 2003 and Windows XP. |
| Secure Sockets Layer Protocol | General information about SSL 2.0 and 3.0, including the available cipher suites in Windows Server 2003 and Windows XP. |

© 2014 Microsoft. All rights reserved.