Cipher Suites in TLS/SSL (Schannel SSP)

A cipher suite is a set of cryptographic algorithms. The schannel SSP implementation of the TLS/SSL protocols use algorithms from a cipher suite to create keys and encrypt information. A cipher suite specifies one algorithm for each of the following tasks:

  • Key exchange
  • Bulk encryption
  • Message authentication

Key exchange algorithms protect information required to create shared keys. These algorithms are asymmetric (public key algorithms) and perform well for relatively small amounts of data.

Bulk encryption algorithms encrypt messages exchanged between clients and servers. These algorithms are symmetric and perform well for large amounts of data.

Message authentication algorithms generate message hashes and signatures that ensure the integrity of a message.

Developers specify these elements by using ALG_ID data types. For more information, see Specifying Schannel Ciphers and Cipher Strengths.

In earlier versions of Windows, TLS cipher suites and elliptical curves were configured by using a single string:

Diagram that shows a single string for a Cipher Suite.

Different Windows versions support different TLS cipher suites and priority order. See the corresponding Windows version for the default order in which they are chosen by the Microsoft Schannel Provider.

Windows 11, version 22H2: For information about supported cipher suites, see TLS Cipher Suites in Windows 11 v22H2

Windows 11: For information about supported cipher suites, see TLS Cipher Suites in Windows 11

Windows Server 2022: For information about supported cipher suites, see TLS Cipher Suites in Windows Server 2022

Windows 10, version 22H2: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v22H2

Windows 10, versions 20H2, 21H1, and 21H2: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v20H2, v21H1, and v21H2

Windows 10, version 1903: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1903

Windows Server 2019 and Windows 10, version 1809: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1809

Windows 10, version 1803: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1803

Windows 10, version 1709: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1709

Windows 10, version 1703: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1703

Windows Server 2016 and Windows 10, version 1607: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1607

Windows 10, version 1511: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1511

Windows 10, version 1507: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1507

Windows Server 2012 R2 and Windows 8.1: For information about supported cipher suites, see TLS Cipher Suites in Windows 8.1

Windows Server 2012 and Windows 8: For information about supported cipher suites, see TLS Cipher Suites in Windows 8

Windows Server 2008 R2 and Windows 7: For information about supported cipher suites, see TLS Cipher Suites in Windows 7

Windows Server 2008 and Windows Vista: For information about supported cipher suites, see TLS Cipher Suites in Windows Vista

Note

Prior to Windows 10, cipher suite strings were appended with the elliptic curve to determine the curve priority. Windows 10 supports an elliptic curve priority order setting so the elliptic curve suffix is not required and is overridden by the new elliptic curve priority order, when provided, to allow organizations to use group policy to configure different versions of Windows with the same cipher suites.