Cipher Suites in TLS/SSL (Schannel SSP)
A cipher suite is a set of cryptographic algorithms. The schannel SSP implementation of the TLS/SSL protocols use algorithms from a cipher suite to create keys and encrypt information. A cipher suite specifies one algorithm for each of the following tasks:
- Key exchange
- Bulk encryption
- Message authentication
Key exchange algorithms protect information required to create shared keys. These algorithms are asymmetric (public key algorithms) and perform well for relatively small amounts of data.
Bulk encryption algorithms encrypt messages exchanged between clients and servers. These algorithms are symmetric and perform well for large amounts of data.
Message authentication algorithms generate message hashes and signatures that ensure the integrity of a message.
Developers specify these elements by using ALG_ID data types. For more information, see Specifying Schannel Ciphers and Cipher Strengths.
In earlier versions of Windows, TLS cipher suites and elliptical curves were configured by using a single string:
Different Windows versions support different TLS cipher suites and priority order. See the corresponding Windows version for the default order in which they are chosen by the Microsoft Schannel Provider.
Windows 11, version 22H2 and later: For information about supported cipher suites, see TLS Cipher Suites in Windows 11 v22H2 and later
Windows 11: For information about supported cipher suites, see TLS Cipher Suites in Windows 11
Windows Server 2022 and later: For information about supported cipher suites, see TLS Cipher Suites in Windows Server 2022 and later
Windows 10, version 22H2: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v22H2
Windows 10, versions 20H2, 21H1, and 21H2: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v20H2, v21H1, and v21H2
Windows 10, version 1903: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1903
Windows Server 2019 and Windows 10, version 1809: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1809
Windows 10, version 1803: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1803
Windows 10, version 1709: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1709
Windows 10, version 1703: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1703
Windows Server 2016 and Windows 10, version 1607: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1607
Windows 10, version 1511: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1511
Windows 10, version 1507: For information about supported cipher suites, see TLS Cipher Suites in Windows 10 v1507
Windows Server 2012 R2 and Windows 8.1: For information about supported cipher suites, see TLS Cipher Suites in Windows 8.1
Windows Server 2012 and Windows 8: For information about supported cipher suites, see TLS Cipher Suites in Windows 8
Windows Server 2008 R2 and Windows 7: For information about supported cipher suites, see TLS Cipher Suites in Windows 7
Windows Server 2008 and Windows Vista: For information about supported cipher suites, see TLS Cipher Suites in Windows Vista
Note
Prior to Windows 10, cipher suite strings were appended with the elliptic curve to determine the curve priority. Windows 10 supports an elliptic curve priority order setting so the elliptic curve suffix is not required and is overridden by the new elliptic curve priority order, when provided, to allow organizations to use group policy to configure different versions of Windows with the same cipher suites.