Cipher used for request data encryption used by browser

  1. The browser will generate a session key and encrypt it using server's public key. But which encryption algorithm (or commonly called as cipher algorithm) will be used by the browser?
    • How is cipher selection determined, and will browser and server both use the same cipher/key size for encryption and decryption?

The browser will send a list of cipher suites to the server that it supports. This answer will explain what a cipher suite is in detail, but basically a cipher suite is a list of algorithms to use for the secure communication. A cipher suite contains:

  • TLS Version
  • Key Exchange Algorithm
  • Signing Algorithm
  • Symmetric Encryption Algorithm
  • Integrity Algorithm

For example: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

The browser sends a list of supported cipher suites to the server, and the server chooses the most secure cipher suite that it supports. If it doesn't support any in the list then the connection fails. The symmetric encryption algorithm is what the session key is used for. In SSL/TLS, keys are generated from the pre-master secret.

  1. Once SSL handshake is completed, all communication will be encrypted using the symmetric session key, but again which encryption algorithm will be used by the browser?

Again, the symmetric algorithm in the cipher suite will be used for the encrypted communication. In the example above it would be 128-bit AES in GCM mode.

  1. Is the encryption algorithm used by browser in any way dependant upon certificate received from server?
    • Or is all encryption performed by the browser performed with the same cipher algorithm?

It is in no way dependent on the certificate. All encryption is performed by the symmetric encryption algorithm in the cipher suite chosen by the server.

  1. Please correct me if I am wrong, the algorithm or cipher information is also present in the certificate? How does that information stored in the certificate?
    • While generating the certificate do I need to state which algorithm, how many bits encryption, padding etc.?

The algorithm and cipher for the secure communication is not in the certificate, but as stated above within the cipher suite chosen by the server. The certificate only contains information relating to the certificate itself. Which includes, but not limited to, validity information, signing algorithm, issuer information etc.

Based on the above answer I will have the most important question - suppose I am providing my server's private key to somebody so that he can monitor the SSL traffic for my server, then apart from providing him the private key what all other things I need to take care. And do I need to tell him the algorithm or cipher I am using at server?

I would highly recommend not providing your server's private key for SSL traffic monitoring (for reasons outside the scope of this question). However, if you do decide to share your private key the other party doesn't need any other information. As the algorithm and cipher are not included in the certificate.


Super short answer: The server and client negotiate what algorithm they support and subsequently use. It is communicated during the handshake.