Which block cipher mode of operation does TLS 1.3 use? I assume it is a block cipher mode that provides authentication (like GCM).
2 Answers
TLS 1.3 has had a huge cleanup after failures. We have only 5 cipher suites in TLS 1.3, with their IDs:
- {0x13,0x01} - TLS_AES_256_GCM_SHA384
- {0x13,0x02} - TLS_CHACHA20_POLY1305_SHA256
- {0x13,0x03} - TLS_AES_128_GCM_SHA256
- {0x13,0x04} - TLS_AES_128_CCM_8_SHA256
- {0x13,0x05} - TLS_AES_128_CCM_SHA256
As of the current RFC 8446:
A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites
All of these cipher suites use CTR mode. AES is a pseudo-random permutation (PRP) and ChaCha20 is a pseudo-random function (PRF); as a result, ChaCha20 is better for CTR mode, like any PRF.
AES-256 is the gold standard, is approved by NIST, and is quantum secure (Grover's algorithm) (ChaCha is secure against QC, too). AES has CPU instructions known as Intel's AES-NI. Intel also added the PCLMULQDQ instruction as of 2014 to increase GCM's performance; therefore we will see it more than the others.
- GCM (Galois Counter Mode) is the most used one*.
- CCM is a preferred mode in constrained environments.
- ChaCha20-Poly1305 is preferred by Google and it is immune to timing attacks by design.
Note that, in software, ChaCha20 beats AES and this is not a surprise since it is designed to be CPU-friendly.
*GCM is hard to use correctly; there are many pitfalls.
TLS permits a very long list of cipher suites. Not every implementation will support every cipher suite. Every implementation of TLS 1.3 is required to implement AES-128-GCM-SHA256, with AES-256-GCM-SHA384 and CHACHA20-Poly1305-SHA256 encouraged. Note that ChaCha20 usually just operates as a stream cipher, so it doesn't require a block mode.
Which cipher is actually used by your connection will depend on the configuration of the two peers, but it should always be possible to settle on one of the mandatory suites. Usage statistics show that the most common usage is AES256-GCM-SHA384.