Score:2

Which block cipher mode of operation does TLS 1.3 use?


Which block cipher mode of operation does TLS 1.3 use? I assume it is a block cipher mode that provides authentication (like GCM).

kelalaka:
Which version are we talking about?
Yotam Sofer:
Latest - TLS 1.3
Maarten Bodewes:
Hi Yotam. A few hints: you may receive downvotes if the standard directly specifies what you are looking for; replicating all information in the standard is generally not considered useful, especially since RFCs are freely available. If you have additional information, e.g. after a comment, then please [edit] it into your question instead of using comments (you may want to comment to notify the requester, though).
Yotam Sofer:
Thanks! got it (:
Score:13

TLS 1.3 had a huge clean-up after the failures. We have only 5 cipher suites in TLS 1.3, with their IDs:

  • {0x13,0x01} - TLS_AES_256_GCM_SHA384
  • {0x13,0x02} - TLS_CHACHA20_POLY1305_SHA256
  • {0x13,0x03} - TLS_AES_128_GCM_SHA256
  • {0x13,0x04} - TLS_AES_128_CCM_8_SHA256
  • {0x13,0x05} - TLS_AES_128_CCM_SHA256

As of current RFC 8446:

A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites

All of these cipher suites use CTR mode. AES is a pseudo-random permutation (PRP), and ChaCha20 is a pseudo-random function (PRF); as a result, ChaCha20 is better for CTR mode, like any PRF.

AES-256 is the gold standard, approved by NIST, and it is quantum secure (Grover's algorithm) (ChaCha is secure against QC, too). AES has CPU instructions known as Intel's AES-NI. Intel also added the PCLMULQDQ instruction as of 2014 to increase GCM's performance; therefore we will see it more than the others.

  • GCM (Galois Counter Mode) is the most used one*.
  • CCM is the preferred mode for constrained environments.
  • ChaCha20-Poly1305 is preferred by Google and it is immune to timing attacks by design.

Note that, in software, ChaCha20 beats AES and this is not a surprise since it is designed to be CPU-friendly.


*GCM is hard to use correctly; there are many pitfalls.
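The answer above makes the point that every TLS 1.3 suite is an AEAD built on a counter-mode cipher. The Go program below is an added example (not code from the answer, nor from any TLS library) showing how RFC 8446 §5.2 and §5.3 apply that AEAD to a single record with AES-128-GCM: the per-record nonce is the 64-bit sequence number XORed into the write IV and is never sent on the wire, the 5-byte record header is the additional data, and the real content type is hidden inside the encrypted payload behind optional zero padding. The key and IV are constructed constants (a real stack derives them from the traffic secret with HKDF-Expand-Label), and the type and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// recordKeys is one direction of TLS 1.3 record protection (RFC 8446 §5.2, §5.3):
// the AEAD instance, the 12-byte write IV and the 64-bit record sequence number.
type recordKeys struct {
	aead cipher.AEAD
	iv   []byte
	seq  uint64
}

// newAESGCMKeys builds the AES-GCM state for one direction. In real TLS the key and
// IV come from HKDF-Expand-Label over the traffic secret; here they are passed in.
func newAESGCMKeys(key, iv []byte) (*recordKeys, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(iv) != aead.NonceSize() {
		return nil, errors.New("write IV must be 12 bytes")
	}
	return &recordKeys{aead: aead, iv: append([]byte(nil), iv...)}, nil
}

// nonce is the per-record nonce of §5.3: the sequence number, left-padded with zeros
// to the IV length, XORed with the write IV. It is never transmitted; both sides count.
func (r *recordKeys) nonce() []byte {
	n := make([]byte, len(r.iv))
	binary.BigEndian.PutUint64(n[len(n)-8:], r.seq)
	for i := range n {
		n[i] ^= r.iv[i]
	}
	return n
}

// recordHeader is the 5-byte TLSCiphertext header (opaque_type application_data = 23,
// legacy_record_version 0x0303, ciphertext length). It is the AEAD additional data.
func recordHeader(ciphertextLen int) []byte {
	h := []byte{23, 0x03, 0x03, 0, 0}
	binary.BigEndian.PutUint16(h[3:], uint16(ciphertextLen))
	return h
}

// seal protects one record. The AEAD plaintext is TLSInnerPlaintext =
// content || real content type || zero padding; the output is header || ciphertext || tag.
func (r *recordKeys) seal(contentType byte, content []byte, padding int) []byte {
	inner := make([]byte, 0, len(content)+1+padding)
	inner = append(inner, content...)
	inner = append(inner, contentType)
	inner = append(inner, make([]byte, padding)...)
	hdr := recordHeader(len(inner) + r.aead.Overhead())
	ct := r.aead.Seal(nil, r.nonce(), inner, hdr)
	r.seq++ // advance only after a successful operation; a nonce must never repeat
	return append(hdr, ct...)
}

// open is the receiving side: check the length field, authenticate header and ciphertext
// together, then strip the zero padding to recover the real content type and content.
func (r *recordKeys) open(record []byte) (byte, []byte, error) {
	if len(record) < 5 {
		return 0, nil, errors.New("record too short")
	}
	hdr, ct := record[:5], record[5:]
	if int(binary.BigEndian.Uint16(hdr[3:])) != len(ct) {
		return 0, nil, errors.New("length field does not match ciphertext")
	}
	inner, err := r.aead.Open(nil, r.nonce(), ct, hdr)
	if err != nil {
		return 0, nil, err // bad tag: tampering, wrong key or sequence numbers out of step
	}
	r.seq++
	i := len(inner) - 1
	for i >= 0 && inner[i] == 0 { // padding is all zeros; the last non-zero byte is the type
		i--
	}
	if i < 0 {
		return 0, nil, errors.New("no content type byte") // §5.4: fatal unexpected_message
	}
	return inner[i], inner[:i], nil
}

func main() {
	// Constructed key material for the example only.
	key := []byte("0123456789abcdef") // 16 bytes: AES-128
	iv := []byte{0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18, 0x29, 0x3a, 0x4b, 0x5c}
	sender, _ := newAESGCMKeys(key, iv)
	receiver, _ := newAESGCMKeys(key, iv)

	rec := sender.seal(23, []byte("GET / HTTP/1.1\r\n"), 4)
	fmt.Printf("record: %x\n", rec)
	typ, content, err := receiver.open(rec)
	fmt.Printf("type %d content %q err %v\n", typ, content, err)

	// Flip the legacy version byte: the header is authenticated, so the tag fails.
	fresh, _ := newAESGCMKeys(key, iv)
	bad := append([]byte(nil), rec...)
	bad[1] ^= 1
	_, _, err = fresh.open(bad)
	fmt.Println("tampered header:", err)
}
```

Flipping a header byte, feeding a record to a receiver whose counter is out of step, or replaying a record all fail in `open` with an authentication error rather than yielding garbage, which is what binding the header and the implicit sequence number into the AEAD buys over sending an explicit nonce as TLS 1.2 GCM did.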

Score:7

TLS permits a very long list of cipher suites. Not every implementation will support every cipher suite. Every implementation of TLS 1.3 is required to implement AES-128-GCM-SHA256, with AES-256-GCM-SHA384 and CHACHA20-Poly1305-SHA256 encouraged. Note that ChaCha20 usually just operates as a stream cipher, so it doesn't require a block mode.

Which cipher is actually used by your connection will depend on the configuration of the two peers, but it should always be possible to settle on one of the mandatory suites. Usage statistics show that the most common usage is AES256-GCM-SHA384.

kelalaka:
rfc8446.html#section-9.1: A TLS-compliant application **MUST** implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and **SHOULD** implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see
Daniel S:
@kelalaka Many thanks. I have edited the answer accordingly.
dave_thompson_085:
Nearly all of the long list of ciphersuites are for 1.2, or lower in many but not all cases, not 1.3. 1.3 can _only_ use the suites defined (newly) for it. (Though a ClientHello that offers both 1.3 and lower can and should have both types of suites in its list.)
Daniel S:
@dave_thompson_085 True, but the original question did not stipulate 1.3. I don’t know if 1.3 adoption is [still depressingly slow](https://sansorg.egnyte.com/dl/SQCPKwqCTi) but a lot of those ciphers could still be out there.
kelalaka:
@dave_thompson_085 I've changed the question asked to OP, then according to the answer, modified the question. Without it, it was too broad.
kelalaka:
According to [SSLabs](https://www.ssllabs.com/ssl-pulse/) almost half can support 1.3
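The second answer notes that the suite a connection actually uses depends on both peers' configuration. The Go program below is an added example (not code from the answer or from Go's own tests) that shows how to check that: it runs a TLS server and client in one process over loopback TCP and reads back the negotiated version and cipher suite. The three suites RFC 8446 §9.1 requires or recommends carry the code points 0x1301, 0x1302 and 0x1303 (Appendix B.4); capping the server at TLS 1.2 shows the same client falling back to a 1.2 suite. The certificate is a throwaway self-signed one generated at run time, and the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// tls13Suites are the RFC 8446 Appendix B.4 code points of the suites that section 9.1
// makes mandatory (0x1301) or recommended (0x1302, 0x1303).
var tls13Suites = map[uint16]string{
	0x1301: "TLS_AES_128_GCM_SHA256",
	0x1302: "TLS_AES_256_GCM_SHA384",
	0x1303: "TLS_CHACHA20_POLY1305_SHA256",
}

// selfSignedCert generates a throwaway ECDSA P-256 certificate for the in-process server
// and returns it with the parsed certificate so the client can pin it as its only root.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// negotiate handshakes a client against a server in the same process over loopback TCP
// and returns the version and cipher suite the client sees. serverMax caps the server;
// the client offers TLS 1.2 and 1.3 and lets the server choose.
func negotiate(serverMax uint16) (uint16, uint16, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return 0, 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	serverCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12, MaxVersion: serverMax}
	clientCfg := &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: tls.VersionTLS12}

	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg) // loopback only, OS-chosen port
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	serverErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		serverErr <- err
	}()

	client, err := tls.Dial("tcp", ln.Addr().String(), clientCfg) // Dial completes the handshake
	if err != nil {
		return 0, 0, err
	}
	defer client.Close()
	if err := <-serverErr; err != nil {
		return 0, 0, err
	}
	cs := client.ConnectionState()
	return cs.Version, cs.CipherSuite, nil
}

func main() {
	for _, max := range []uint16{tls.VersionTLS13, tls.VersionTLS12} {
		ver, suite, err := negotiate(max)
		if err != nil {
			fmt.Println("handshake failed:", err)
			continue
		}
		fmt.Printf("server max %#04x: negotiated %#04x with %s (TLS 1.3 suite: %t)\n",
			max, ver, tls.CipherSuiteName(suite), tls13Suites[suite] != "")
	}
}
```

With the server allowed up to TLS 1.3 the reported suite is one of the three 0x130x code points (Go picks AES-GCM or ChaCha20-Poly1305 depending on hardware AES support); with the server capped at TLS 1.2 the same client lands on a 1.2 suite with a different code point, which is the fallback the comments above discuss.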