TLS 1.3 has huge clean up after failures. We have only 5 cipher suites in TLS 1.3, with their IDs:
{0x13,0x01}
- TLS_AES_256_GCM_SHA384
{0x13,0x02}
- TLS_CHACHA20_POLY1305_SHA256
{0x13,0x03}
- TLS_AES_128_GCM_SHA256
{0x13,0x04}
- TLS_AES_128_CCM_8_SHA256
{0x13,0x05}
- TLS_AES_128_CCM_SHA256
As of current RFC 8446:
A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256 [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384 [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites
All of these cipher suites are using CTR mode, AES is Pseudo-Random Permutation (PRP), and Chacha20 is Pseudo-Random Function (PRF); as a result, ChaCha20 is better for CTR mode like any PRF.
AES-256 is the golden standard and approved by NIST and it is Quantum secure (Grover's algorithm) (ChaCha secure against QC, too). AES has CPU instruction known as Intel's AES-NI. Intel also added PCLMULQDQ
instruction as of 2014 to increase the GCM's performance, therefore we will see it more than the others.
- GCM (Galois Counter Mode) is the most used one*.
- CCM is a preferred mode constrained environments.
- ChaCha20-Poly1305 is preferred by Google and it is immune to timing attacks by design.
Note that, in software, ChaCha20 beats AES and this is not a surprise since it is designed to be CPU-friendly.
*GCM is hard to use correctly, there are many pitfalls.