18.1 Symmetric cipher suites in TLS 1.3
TLS 1.3 specifies a set of so-called symmetric cipher suites that Alice and Bob can use to protect the data transmitted via the TLS Record protocol. Each symmetric cipher suite is a pair composed of two cryptographic algorithms:
- An AEAD algorithm used for protecting the confidentiality and integrity of TLS records
- A hash algorithm used within the HKDF function to derive TLS secrets and shared keys
The name of a TLS symmetric cipher suite starts with the string TLS and has the following format:
TLS_<AEAD algorithm>_<Hash algorithm>
where <AEAD algorithm> and <Hash algorithm> are placeholders for specific algorithms. In addition, every cipher suite has a unique 2-byte identification value associated with it.
Table 18.1 shows the symmetric cipher suites that Alice and Bob can use according to the TLS 1.3 standard.
Cipher suite | 2-byte identifier |
TLS_AES_128_GCM_SHA256 | 0x13,0x01 |
TLS_AES_256_GCM_SHA384 | 0x13,0x02 |
TLS_CHACHA20_POLY1305_SHA256 | 0x13,0x03 |
TLS_AES_128_CCM_SHA256 | 0x13,0x04 |
TLS_AES_128_CCM_8_SHA256 | 0x13,0x05 |
Table 18.1: Symmetric cipher suites specified in the TLS 1.3 standard.
AEAD algorithms AEAD_AES_128_GCM, AEAD_AES_256_GCM, and AEAD_AES_128_CCM are defined in RFC 5116. The algorithm AEAD_AES_128_CCM_8 is defined in RFC 6655. The hash algorithms are specified in National Institute of Standards and Technology (NIST) [129].
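The naming scheme and the identifiers in Table 18.1 can be applied mechanically when inspecting what a peer offers. The following Python example is added here and is not code from the book; it assumes the suites arrive as the ClientHello cipher_suites vector of RFC 8446 (a 2-byte big-endian length followed by 2-byte identifiers), and the sample bytes and function names are constructed for illustration.

```python
import struct

# Table 18.1: 2-byte identifier -> cipher suite name
TLS13_SUITES = {
    (0x13, 0x01): "TLS_AES_128_GCM_SHA256",
    (0x13, 0x02): "TLS_AES_256_GCM_SHA384",
    (0x13, 0x03): "TLS_CHACHA20_POLY1305_SHA256",
    (0x13, 0x04): "TLS_AES_128_CCM_SHA256",
    (0x13, 0x05): "TLS_AES_128_CCM_8_SHA256",
}
# Output length in bytes of the hash used within HKDF
HASH_LEN = {"SHA256": 32, "SHA384": 48}

def split_suite(name):
    """Split TLS_<AEAD algorithm>_<Hash algorithm> into (aead, hash)."""
    if not name.startswith("TLS_"):
        raise ValueError("name does not start with TLS_: %r" % name)
    aead, _, hash_alg = name[4:].rpartition("_")  # hash is the last component
    if not aead or hash_alg not in HASH_LEN:
        raise ValueError("unrecognized suite name: %r" % name)
    return aead, hash_alg

def decode_cipher_suites(field):
    """Decode a cipher_suites vector into (id, name, aead, hash) tuples."""
    if len(field) < 2:
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack("!H", field[:2])
    body = field[2:]
    if length != len(body) or length % 2:
        raise ValueError("cipher_suites length does not match its contents")
    result = []
    for i in range(0, length, 2):
        ident = (body[i], body[i + 1])
        name = TLS13_SUITES.get(ident)
        if name is None:
            result.append((ident, None, None, None))  # not in Table 18.1
        else:
            aead, hash_alg = split_suite(name)
            result.append((ident, name, aead, hash_alg))
    return result

# Constructed sample: three suites from Table 18.1 plus one identifier outside it
SAMPLE = bytes.fromhex("0008" "1302" "1303" "1301" "c02f")

if __name__ == "__main__":
    for row in decode_cipher_suites(SAMPLE):
        print(row)
```

Identifiers that are not in Table 18.1 are returned with `None` fields rather than rejected, so the order of the peer's offer is preserved for inspection.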
18.2 Long-term security
In his famous book The Cathedral and the Bazaar [144], the American software developer and open-source advocate Eric Raymond coined the phrase "given enough eyeballs, all bugs are shallow". Raymond used the phrase – which later became known as Linus's Law in honor of Linus Torvalds – to highlight the benefits of the open-source development model, where the peer review conducted by a large developer community is very effective in identifying and fixing software bugs.
As discussed in Chapter 14, Block Ciphers and Their Modes of Operation, the AES algorithm was chosen in a worldwide public contest where the entire cryptographic community was able to submit their own proposals and find cryptographic flaws and weaknesses in others. The candidate algorithms were scrutinized by dozens of world-class cryptographers and leading experts in their respective sub-fields, and this type of contest for selecting cryptographic algorithms to be standardized has become a best practice.
Experts from academia, industry, and national security agencies have carefully investigated any potential weakness that AES might have, yet found nothing practically relevant. Had someone managed to discover a practically relevant cryptographic flaw in AES after the standard was announced by FIPS, they would have immediately received at least a tenure-track professorship, and certainly a prominent place in the cryptography community's hall of fame. Yet, more than 20 years after the introduction of AES, no one has found a serious security vulnerability in that block cipher.
Given all these facts, we can say for sure that AES is the gold standard! So, a natural question to ask is: why does TLS 1.3 specify a cipher suite with ChaCha20, a second block cipher? The reason, it turns out, is to have a single standby cipher that will be ready for adoption as an AES replacement if future advances in cryptanalysis uncover a serious cryptographic weakness in AES.