

3.3.1 Encryption algorithms used in the record layer

Confidentiality in the record layer is achieved by using symmetric ciphers such as AES or CHACHA20. Ciphers are encryption algorithms that use a single secret key to encrypt and decrypt data. Early versions of TLS distinguished between block and stream ciphers and had message authentication attached to them by the protocol, whereas later versions switched to authenticated-encryption (AEAD) ciphers. AEAD ciphers are defined to combine encryption and authentication; as such they are not only more efficient, because the primitives used are designed to interoperate nicely, but they are also known to combine in a secure way.

The ciphers and MAC algorithms supported in GnuTLS are shown in Table 3.1 and Table 3.2.

Each entry lists the algorithm, its type, the protocols it applies to, and a description.

Algorithm: AES-128-GCM, AES-256-GCM
  Type: AEAD
  Applicable protocols: TLS 1.2, TLS 1.3
  Description: This is the AES algorithm in the authenticated encryption GCM mode. This mode combines message authentication and encryption and can be extremely fast on CPUs that support hardware acceleration.

Algorithm: AES-128-CCM, AES-256-CCM
  Type: AEAD
  Applicable protocols: TLS 1.2, TLS 1.3
  Description: This is the AES algorithm in the authenticated encryption CCM mode. This mode combines message authentication and encryption and is often used by systems without AES or GCM acceleration support.

Algorithm: CHACHA20-POLY1305
  Type: AEAD
  Applicable protocols: TLS 1.2, TLS 1.3
  Description: CHACHA20-POLY1305 is an authenticated encryption algorithm based on the CHACHA20 cipher and the POLY1305 MAC. CHACHA20 is a refinement of the SALSA20 algorithm, a cipher approved by the European ESTREAM project. POLY1305 is a Wegman-Carter one-time authenticator. The combination provides a fast stream cipher suitable for systems where a hardware AES accelerator is not available.

Algorithm: AES-128-CCM-8, AES-256-CCM-8
  Type: AEAD
  Applicable protocols: TLS 1.2, TLS 1.3
  Description: This is the AES algorithm in the authenticated encryption CCM mode with the authentication tag truncated to 64 bits. This mode is for communication with restricted systems.

Algorithm: CAMELLIA-128-GCM, CAMELLIA-256-GCM
  Type: AEAD
  Applicable protocols: TLS 1.2
  Description: This is the CAMELLIA algorithm in the authenticated encryption GCM mode.

Algorithm: AES-128-CBC, AES-256-CBC
  Type: Legacy (block)
  Applicable protocols: TLS 1.0, TLS 1.1, TLS 1.2
  Description: AES or RIJNDAEL is the block cipher algorithm that replaces the old DES algorithm. It has a 128-bit block size and is used in CBC mode.

Algorithm: CAMELLIA-128-CBC, CAMELLIA-256-CBC
  Type: Legacy (block)
  Applicable protocols: TLS 1.0, TLS 1.1, TLS 1.2
  Description: This is a 128-bit block cipher developed by Mitsubishi and NTT. It is one of the approved ciphers of the European NESSIE and Japanese CRYPTREC projects.

Algorithm: 3DES-CBC
  Type: Legacy (block)
  Applicable protocols: TLS 1.0, TLS 1.1, TLS 1.2
  Description: This is the DES block cipher algorithm used with triple encryption (EDE). It has a 64-bit block size and is used in CBC mode.

Algorithm: ARCFOUR-128
  Type: Legacy (stream)
  Applicable protocols: TLS 1.0, TLS 1.1, TLS 1.2
  Description: ARCFOUR-128 is an algorithm compatible with RSA's RC4 algorithm, which is considered to be a trade secret. It is considered to be broken, and is only used for compatibility purposes. For this reason it is not enabled by default.

Algorithm: GOST28147-TC26Z-CNT
  Type: Legacy (stream)
  Applicable protocols: TLS 1.2
  Description: This is the 64-bit block cipher GOST 28147-89 with the TC26Z S-Box working in CNT mode. It is one of the approved ciphers in Russia. It is not enabled by default.

Algorithm: NULL
  Type: Legacy (stream)
  Applicable protocols: TLS 1.0, TLS 1.1, TLS 1.2
  Description: NULL is the empty/identity cipher which doesn't encrypt any data. It can be combined with data authentication under TLS 1.2 or earlier, but is only used transiently under TLS 1.3 until encryption starts. This cipher cannot be negotiated by default (it needs to be explicitly enabled) under TLS 1.2, and cannot be negotiated at all under TLS 1.3. When enabled, TLS 1.3 (or later) support will be implicitly disabled.

Table 3.1: Supported ciphers in TLS.
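To make concrete what the AEAD entries of Table 3.1 combine, the following is an added example (not GnuTLS code) that protects one TLS 1.3 record with AES-128-GCM from Go's standard library: the 5-byte record header is bound as associated data, the per-record nonce is the static write IV XORed with the record sequence number (the TLS 1.3 rule from RFC 8446, not stated on this page), and any change to header, ciphertext or sequence number makes the tag check fail before any plaintext is released. The key and IV are constructed sample values, not output of the real key schedule.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
)

// Constructed sample values standing in for the 16-byte AES-128 write key and
// the 12-byte write IV that the TLS 1.3 key schedule derives for one direction.
var sampleKey = []byte("0123456789abcdef")
var sampleIV = []byte{0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18, 0x29, 0x3a, 0x4b, 0x5c}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches here
	}
	aead, _ := cipher.NewGCM(block) // AES has the 128-bit block size GCM needs
	return aead
}

// recordNonce XORs the 64-bit record sequence number into the low 8 bytes of
// the static IV, as TLS 1.3 does; the sequence number itself is never sent.
func recordNonce(iv []byte, seq uint64) []byte {
	n := append([]byte(nil), iv...)
	binary.BigEndian.PutUint64(n[4:], binary.BigEndian.Uint64(n[4:])^seq)
	return n
}

// recordHeader is the 5-byte header (type 23, legacy version 0x0303, body
// length) that the AEAD authenticates as associated data but does not encrypt.
func recordHeader(bodyLen int) []byte {
	h := []byte{23, 3, 3, 0, 0}
	binary.BigEndian.PutUint16(h[3:], uint16(bodyLen))
	return h
}

// sealRecord returns header || ciphertext || 16-byte tag for one record.
func sealRecord(key, iv []byte, seq uint64, plaintext []byte) []byte {
	aead := gcm(key)
	header := recordHeader(len(plaintext) + aead.Overhead())
	return append(header, aead.Seal(nil, recordNonce(iv, seq), plaintext, header)...)
}

// openRecord verifies the tag over header and ciphertext before releasing any
// plaintext; a changed byte anywhere, or the wrong sequence number, is an error.
func openRecord(key, iv []byte, seq uint64, record []byte) ([]byte, error) {
	if len(record) < 5 {
		return nil, errors.New("record too short")
	}
	return gcm(key).Open(nil, recordNonce(iv, seq), record[5:], record[:5])
}
```

The legacy entries in the table lack this binding: with CBC or ARCFOUR the protocol has to add the MAC itself, which is exactly the arrangement the AEAD modes were introduced to replace.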

Each entry lists the algorithm and a description.

Algorithm: MAC-MD5
  Description: This is an HMAC based on MD5, a cryptographic hash algorithm designed by Ron Rivest. Outputs 128 bits of data.

Algorithm: MAC-SHA1
  Description: An HMAC based on the SHA1 cryptographic hash algorithm designed by the NSA. Outputs 160 bits of data.

Algorithm: MAC-SHA256
  Description: An HMAC based on SHA2-256. Outputs 256 bits of data.

Algorithm: MAC-SHA384
  Description: An HMAC based on SHA2-384. Outputs 384 bits of data.

Algorithm: GOST28147-TC26Z-IMIT
  Description: This is the 64-bit block cipher GOST 28147-89 with the TC26Z S-Box working in a special MAC mode called imitovstavka. It is one of the approved MAC algorithms in Russia. Outputs 32 bits of data. It is not enabled by default.

Algorithm: MAC-AEAD
  Description: This indicates that an authenticated encryption algorithm, such as GCM, is in use.

Table 3.2: Supported MAC algorithms in TLS.

