What AES ciphers to use between CBC, GCM, CCM, Chacha-Poly?


TL;DR If you only have 5 seconds to pick only one, go with AES-GCM. Most systems/libraries do both AES-GCM and ChaCha20-Poly1305 out-of-the-box.

AES-GCM (Galois Counter Mode)

ChaCha20-Poly1305

  • A separate cipher algorithm. No relation to AES.
  • Designed to be fast, using operations and general construction that are efficient to execute on CPU.
  • Widely used and widely adopted.
  • Was pushed and adopted remarkably quickly, notably by CloudFlare, to improve mobile performance.
  • Can be 3-5 times faster than AES-GCM on processors (ARM/mobile) that do not have dedicated AES instructions (see performance section).
  • RFC 7905 year 2016 https://tools.ietf.org/html/rfc7905

AES-CCM (Counter with CBC-MAC)

  • Alternative to GCM mode.
  • Available in OpenSSL as of TLS 1.3 (2018), but disabled by default.
  • Two AES computations per block, thus expected to be somewhat slower than AES-GCM.
  • RFC 6655 year 2012 https://tools.ietf.org/html/rfc6655
  • Much lower adoption, probably because it came after GCM and offer no significant benefit.

AES-CBC

  • First historic block cipher for AES.
  • CBC mode is insecure and must not be used. It’s been progressively deprecated and removed from SSL libraries.
  • Introduced with TLS 1.0 year 2002. Superseded by GCM in TLS 1.2 year 2008. Removed in TLS 1.3 year 2018.
  • RFC 3268 year 2002 https://tools.ietf.org/html/rfc3268

Performance considerations (rough numbers)

  • A stream cypher can typically encrypt at 100 Mbps to 1000 Mbps of data, pinning a core at 100% usage.
  • Vary with CPU speed, implementation, AES128 vs AES256. Bear in mind that application have application code to run, besides encryption.
  • A server typically handles multiple connections in parallel over multiple cores (thread/process pool), so maximum capacity is a multiple of the number above.
  • TLS performance is a real world concern for any system doing 1 Gbps and upward.
  • Recent x64 CPU (from Intel core 4xxx [*] / AMD Bulldozer) have dedicated hardware instructions (AES-NI) computing AES-GCM 2-10 times faster.
  • ChaCha20-Poly1305 is much faster than AES on systems that do not have AES hardware (anything mobile or ARM).

[*] Intel heavily segments features (AES-NI) by market range (i7 high-end, i3 low-end, M laptops, etc…) so check the datasheet for support in older CPU. https://ark.intel.com/content/www/us/en/ark.html

2 thoughts on “What AES ciphers to use between CBC, GCM, CCM, Chacha-Poly?

  1. You article is fascinating. I would really love to hear your updated view of Airbnb. I have a lot at stake. I’m starting to wonder if bankruptcy is in fact possible for Airbnb in the next 12 months.

    Like

    • Nothing changed since I wrote the AirBnb article. AirBnb can’t go bankrupt, it’s way too lucrative medium-long term to let it die. They might need cash from investors to sustain a period without bookings and have to layoff a substantial portion of the staff, that’s it.

      You seem to run a company to manage AirBnb properties? Accounting, cleaning, bookings, renovations, etc…
      How much of your activity is gone since the lockdown? Maybe > 80%?
      AirBnb (and your company) will do fine again when the lockdown will be lifted, but nobody knows how long it will take to come (months? a year?). I don’t know if your company can survive long enough if you have fixed costs (offices, salaries) and no revenues. I wouldn’t worry about AirBnb at all, just worry about your own cash flow.

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s