TL;DR If you only have 5 seconds to pick only one, go with AES-GCM. Most systems/libraries do both AES-GCM and ChaCha20-Poly1305 out-of-the-box.
AES-GCM (Galois Counter Mode)
- The most widely used block cipher worldwide.
- Mandatory as of TLS 1.2 (2008) and used by default by most clients.
- RFC 5288 year 2008 https://tools.ietf.org/html/rfc5288
- A separate cipher algorithm. No relation to AES.
- Designed to be fast, using operations and general construction that are efficient to execute on CPU.
- Widely used and widely adopted.
- Was pushed and adopted remarkably quickly, notably by CloudFlare, to improve mobile performance.
- Can be 3-5 times faster than AES-GCM on processors (ARM/mobile) that do not have dedicated AES instructions (see performance section).
- RFC 7905 year 2016 https://tools.ietf.org/html/rfc7905
AES-CCM (Counter with CBC-MAC)
- Alternative to GCM mode.
- Available in OpenSSL as of TLS 1.3 (2018), but disabled by default.
- Two AES computations per block, thus expected to be somewhat slower than AES-GCM.
- RFC 6655 year 2012 https://tools.ietf.org/html/rfc6655
- Much lower adoption, probably because it came after GCM and offer no significant benefit.
- First historic block cipher for AES.
- CBC mode is insecure and must not be used. It’s been progressively deprecated and removed from SSL libraries.
- Introduced with TLS 1.0 year 2002. Superseded by GCM in TLS 1.2 year 2008. Removed in TLS 1.3 year 2018.
- RFC 3268 year 2002 https://tools.ietf.org/html/rfc3268
Performance considerations (rough numbers)
- A stream cypher can typically encrypt at 100 Mbps to 1000 Mbps of data, pinning a core at 100% usage.
- Vary with CPU speed, implementation, AES128 vs AES256. Bear in mind that application have application code to run, besides encryption.
- A server typically handles multiple connections in parallel over multiple cores (thread/process pool), so maximum capacity is a multiple of the number above.
- TLS performance is a real world concern for any system doing 1 Gbps and upward.
- Recent x64 CPU (from Intel core 4xxx [*] / AMD Bulldozer) have dedicated hardware instructions (AES-NI) computing AES-GCM 2-10 times faster.
- ChaCha20-Poly1305 is much faster than AES on systems that do not have AES hardware (anything mobile or ARM).
[*] Intel heavily segments features (AES-NI) by market range (i7 high-end, i3 low-end, M laptops, etc…) so check the datasheet for support in older CPU. https://ark.intel.com/content/www/us/en/ark.html