RFC 8446: Transport Layer Security 1.3

September 11, 2019
tls web

Transport Layer Security 1.3 (RFC 8446)

1. Major differences from TLS 1.2

AEAD: Authenticated Encryption with Associated Data

2. Protocol Overview

Handshake Protocol and Record Protocol


Basic Key Exchange Modes:

Session Resumption in TLS 1.3

Session ID used in TLS 1.2 has been obsoleted.

PSK: a PSK identity that corresponds to a unique key derived from the initial handshake.

In TLS 1.3:

  * PSKs are used in ECDHE (with FS)
  * PSKs are used alone (without FS)

0-RTT mode


The security properties for 0-RTT data are weaker than those for other kinds of TLS data:

  1. No guarantee of forward secrecy: the data is protected using the PSK only.
  2. No guarantee of non-replay.

3. Handshake Protocol

No renegotiation in TLS 1.3

Three basic functions:

  1. Key Exchange Messages
  2. Server Parameters Messages
  3. Authentication

Client Hello: either a set of Diffie-Hellman key shares (in the “key_share” (Section 4.2.8) extension), a set of pre-shared key labels (in the “pre_shared_key” (Section 4.2.11) extension), or both.

Incorrect DHE Share

The server corrects the mismatch with a HelloRetryRequest, and the client needs to restart the handshake with an appropriate “key_share” extension.

4. Record Protocol

Four types: handshake, application_data, alert, and change_cipher_spec.

change_cipher_spec is used only for compatibility purposes.

Records may be encrypted by AEAD algorithms (application_data).

5. 0-RTT and Anti-Replay

To defend against replay attacks in 0-RTT, there are two basic requirements:

  1. The server MUST ensure that any instance of it would accept 0-RTT for the same 0-RTT handshake at most once;
  2. Applications must implement their own anti-replay protection.

How can this be done?

  1. Single-Use Tickets
  2. Client Hello Recording
  3. Freshness Checks
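
The sketch below combines two of these mechanisms, Client Hello Recording and Freshness Checks, on the server side. It is an added example, not code from the RFC or from any TLS library; the class name, the ticket dictionary fields (created_ms, rtt_ms, age_add) and the 10-second window are assumptions chosen for illustration.

```python
import hashlib

WINDOW_MS = 10_000  # assumed freshness window, sized to the tolerated clock skew


class ZeroRttGuard:
    """Decides whether early data may be accepted for one ClientHello."""

    def __init__(self, window_ms=WINDOW_MS):
        self.window_ms = window_ms
        self.seen = {}  # SHA-256 of PSK binder -> expected arrival time (ms)

    def _expire(self, now_ms):
        # A hello whose expected arrival time is older than the window can no
        # longer pass the freshness check, so its record can be dropped. This
        # is what keeps the recording store bounded.
        cutoff = now_ms - self.window_ms
        self.seen = {d: t for d, t in self.seen.items() if t >= cutoff}

    def check(self, ticket, obfuscated_age, binder, now_ms):
        """Return 'accept', 'stale' or 'replay'.

        On 'stale' or 'replay' the caller must not process the early data.
        """
        # Freshness check: recover the client's view of the ticket age
        # (milliseconds, modulo 2**32) and predict when the hello should arrive.
        client_age = (obfuscated_age - ticket["age_add"]) % 2**32
        expected = ticket["created_ms"] + ticket["rtt_ms"] + client_age
        if abs(now_ms - expected) > self.window_ms:
            return "stale"
        # ClientHello recording: remember a value unique to this hello
        # (here the PSK binder) and refuse duplicates inside the window.
        self._expire(now_ms)
        digest = hashlib.sha256(binder).digest()
        if digest in self.seen:
            return "replay"
        self.seen[digest] = expected
        return "accept"
```

The store is per server instance, so a deployment with several instances needs shared state or single-use tickets to meet the "at most once" requirement across all of them.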
