CNS - 31 - TLS v1.3

The following improvements were made in the latest version:

• Pruned all symmetric algorithms considered legacy like SHA-1, MD5, RC4, DES, etc.

• All left ciphers are AEAD, which thus support authentication and encryption in a single algorithm. This means that in the new version the hash function present in the cipher suite is the hash algorithm that is only used for the hmac-key-derivation-function. Example of supported cipher suites are the following ones

  • TLS_AES_128_GCM_SHA_256

  • TLS_AES_256_GCM_SHA_384

  • TLS_CHACHA20_POLY1305_SHA256

  • TLS_AES_128_CCM_SHA256

  • TLS_AES_128_CCM_8_SHA_256

• Perfect forward secrecy guaranteed in the new handshake, meaning that if a long-term private key is compromised at some point, the data delivered before this time is not affected. Notice that perfect forward secrecy is now becoming increasingly important because governments are able to do mass-scale surveillance and collect all the data for a long time.

Observation: Even without having powerful governments, perfect forward secrecy prevent software bugs like heartbleed to break all security. The commit which introduced this vulnerability was done on the 31 of december in 2011 time 23:00.

In the TLS community there was a lot of discussion for adding the possibility of using a pre-shared key for some environments. That is, there are some places for which is not convenient to have asymmetric encryption. Since TLS v1.2 there is thus the support for pre-shared key.

This is used in various situations such as:

• Limited and constrained environments.

• When you connect to a site and then after a few hours or days you want to connect back using the same pre-master secret.

Notice however that like this we lose the perfect forward secrecy property. Thus, in TLS v1.3 an optional support was added to cover this issue by combining the pre-shared key with an anonymous DH.

When the server receives the value \(g^x\) it can generate dynamically a master key which depends on the pre-shared key, the nonce, and also the DH key generated on the fly. Notice that no certificates are needed, because the final key is not used for encryption but only as an extra nonce in the computation of the actual master secret.

\[\text{HKDF}_{\text{psk}}\bigg(N_c, \,\, N_s, \,\, (g^x)^y\Bigg)\]

Thanks to this we have achieved perfect forward secrecy with a static pre shared key (psk) and with no certificate.

The detailed structure of the new handshake is shown below

At some point Google tried to optimize the usage of HTTPS in order to remove all the waiting time from the moment a TCP connection is started to the moment the TLS handshake finishes. Even though this may seem impossible it was actually done by using pre-shared keys.

The basic idea is that the client can generate a new key by using the HKDF with the psk and by using as argument the Client-Hello-content message. This method is much faster in terms of speed, since with this approach when we open the TLS message inside the very first message we can already put the HTTP request, saving us a full RTT. The trade-off of this speed gain is lost in security however, since in the time window between the first and second message you are vulnerable to replay attack, since there is only the client nonce and thus the server is not able to tell if a request is being replied or not.

Observation: By combining the usage of a pre-shared key for sessions to the same server with the 0-RTT data transfer you save a lot of time. This however must come at the risk of a replay attack. In case of google this is not a big deal, but for other services the story might be different.