TLS 1.3

Motivation for TLS 1.3

The TLS protocols date back to the mid-1990s, and all versions up to TLS 1.2 are based on a similar general design. While this has served TLS fairly well, there have been two drivers for revisiting the design of TLS:

  • Weaknesses: Since an attack on the renegotiation feature of TLS (an efficient way of adjusting agreed TLS parameters without requiring an entirely new run of the Handshake Protocol) came to light in 2009, TLS has come under intense scrutiny from security researchers. This has resulted in the discovery of several attacks on TLS, some of which have concerned weaknesses related to using specific cipher suites. These attacks have varied in their practicality, but the cumulative effect has been to reduce confidence in the overall security of TLS.

  • Efficiency: The Handshake Protocol is somewhat inefficient, requiring two round trips between the client and server. A redesign of TLS creates the opportunity to streamline establishing an initial secure connection.

What is new in TLS 1.3?

Perhaps the biggest change between TLS 1.3 and previous versions is the process by which the security of TLS 1.3 has been designed. The various attacks on earlier versions of TLS resulted in a series of fixes being proposed (for example, a recommendation to stop using the RC4 encryption algorithm).

This retrospective patching is not desirable, so the design of TLS 1.3 involved much wider engagement with the cryptographic community. In particular, a degree of formal security modeling was conducted on certain aspects of the protocol to understand its security better.

As a result, there are good reasons to believe that TLS 1.3 will not be subject to the range of attacks that affected earlier versions.

The main differences between TLS 1.3 and earlier versions are as follows:

  • Perfect Forward Secrecy: As well as the security requirements identified, TLS 1.3 further requires perfect forward secrecy. This is achieved by removing support for RSA-based key establishment and mandating the use of ephemeral Diffie-Hellman.

  • New Handshake Protocol: The Handshake Protocol is completely redesigned in TLS 1.3. The regular TLS 1.3 handshake is made more efficient by only requiring one full round trip between client and server.

    More of the data exchanged in the new Handshake Protocol is encrypted. Further, the new Handshake Protocol messages are protected by dedicated keys (in contrast to earlier versions of TLS, where the two Finished messages of the Handshake Protocol are protected using keys also used in the Record Protocol).

  • Authenticated encryption modes: Encryption in TLS 1.3 must be conducted using an authenticated-encryption mode of a block cipher. Authenticated encryption was first introduced in TLS 1.2, but only as an option.

TLS 1.3 handshake protocol description

We will describe a simplified version of the regular TLS 1.3 Handshake Protocol. Note that TLS 1.3 specifies a modified Handshake Protocol for the case where the client and server already share a key, in which case they can optionally apply cryptographic protection to early client data straight away.

We will only describe the version of the regular TLS 1.3 Handshake Protocol that provides unilateral entity authentication of the server. Our description is informal (to highlight changes in comparison with previous versions). Once again, our names for the protocol messages (and their separation) stray slightly from those used in the ‘official’ TLS 1.3 specification.

Here we have an actual coded example of a TLS handshake in which we connect with the server and pull the certificate.
