jspωiki
0-RTT Handshakes

Overview#

0-RTT Handshakes ("Zero-RTT ") is a TLS 1.3 TLS Handshake proposal when clients and servers share a PSK (either obtained externally or via a previous handshake), TLS 1.3 allows clients to send data on the first flight ("early data").

0-RTT Handshakes was inspired by the QUIC Protocol

0-RTT Handshakes is part of the replacement of TLS Session Resumption

The client uses the PSK to authenticate the server and to encrypt the early data.

As shown in below, the 0-RTT data is just added to the 1-RTT Handshake in the first flight. The rest of the handshake uses the same messages as for a 1-RTT handshake with PSK resumption.

Client                                           Server
ClientHello
+ early_data
+ key_share*
+ psk_key_exchange_modes
+ pre_shared_key
(Application Data*)        -------->
                                                  ServerHello
                                                  + pre_shared_key
                                                  + key_share*
                                                  {EncryptedExtensions}
                                                  + early_data*
                                                  {Finished}
                           <--------             [Application Data*]
(EndOfEarlyData)
{Finished}                 -------->
[Application Data]         <------->             [Application Data]

+  Indicates noteworthy extensions sent in the previously noted message.
*  Indicates optional or situation-dependent messages/extensions that are not always sent.
() Indicates messages protected using keys derived from client_early_traffic_secret.
{} Indicates messages protected using keys derived from a [sender]_handshake_traffic_secret.
[] Indicates messages protected using keys derived from [sender]_application_traffic_secret_N

IMPORTANT NOTE: The security properties for 0-RTT data are weaker than those for other kinds of TLS data. Specifically:

  • This data is not forward secret, as it is encrypted solely under keys derived using the offered PSK.
  • There are no guarantees of non-replay between connections. Protection against replay for ordinary TLS 1.3 1-RTT data is provided via the server's Random value, but 0-RTT data does not depend on the ServerHello and therefore has weaker guarantees. This is especially relevant if the data is authenticated either with TLS client authentication or inside the application protocol. The same warnings apply to any use of the early_exporter_master_secret.

0-RTT Handshakes data cannot be duplicated within a connection (i.e., the server will not process the same data twice for the same connection) and an attacker will not be able to make 0-RTT data appear to be 1-RTT data (because it is protected with different keys.) Appendix E.5 contains a description of potential attacks and Section 8 describes mechanisms which the server can use to limit the impact of replay.

More Information#

There might be more information for this subject on one of the following: