This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor
!!! Overview
[{$pagename}] ("Zero-[RTT]") is a [TLS 1.3] [TLS Handshake] proposal: when clients and servers share a [PSK] (either obtained externally or via a previous handshake), [TLS 1.3] allows [clients] to send data on the first flight ("early data").
[{$pagename}] was inspired by the [QUIC] [Protocol].
[{$pagename}] is part of the replacement of [TLS Session Resumption].
The client uses the PSK to authenticate the server and to [encrypt] the early [data].
As shown below, the 0-RTT data is simply added to the [1-RTT Handshake] in the first flight. The rest of the handshake uses the same messages as a 1-RTT handshake with PSK resumption.
{{{
       Client                                               Server

       ClientHello
       + early_data
       + key_share*
       + psk_key_exchange_modes
       + pre_shared_key
       (Application Data*)     -------->
                                                       ServerHello
                                                  + pre_shared_key
                                                      + key_share*
                                             {EncryptedExtensions}
                                                     + early_data*
                                                        {Finished}
                               <--------       [Application Data*]
       (EndOfEarlyData)
       {Finished}              -------->
       [Application Data]      <------->        [Application Data]

               +  Indicates noteworthy extensions sent in the
                  previously noted message.

               *  Indicates optional or situation-dependent
                  messages/extensions that are not always sent.

               () Indicates messages protected using keys
                  derived from client_early_traffic_secret.

               {} Indicates messages protected using keys
                  derived from a [sender]_handshake_traffic_secret.

               [] Indicates messages protected using keys
                  derived from [sender]_application_traffic_secret_N.
}}}
__IMPORTANT NOTE:__ The security properties for 0-RTT data are weaker than those for other kinds of TLS data. Specifically:
* This data is not forward secret, as it is encrypted solely under keys derived using the offered PSK.
* There are no guarantees of non-replay between connections. Protection against replay for ordinary TLS 1.3 1-RTT data is provided via the server's Random value, but 0-RTT data does not depend on the ServerHello and therefore has weaker guarantees. This is especially relevant if the data is authenticated either with TLS client authentication or inside the [application] [protocol]. The same warnings apply to any use of the early_exporter_master_secret.
[{$pagename}] data cannot be duplicated within a connection (i.e., the server will not process the same data twice for the same connection), and an attacker will not be able to make 0-RTT data appear to be 1-RTT data (because it is protected with different keys). Appendix E.5 contains a description of potential attacks, and Section 8 describes mechanisms which the server can use to limit the impact of replay.
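The weaker properties above follow directly from the key schedule: the early-data keys are derived from the PSK and the ClientHello alone, with no ServerHello (and so no server Random or (EC)DHE output) in the input. The following Python is an added example, not code from the original page or from any TLS library; it implements the RFC 8446 Section 7.1 derivation of client_early_traffic_secret with the standard library, and for contrast the client handshake traffic secret that does mix in the (EC)DHE output and ServerHello. The PSK, transcript and (EC)DHE bytes are constructed placeholders, and the cipher suite is assumed to be TLS_AES_128_GCM_SHA256.

```python
import hashlib
import hmac
HASH = hashlib.sha256            # hash of the assumed suite TLS_AES_128_GCM_SHA256
HASH_LEN = HASH().digest_size    # 32 bytes

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """RFC 8446 7.1 HkdfLabel: uint16 length | opaque "tls13 " + label | opaque context."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)

def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label over Transcript-Hash(Messages)."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)

def early_secret(psk: bytes) -> bytes:
    # Early Secret = HKDF-Extract(salt = 0, IKM = PSK): nothing from the server is involved.
    return hkdf_extract(bytes(HASH_LEN), psk)

def client_early_traffic_secret(psk: bytes, client_hello: bytes) -> bytes:
    # Transcript covers only the ClientHello; the ServerHello and its Random are absent.
    return derive_secret(early_secret(psk), b"c e traffic", client_hello)

def early_data_key_iv(psk: bytes, client_hello: bytes) -> tuple:
    # AES-128-GCM record key (16 bytes) and IV (12 bytes) protecting the "( )" messages above.
    cets = client_early_traffic_secret(psk, client_hello)
    return (hkdf_expand_label(cets, b"key", b"", 16),
            hkdf_expand_label(cets, b"iv", b"", 12))

def client_handshake_traffic_secret(psk: bytes, ecdhe: bytes, client_hello: bytes, server_hello: bytes) -> bytes:
    # Contrast: the handshake secret mixes in the (EC)DHE output and the ServerHello, so 1-RTT keys differ per connection.
    derived = derive_secret(early_secret(psk), b"derived", b"")
    handshake_secret = hkdf_extract(derived, ecdhe)
    return derive_secret(handshake_secret, b"c hs traffic", client_hello + server_hello)
```

Replaying the same ClientHello against any server holding the PSK reproduces the same early_data_key_iv, which is exactly why the server, not the key schedule, must enforce single-use tickets or a ClientHello cache to limit replay.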
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Improved Handshakes in TLS version 1.3|https://timtaubert.de/blog/2015/11/more-privacy-less-latency-improved-handshakes-in-tls-13/|target='_blank'] - based on information obtained 2017-01-05