Overview[1][2][3]#
TLS 1.3 is Transport Layer Security (TLS) version 1.3 (TLSv1.3), defined in RFC 8446. TLS 1.3 is a major overhaul and has two main advantages over previous versions:
- Enhanced security
- Improved speed
TLS 1.3 supersedes and obsoletes previous versions of TLS. Specifically, RFC 8446:
- obsoletes TLS 1.2 (RFC 5246)
- obsoletes the Transport Layer Security (TLS) Session Resumption without Server-Side State (TLS Ticket) mechanism defined in RFC 5077 and replaces it with the PSK-based resumption mechanism defined in RFC 8446 Section 2.2
- updates RFC 5705 as described in RFC 8446 Section 7.5, because the way keys are derived has changed
- changes how Online Certificate Status Protocol (OCSP) messages are carried and therefore updates RFC 6066 and obsoletes RFC 6961, as described in RFC 8446 Section 4.4.2.1
TLS 1.3 embraces the "less is more" philosophy, removing support for older broken forms of cryptography. That means you can’t turn on the potentially vulnerable stuff, even if you try. The list of TLS 1.2 features that have been removed is extensive, and most of the exiled features have been associated with high profile attacks.[2]
TLS 1.3 Supports 5 Cipher Suites#
- TLS 1.3 Cipher Suites
TLS 1.3 Key-Exchange algorithms#
Other major differences from TLS 1.2 include:#
- Removing support for cryptographically weak and lesser-used named elliptic curves
- Removing support for the MD5 and SHA-224 cryptographic hash functions
- Requiring digital signatures even when a previous configuration is used
- Replacing TLS Session Resumption with PSK and tickets
- Supporting 1-RTT handshakes and initial support for 0-RTT handshakes
- All handshake messages after the ServerHello are now encrypted
- Key derivation functions have been re-designed, with the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) being used as a primitive
- Integrating use of the session hash (transcript hash)
- Deprecating use of the record layer version number and freezing the number for improved backwards compatibility
- Moving some security-related algorithm details from an appendix to the specification and relegating ClientKeyShare to an appendix
- Integrating HKDF and the semi-ephemeral Diffie-Hellman proposal
- All symmetric key cryptography algorithms use Authenticated Encryption with Associated Data (AEAD)
- RSA signatures in the handshake (CertificateVerify) now use the Probabilistic Signature Scheme (RSASSA-PSS); PKCS#1 v1.5 padding remains allowed only for signatures inside certificates
- Addition of the ChaCha20 stream cipher with the Poly1305 Message Authentication Code (the only stream cipher supported)
- Addition of the Ed25519 and Ed448 digital signature algorithms
- Addition of the X25519 and X448 key-exchange protocols
Dropping support for many insecure or obsolete features, including:#
- TLS Compression
- TLS Renegotiation: TLS 1.3 forbids renegotiation; if a server that has negotiated TLS 1.3 receives a ClientHello at any other time, it MUST terminate the connection with an unexpected_message alert
- non-AEAD ciphers
- static RSA: the cipher suites that use the public key contained in the server certificate for RSA key-exchange
- static Diffie-Hellman key-exchange
- custom DHE groups (only named groups from the supported_groups extension remain)
- point format negotiation
- Change Cipher Spec protocol
- the ClientHello and ServerHello UNIX time (gmt_unix_time) field
- the length field as AD input to AEAD ciphers (the record header itself is now the additional data)
- SSL or RC4 negotiation for backwards compatibility (now prohibited)
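Several of the removals above concern the record layer: the version field is frozen at 0x0303, the Change Cipher Spec protocol is gone, and the AEAD additional data is simply the record header rather than a separate length field. The following added example (not from the original page) implements that framing as RFC 8446 Section 5 specifies it: the TLSInnerPlaintext encoding that hides the real content type under zero padding, the TLSCiphertext header that doubles as the AEAD additional data, and the per-record nonce of Section 5.3. The standard library has no AES-GCM, so the AEAD itself is passed in as a `seal(nonce, plaintext, additional_data)` callable; the one used under `main` is a labelled placeholder that only appends a dummy tag, and a real deployment would pass something like `AESGCM(key).encrypt` from the `cryptography` package.

```python
import struct

ALERT, HANDSHAKE, APPLICATION_DATA = 21, 22, 23
LEGACY_RECORD_VERSION = 0x0303        # frozen: every TLS 1.3 record still says "TLS 1.2" here
AEAD_TAG_LENGTH = 16                  # all RFC 8446 suites carry a 16-byte tag
MAX_CIPHERTEXT_LENGTH = 2**14 + 256   # larger is a record_overflow alert


def encode_inner_plaintext(content: bytes, content_type: int, padding: int = 0) -> bytes:
    """TLSInnerPlaintext = content || real ContentType || zero padding."""
    return content + bytes([content_type]) + b"\x00" * padding


def decode_inner_plaintext(inner: bytes):
    """Strip trailing zeros; the last non-zero byte is the real content type."""
    end = len(inner)
    while end > 0 and inner[end - 1] == 0:
        end -= 1
    if end == 0:
        raise ValueError("unexpected_message: TLSInnerPlaintext carries no content type")
    return inner[:end - 1], inner[end - 1]


def record_header(ciphertext_length: int) -> bytes:
    """TLSCiphertext header: opaque_type (always application_data),
    legacy_record_version, length. This exact byte string is the AEAD additional data."""
    if ciphertext_length > MAX_CIPHERTEXT_LENGTH:
        raise ValueError("record_overflow")
    return struct.pack("!BHH", APPLICATION_DATA, LEGACY_RECORD_VERSION, ciphertext_length)


def parse_record_header(header: bytes) -> int:
    """Validate the five-byte header of a protected record and return the ciphertext length."""
    opaque_type, version, length = struct.unpack("!BHH", header[:5])
    if opaque_type != APPLICATION_DATA or version != LEGACY_RECORD_VERSION:
        raise ValueError("unexpected_message")
    if length > MAX_CIPHERTEXT_LENGTH:
        raise ValueError("record_overflow")
    return length


def per_record_nonce(write_iv: bytes, sequence_number: int) -> bytes:
    """RFC 8446 5.3: the 64-bit sequence number, left-padded with zeros to the
    IV length, XORed with the static write IV. No nonce ever travels on the wire."""
    seq = sequence_number.to_bytes(len(write_iv), "big")
    return bytes(a ^ b for a, b in zip(write_iv, seq))


def protect_record(seal, write_iv: bytes, sequence_number: int,
                   content: bytes, content_type: int, padding: int = 0) -> bytes:
    """Frame one protected record: header || AEAD(nonce, inner, aad=header)."""
    inner = encode_inner_plaintext(content, content_type, padding)
    header = record_header(len(inner) + AEAD_TAG_LENGTH)
    nonce = per_record_nonce(write_iv, sequence_number)
    return header + seal(nonce, inner, header)


if __name__ == "__main__":
    # PLACEHOLDER, not an AEAD: appends a dummy tag so the framing can be shown offline.
    placeholder_seal = lambda nonce, plaintext, aad: plaintext + b"\x00" * AEAD_TAG_LENGTH
    write_iv = bytes.fromhex("0102030405060708090a0b0c")   # constructed IV
    record = protect_record(placeholder_seal, write_iv, 0, b"GET / HTTP/1.1\r\n", APPLICATION_DATA, padding=4)
    print("wire record:", record.hex())
    print("ciphertext length from header:", parse_record_header(record))
    print("inner plaintext decodes to:", decode_inner_plaintext(record[5:-AEAD_TAG_LENGTH]))
```

Because the real content type is inside the encrypted body, an on-path observer sees only application_data records of a chosen length; handshake messages after ServerHello and alerts look the same as data, which is exactly what the "all handshake messages after the ServerHello are now encrypted" item above describes.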
More Information#
There might be more information for this subject on one of the following:
- 0-RTT Handshakes
- Change_cipher_spec
- Cipher_suites
- ClientHello
- ClientKeyExchange
- Deprecating TLSv1.0 and TLSv1.1
- Diffie-Hellman or RSA
- EDirectory TLS
- Encrypted Server Name Indication
- EncryptedExtensions
- Export-grade
- HelloRetryRequest
- Network Security Services
- OpenSSL
- Pre_shared_key
- RFC 8446
- RSA key-exchange
- Record Protocol
- ServerHello
- ServerKeyExchange
- Supported_versions
- TLS Alert Messages
- TLS Compression
- TLS Full Handshake
- TLS Renegotiation
- TLS Session Resumption
- TLSv1.3
- Transport Layer Security
- [#1] - Transport_Layer_Security#TLS_1.3_.28draft.29 - based on information obtained 2017-02-22
- [#2] - Introducing TLS 1.3 - based on information obtained 2017-03-02
- [#3] - A Detailed Look at RFC 8446 (a.k.a. TLS 1.3) - based on information obtained 2018-08-11