!!! Overview

[{$pagename}] ("Zero-[RTT]") is a [TLS 1.3] [TLS Handshake] proposal: when clients and servers share a [PSK] (either obtained externally or via a previous handshake), [TLS 1.3] allows [clients] to send data on the first flight ("early data").

[{$pagename}] was inspired by the [QUIC] [Protocol].

[{$pagename}] is part of the replacement of [TLS Session Resumption].

The client uses the PSK to authenticate the server and to [encrypt] the early [data]. As shown below, the 0-RTT data is just added to the [1-RTT Handshake] in the first flight. The rest of the handshake uses the same messages as for a 1-RTT handshake with PSK resumption.

{{{
         Client                                               Server

         ClientHello
         + early_data
         + key_share*
         + psk_key_exchange_modes
         + pre_shared_key
         (Application Data*)     -------->
                                                         ServerHello
                                                    + pre_shared_key
                                                        + key_share*
                                               {EncryptedExtensions}
                                                       + early_data*
                                                          {Finished}
                                 <--------       [Application Data*]
         (EndOfEarlyData)
         {Finished}              -------->
         [Application Data]      <------->        [Application Data]

               +  Indicates noteworthy extensions sent in the
                  previously noted message.

               *  Indicates optional or situation-dependent
                  messages/extensions that are not always sent.

               () Indicates messages protected using keys
                  derived from client_early_traffic_secret.

               {} Indicates messages protected using keys
                  derived from a [sender]_handshake_traffic_secret.

               [] Indicates messages protected using keys
                  derived from [sender]_application_traffic_secret_N.
}}}

__IMPORTANT NOTE:__ The security properties for 0-RTT data are weaker than those for other kinds of TLS data. Specifically:

* This data is not forward secret, as it is encrypted solely under keys derived using the offered PSK.
* There are no guarantees of non-replay between connections. Protection against replay for ordinary TLS 1.3 1-RTT data is provided via the server's Random value, but 0-RTT data does not depend on the ServerHello and therefore has weaker guarantees. This is especially relevant if the data is authenticated either with TLS client authentication or inside the [application] [protocol]. The same warnings apply to any use of the early_exporter_master_secret.

[{$pagename}] data cannot be duplicated within a connection (i.e., the server will not process the same data twice for the same connection), and an attacker will not be able to make 0-RTT data appear to be 1-RTT data (because it is protected with different keys). Appendix E.5 of the [TLS 1.3] specification contains a description of potential attacks, and Section 8 describes mechanisms which the server can use to limit the impact of replay.

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [Improved Handshakes in TLS version 1.3|https://timtaubert.de/blog/2015/11/more-privacy-less-latency-improved-handshakes-in-tls-13/|target='_blank'] - based on information obtained 2017-01-05
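The following Python is an added illustration of the two weaknesses named in the important note above; it is not code from this page, from the TLS 1.3 specification or from any TLS library. It computes the 0-RTT key schedule from RFC 8446 section 7.1 (Early Secret from the PSK alone, then client_early_traffic_secret over the ClientHello transcript) to show that a replayed ClientHello plus early data decrypts under exactly the same key and that no ephemeral (EC)DHE input is mixed in, and it sketches a hypothetical server-side replay guard (the `EarlyDataReplayGuard` class) in the spirit of the Section 8 mechanisms: a freshness window on the claimed ticket age and rejection of an already-seen ClientHello. The PSK, ClientHello and (EC)DHE values are constructed sample bytes, and the sketch uses SHA-256 only.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) instantiated with SHA-256."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes,
                      length: int = HASH_LEN) -> bytes:
    """TLS 1.3 HKDF-Expand-Label (RFC 8446 section 7.1).

    HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>,
    with the label prefixed by "tls13 ". One HKDF-Expand block is enough because
    the requested length never exceeds the hash output size here.
    """
    assert length <= HASH_LEN
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hmac.new(secret, hkdf_label + b"\x01", HASH).digest()[:length]


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages) = HKDF-Expand-Label(Secret, Label, Hash(Messages))."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest())


def early_secret(psk: bytes) -> bytes:
    """Early Secret = HKDF-Extract(salt = zeros, IKM = PSK): it depends on the PSK alone."""
    return hkdf_extract(b"\x00" * HASH_LEN, psk)


def client_early_traffic_secret(psk: bytes, client_hello: bytes) -> bytes:
    """Secret protecting 0-RTT data: a function of the PSK and the ClientHello only.

    Nothing the server contributes (ServerHello.random, key_share) is involved,
    so a replayed ClientHello + early data decrypts under exactly this secret.
    """
    return derive_secret(early_secret(psk), b"c e traffic", client_hello)


def handshake_secret(psk: bytes, ecdhe_shared: bytes) -> bytes:
    """Handshake Secret = HKDF-Extract(Derive-Secret(Early, "derived", ""), (EC)DHE).

    This is the first stage that mixes in the ephemeral key_share result, which
    is why 1-RTT traffic gains forward secrecy and 0-RTT traffic does not.
    """
    derived = derive_secret(early_secret(psk), b"derived", b"")
    return hkdf_extract(derived, ecdhe_shared)


class EarlyDataReplayGuard:
    """Hypothetical server-side anti-replay store (not from any TLS stack).

    Mirrors the ideas of RFC 8446 section 8: enforce a freshness window on the
    client's claimed ticket age (8.3) and refuse a ClientHello already accepted
    inside that window (8.2). A rejection means "fall back to a 1-RTT handshake",
    not "drop the connection".
    """

    def __init__(self, window_seconds: float = 10.0) -> None:
        self.window = window_seconds
        self.seen = {}  # sha256(ClientHello) -> time it was first accepted

    def accept_early_data(self, client_hello: bytes, ticket_issued_at: float,
                          claimed_age_ms: int, now: float) -> bool:
        expected_age_ms = (now - ticket_issued_at) * 1000.0
        if abs(claimed_age_ms - expected_age_ms) > self.window * 1000.0:
            return False  # outside the freshness window: stale or clock skew
        self._expire(now)
        digest = HASH(client_hello).digest()
        if digest in self.seen:
            return False  # identical ClientHello already accepted: a replay
        self.seen[digest] = now
        return True

    def _expire(self, now: float) -> None:
        # Entries older than the window can no longer pass the age check, so drop them.
        self.seen = {d: t for d, t in self.seen.items() if now - t <= self.window}


# Constructed sample values for the demonstration (not real handshake bytes).
PSK = b"\x11" * HASH_LEN
CLIENT_HELLO = b"constructed ClientHello + early_data + pre_shared_key"

if __name__ == "__main__":
    print("0-RTT secret, original: ", client_early_traffic_secret(PSK, CLIENT_HELLO).hex())
    print("0-RTT secret, replayed: ", client_early_traffic_secret(PSK, CLIENT_HELLO).hex())
    guard = EarlyDataReplayGuard(window_seconds=10.0)
    print("first flight accepted:  ", guard.accept_early_data(CLIENT_HELLO, 100.0, 5000, 105.0))
    print("replayed flight accepted:", guard.accept_early_data(CLIENT_HELLO, 100.0, 5000, 105.5))
```

Running the module prints the same client_early_traffic_secret twice for the replayed ClientHello and shows the guard accepting the first flight and refusing the replay; changing the (EC)DHE input to `handshake_secret` changes that secret while the early secret stays fixed, which is the forward-secrecy gap the note describes. The guard only bounds the replay window on a single server; the specification's discussion of distributed deployments and of application-level idempotence still applies.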