The Internet Engineering Task Force (IETF) has published version 1.3 of the Transport Layer Security (TLS) protocol. The protocol allows client/server applications to communicate over the internet in a way that is designed to prevent eavesdropping, tampering and message forgery.
The IETF is a body of engineers from all over the world who collaborate on standards like this, and its approval of TLS 1.3 has been long in coming: over four years and 28 drafts.
According to a draft working document published on March 20, TLS 1.3 has several major differences from its predecessor: algorithms considered legacy have been removed; a 0-RTT mode has been added; all public-key-based key exchanges now provide forward secrecy; all handshake messages after the ServerHello are now encrypted; and the key derivation functions have been redesigned, which allows easier analysis by cryptographers due to their improved key separation properties.
There are potential concerns about 0-RTT data, as its security properties are weaker than those for other kinds of TLS data. Specifically, the document states: “This data is not forward secret, as it is encrypted solely under keys derived using the offered PSK.
“There are no guarantees of non-replay between connections. Protection against replay for ordinary TLS 1.3 1-RTT data is provided via the server's Random value, but 0-RTT data does not depend on the ServerHello and therefore has weaker guarantees. This is especially relevant if the data is authenticated either with TLS client authentication or inside the application protocol.”
The document goes on to say that 0-RTT data cannot be duplicated within a connection (i.e. the server will not process the same data twice for the same connection) and that an attacker will not be able to make 0-RTT data appear to be 1-RTT data, because it is protected with different keys.
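The four properties described above, modelled as an added example that is not from the IETF document or from any TLS implementation: the HMAC-based key derivation and record format are simplified stand-ins for the real key schedule and AEAD, and the PSK and request bodies are constructed. It shows why a captured 0-RTT record is accepted by a second connection while a 1-RTT record is not.

```python
import hashlib
import hmac
import os

TAG_LEN = 32

def derive_key(psk: bytes, label: bytes, server_random: bytes = b"") -> bytes:
    # Toy stand-in for the TLS 1.3 key schedule: the early-data key depends only on
    # the PSK, while the 1-RTT key also mixes in the server's Random.
    return hmac.new(psk, label + server_random, hashlib.sha256).digest()

def protect(key: bytes, seq: int, plaintext: bytes) -> bytes:
    # Record = seq || plaintext || MAC (integrity only; real TLS uses an AEAD).
    body = seq.to_bytes(8, "big") + plaintext
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Connection:
    def __init__(self, psk: bytes):
        self.server_random = os.urandom(32)           # fresh for every connection
        self.early_key = derive_key(psk, b"early")    # identical in every connection using this PSK
        self.app_key = derive_key(psk, b"app", self.server_random)
        self.seen = set()                             # record sequence numbers already processed

    def receive(self, record: bytes, early: bool) -> str:
        key = self.early_key if early else self.app_key
        body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            return "rejected: wrong key"
        seq = int.from_bytes(body[:8], "big")
        if seq in self.seen:
            return "rejected: duplicate"
        self.seen.add(seq)
        return "accepted"

def demo() -> dict:
    psk = os.urandom(32)                              # constructed PSK from an earlier session
    c1, c2 = Connection(psk), Connection(psk)         # two connections resuming the same PSK
    early = protect(c1.early_key, 0, b"POST /transfer amount=100")  # constructed 0-RTT record
    late = protect(c1.app_key, 1, b"POST /transfer amount=100")     # constructed 1-RTT record
    return {
        "early_first": c1.receive(early, early=True),              # accepted
        "early_dup_same_conn": c1.receive(early, early=True),      # rejected: duplicate
        "early_as_1rtt": c1.receive(early, early=False),           # rejected: wrong key
        "early_replayed_new_conn": c2.receive(early, early=True),  # accepted: no cross-connection replay protection
        "late_first": c1.receive(late, early=False),               # accepted
        "late_replayed_new_conn": c2.receive(late, early=False),   # rejected: wrong key (server Random differs)
    }
```

Calling demo() returns the outcome of each delivery; the only case the transport does not catch is the 0-RTT record replayed into a new connection, which is why non-idempotent operations should not be accepted from early data at the application layer.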