Details
-
Enhancement
-
Resolution: Unresolved
-
P3
-
None
-
None
Description
The initial TLS 1.3 implementation includes basic support for pre-shared keys and session resumption. The following PSK-related features are not included in the initial implementation:
1) Resumption using PSK only: The initial implementation allows resumption by authenticating with the PSK followed by a DHE exchange to set up the master secret. PSK-only mode is more efficient, but it has weaker security w.r.t. forward and backward secrecy. (Note: implemented in JDK 11 for TLS 1.3 session resumption, seeJDK-8202625).
2) 0-RTT: This mode allows the client to send application data in the first message, but it has all of the security issues of PSK-only mode plus some potential for replay attacks.
3) Stateless server PSKs: Section 4 of RFC 5077 describes a mechanism that servers can use to avoid keeping state for each NewSessionTicket that it sends. Using this mechanism would reduce the memory usage of the server at the expense of forward secrecy for PSK-only resumption.
4) Out-of-band PSK establishment: The initial implementation only supports PSKs produced from NewSessionTicket messages.
We should examine these missing features and decide if they are worthwhile to implement. Each of these features comes at the expense of some aspect of security (forward/backward secrecy, anti-replay, etc.). So it may not be worthwhile to implement some of them. The ones that are implemented should probably be enabled by configuration options.
1) Resumption using PSK only: The initial implementation allows resumption by authenticating with the PSK followed by a DHE exchange to set up the master secret. PSK-only mode is more efficient, but it has weaker security w.r.t. forward and backward secrecy. (Note: implemented in JDK 11 for TLS 1.3 session resumption, see
2) 0-RTT: This mode allows the client to send application data in the first message, but it has all of the security issues of PSK-only mode plus some potential for replay attacks.
3) Stateless server PSKs: Section 4 of RFC 5077 describes a mechanism that servers can use to avoid keeping state for each NewSessionTicket that it sends. Using this mechanism would reduce the memory usage of the server at the expense of forward secrecy for PSK-only resumption.
4) Out-of-band PSK establishment: The initial implementation only supports PSKs produced from NewSessionTicket messages.
We should examine these missing features and decide if they are worthwhile to implement. Each of these features comes at the expense of some aspect of security (forward/backward secrecy, anti-replay, etc.). So it may not be worthwhile to implement some of them. The ones that are implemented should probably be enabled by configuration options.
Attachments
Issue Links
- duplicates
-
-
- Closed
-