Ready to Start Your Career?
December 18, 2018
TLS 1.2 and TLS 1.3 - What's the Difference?
December 18, 2018
TLS (Transport Layer Security) was developed as a descendant of SSL in order to provide a secure channel between two communicating peers (i.e., web browsers and servers). The main intent of TLS is to authenticate peers, prevent eavesdropping, and tamper-proof communications by validating the authenticity of messages. The protocol aims to authenticate all data, maintain the integrity of the data, and keep the data confidential.There are two main components of TLS: a handshake protocol and a record protocol. The handshake protocol authenticates the communicating parties, negotiates cryptographic modes and parameters, and establishes shared keying material. It does this by creating input secrets, which are then compiled by the key derivation algorithm into your working keying material. The peers in this stage rely on asymmetric encryption and use the recipient’s public key to encrypt a message. The recipient uses a private key to decrypt this message upon receipt. The record protocol uses parameters established by the handshake protocol to protect traffic between the communicating peers. In TLS 1.3, the key derivation process relies on the HKDF-Extract and HKDF-Expand functions and the Hash function of the cipher suite.There are quite a few differences between TLS 1.2 and TLS 1.3. Version 1.3 was developed to improve performance and security and eliminate several complexities. The major difference is that every record is now encrypted, aside from the ClientHello and ServerHello. Other major differences include:The below information is taken in part from other sources like Reddit and Brica.de
- All legacy symmetric algorithms have been removed. The cipher suite concept has been changed to separate the authentication and key exchange mechanisms from the record protection algorithm and a hash to be used with both the key derivation function and handshake message authentication code (MAC).
- A zero round-trip time (0-RTT) mode was added, saving a round trip at connection setup for app data. This will lead to faster time to connect to/load web pages, perform transactions, etc.
- Static RSA and Diffie-Hellman cipher suites have been removed; all public-key-based key exchange mechanisms now provide forward secrecy. As an example, if the public key of the server is sent to the client, and the client sends back a session key for the connection which is encrypted with the public key of the server, then the server will decrypt this and determine the session. Forward secrecy aims to overcome this by making sure that all the session keys are not compromised, even if the long-term key is compromised.
- All handshake messages after the ServerHello are encrypted.
- The key derivation functions have been redesigned. The new design allows easier analysis by cryptographers due to their improved key separation properties. They include a passphrase and salt and create an encryption key of a given length.
- The handshake state machine has been significantly restructured to be more consistent and to remove superfluous messages such as ChangeCipherSpec.
- Elliptic curve algorithms are now in the base spec, and new signature algorithms, such as EdDSA are included. TLS 1.3 removed point format negotiation in favor of a single point format for each curve.
- Other cryptographic improvements made, including changing RSA padding to use the RSA Probabilistic Signature Scheme (RSASSA-PSS) and the removal of compression, the Digital Signature Algorithm (DSA) and custom Ephemeral Diffie Hellman (DH) groups.
- The TLS 1.2 version negotiation mechanism has been deprecated in favor of a version list in an extension. This increases compatibility with existing servers that incorrectly implemented version negotiation.
- Session resumption with and without the server-side state as well as the PSK-based cipher suites of earlier TLS versions have been replaced by a single new PSK exchange.