always (using ECDHE)
• Relative to the ticket key: never

TLS 1.3 is forward secret:
• Relative to the certificate: always
• Relative to the ticket key: except 0-RTT early data (w/ PSK-ECDHE)
the ticket
• The server checks it matches its view, with some leeway
• Obfuscated with a ticket_age_add value sent as part of the New Session Ticket message

    struct {
        opaque identity<1..2^16-1>;
        uint32 obfuscated_ticket_age;
    } PskIdentity;
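The ticket-age check described above, as an added example that is not from the slides or from any TLS library. Function names, the 10-second leeway and the sample values are assumptions; the obfuscation is addition of ticket_age_add modulo 2^32 on a millisecond age, as in RFC 8446.

```python
import struct

MASK32 = 0xFFFFFFFF
LEEWAY_MS = 10_000                     # assumption: tolerated skew and delay
MAX_LIFETIME_MS = 7 * 24 * 3600 * 1000  # tickets live at most 7 days


def obfuscate_age(age_ms: int, ticket_age_add: int) -> int:
    """Client side: hide the real ticket age from passive observers."""
    return (age_ms + ticket_age_add) & MASK32


def parse_psk_identity(buf: bytes) -> tuple[bytes, int]:
    """Parse one PskIdentity: opaque identity<1..2^16-1>, uint32 age."""
    if len(buf) < 2:
        raise ValueError("truncated identity length")
    (n,) = struct.unpack_from("!H", buf, 0)
    if n == 0 or len(buf) != 2 + n + 4:
        raise ValueError("bad PskIdentity length")
    (obf_age,) = struct.unpack_from("!I", buf, 2 + n)
    return buf[2:2 + n], obf_age


def early_data_fresh(obf_age: int, ticket_age_add: int,
                     issued_ms: int, now_ms: int) -> bool:
    """Server side: undo the obfuscation, compare with the server's view."""
    client_age = (obf_age - ticket_age_add) & MASK32  # handles wraparound
    server_age = now_ms - issued_ms
    if server_age < 0 or server_age > MAX_LIFETIME_MS:
        return False                   # clock went backwards or ticket expired
    return abs(server_age - client_age) <= LEEWAY_MS


def demo() -> tuple[bool, bool]:
    """Constructed sample: ticket issued at t=1,000,000 ms, used 3.5 s later."""
    add, issued = 0xF0000000, 1_000_000
    wire = struct.pack("!H", 6) + b"ticket" + struct.pack(
        "!I", obfuscate_age(3_500, add))
    _, obf = parse_psk_identity(wire)
    first_use = early_data_fresh(obf, add, issued, issued + 3_600)
    # The same ClientHello bytes replayed a minute later carry a stale age.
    replayed = early_data_fresh(obf, add, issued, issued + 63_500)
    return first_use, replayed


if __name__ == "__main__":
    print(demo())
```

A replay that arrives inside the leeway window still passes this check, so the age test narrows the replay window for early data rather than closing it.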
early data, entirely, without knowing how much there will be
• If it accepts it and can’t process it, it must buffer it
• Once the Finished comes, all early data is confirmed
• max_early_data_size limits the buffer size
• Devised with Drew Springall
Andrew Kennedy and I work at BITS, the technology policy division of the Financial Services Roundtable (http://www.fsroundtable.org/bits). My organization represents approximately 100 of the top 150 US-based financial services companies including banks, insurance, consumer finance, and asset management firms. [...] Deprecation of the RSA key exchange in TLS 1.3 will cause significant problems for financial institutions, almost all of whom are running TLS internally and have significant, security-critical investments in out-of-band TLS decryption. [...]
trying to build a more secure internet.

Meta-level comment: You're a bit late to the party. We're metaphorically speaking at the stage of emptying the ash trays and hunting for the not quite empty beer cans. More exactly, we are at draft 15 and RSA key transport disappeared from the spec about a dozen drafts ago. I know the banking industry is usually a bit slow off the mark, but this takes the biscuit.

Cheers,
Kenny
with session ticket key
• Session ticket key compromise a risk for all connections

TLS 1.3 tickets
• Next session keys encrypted with session ticket key
• Session ticket key compromise only risk for resumed connections
TLS 1.0: 3.1
• TLS 1.1: 3.2
• TLS 1.2: 3.3
• TLS 1.3: 3.4 ???
• Servers are intolerant of 3.4
• >2% of servers fail connection
• Solution: “3.3” in ClientHello, real versions in extension
• GREASE by David Benjamin