
Here’s what you need to know on TLS 1.3


The last upgrade of the encryption protocol took more than eight years to complete: the new version, TLS 1.3, was published in August 2018.

TLS 1.3 has many benefits over its predecessors: it is quicker and safer, because both the handshake and the cipher suites have been reworked.

Technically, SSL 1.0 was never officially published, and SSL 2.0 and 3.0 had a short (though not entirely dead) life. As a consequence, SSL was replaced with TLS 1.0. There were many differences between SSL and TLS. TLS 1.0 was eventually replaced by 1.1, which was later followed by TLS 1.2, and now the final TLS 1.3 has been published. Counting from the start of the SSL/TLS protocol family, TLS 1.3 is the seventh iteration.

Let us now look more closely at the security and site performance improvements TLS 1.3 brings; feel free to jump to any section that concerns you.

What exactly is TLS 1.3?

TLS stands for Transport Layer Security; it is the successor to SSL (Secure Sockets Layer). TLS provides secure communication between web browsers and servers. The link itself is secure, since the transmitted data is encrypted using symmetric cryptography. In other words, TLS is a standard protocol that lets clients and servers communicate securely over the internet.

The Transport Layer Security (TLS) 1.3 protocol offers privacy and consistency beyond anything in the previous TLS versions or in non-secure HTTP. Cloudflare engineers were instrumental in designing the newest TLS protocol.

History of TLS 1.3

TLS 1.3 was released a decade after TLS 1.2, and it took about 28 drafts before the IETF (Internet Engineering Task Force) finally established it. There were several issues involved, such as middleboxes, commercial devices that inspect or enforce traffic and in doing so break the standard. Also, because of the many parties involved, the review process dragged on and on.

Figure: TLS 1.3 drafts (image not included)
Source: https://datatracker.ietf.org/doc/rfc8446/?include_text=1

The first draft of TLS 1.3 was released on 17 April 2014 and the last in August 2018. All the drafts were checked and evaluated continuously by vendors such as Google, Cloudflare, Mozilla and many more. They tested the protocol by adding it to their list of approved protocols and documenting the problems they found during testing. For instance, a proxy issue that arose in February 2017 forced Google to stop supporting TLS 1.3 for a while.

Advantage of TLS 1.3 over TLS 1.2

1) Speed Benefit

TLS 1.3 is much faster than its predecessor because it cuts the time required for a handshake. In TLS 1.3, completing a handshake requires one round trip between the two sides. Compared with TLS 1.2, TLS 1.3 reduces the round trips, and the number of handshake messages drops from 4 to 2.

Figure: TLS 1.3 handshake performance (image not included)

In TLS 1.2, by contrast, two round trips are needed and four negotiation messages are exchanged. In terms of network efficiency, this makes it slower than TLS 1.3.

The shorter TLS handshake makes the connection to the site much quicker, with less latency, which improves the efficiency of the enterprise network.

‘Zero Round Trip Time Resumption’ (0-RTT) makes TLS 1.3 quicker still, as it lets users who have recently visited a website resume their session almost instantly. The speed difference on mobile networks and at scale is very noticeable.

Figure: 0-RTT vs 1-RTT (image not included)

TLS 1.3 uses a pre-shared key to resume a connection, whereas TLS 1.2 uses session IDs and session tickets. Once the connection is established and the client and server have generated the session keys used during that connection, they can use a similar function to generate a “Resumption Master Key”, which is what makes 0-RTT possible.

When the client and server want to resume a session, this resumption master key is used to encrypt the application data sent together with the session ticket. The server then validates the ticket and resumes the session.
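The derivation the paragraph above describes, as an added example that is not part of the original post: both sides turn the resumption master secret into the pre-shared key (PSK) with HKDF-Expand-Label as specified in RFC 8446 (sections 4.6.1 and 7.1), and the client can then derive its early-traffic secret before any round trip has happened. The resumption master secret, ticket nonce and ClientHello bytes below are constructed placeholders; real values come out of a completed handshake and its NewSessionTicket message.

```python
import hashlib
import hmac
import struct


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """HKDF-Expand (RFC 5869): concatenate T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_expand_label(secret, label, context, length, hash_name="sha256"):
    """HKDF-Expand-Label (RFC 8446 s.7.1). The info is the HkdfLabel struct:
    uint16 length; opaque label<7..255> = "tls13 " + Label; opaque context<0..255>."""
    full_label = b"tls13 " + label
    hkdf_label = (struct.pack("!H", length)
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length, hash_name)


def derive_secret(secret, label, messages, hash_name="sha256"):
    """Derive-Secret (RFC 8446 s.7.1): the context is the transcript hash of Messages."""
    transcript_hash = hashlib.new(hash_name, messages).digest()
    return hkdf_expand_label(secret, label, transcript_hash, len(transcript_hash), hash_name)


def resumption_psk(resumption_master_secret, ticket_nonce, hash_name="sha256"):
    """RFC 8446 s.4.6.1: PSK = HKDF-Expand-Label(resumption_master_secret, "resumption",
    ticket_nonce, Hash.length). Client and server compute this from a secret they already
    share, so resuming needs no new key exchange round trip."""
    hash_len = hashlib.new(hash_name).digest_size
    return hkdf_expand_label(resumption_master_secret, b"resumption", ticket_nonce, hash_len, hash_name)


def early_secrets(psk, client_hello, hash_name="sha256"):
    """The 0-RTT branch of the key schedule (RFC 8446 s.7.1)."""
    hash_len = hashlib.new(hash_name).digest_size
    early_secret = hkdf_extract(b"\x00" * hash_len, psk, hash_name)          # HKDF-Extract(0, PSK)
    binder_key = derive_secret(early_secret, b"res binder", b"", hash_name)  # proves the client holds the PSK
    client_early_traffic_secret = derive_secret(early_secret, b"c e traffic", client_hello, hash_name)
    return early_secret, binder_key, client_early_traffic_secret


def demo():
    """Constructed placeholder inputs (not values from any real session)."""
    resumption_master_secret = bytes(range(32))
    ticket_nonce = b"\x00\x00"   # nonce of the first ticket issued on the connection
    client_hello = b"constructed ClientHello carrying a pre_shared_key extension"
    psk = resumption_psk(resumption_master_secret, ticket_nonce)
    _, binder_key, early_traffic = early_secrets(psk, client_hello)
    return psk, binder_key, early_traffic


if __name__ == "__main__":
    for name, value in zip(("PSK", "binder key", "client early traffic secret"), demo()):
        print(f"{name}: {value.hex()}")
```

Because the early-traffic secret depends only on the PSK and the ClientHello, a recorded 0-RTT ClientHello plus early data decrypts identically if it is delivered again; RFC 8446 therefore treats 0-RTT data as replayable and without forward secrecy, and servers that accept it should only do so for requests that are safe to repeat.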

2) Simpler Cipher Suites

As noted above, half of the messages were removed from the handshake, and that also shrank the cipher suite definitions.

TLS 1.2 and its predecessors use cipher suites that name four algorithms, for example:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS 1.3 cipher suites no longer name the key exchange and signature algorithms.

Figure: TLS 1.3 cipher suites (image not included)

The biggest downside of TLS 1.2 is the huge number of cipher combinations, which make the handshake a nightmare for the parties involved and leave little guidance on choosing a cipher suite for better security.

TLS 1.3 defines five separate cipher suites, which can be used as follows:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • TLS_AES_128_CCM_SHA256

3) Improving security

The problem with TLS 1.2 was that it was often not properly configured, which left websites open to attack. TLS 1.3 removes all of the unsafe features, such as:

  • SHA-1
  • RC4
  • DES
  • 3DES
  • AES-CBC
  • MD5
  • Arbitrary Diffie-Hellman groups (CVE-2016-0701)
  • Export-strength ciphers, responsible for FREAK and Logjam
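An added example that is not part of the original post, serving both the cipher suite section and the list of removed features above: a small parser that splits an IANA cipher suite name into its components and flags the retired ones. The component names and the rule that "_WITH_" marks a TLS 1.2-era name are taken from the naming convention itself; the `WEAK_TOKENS` table is the post's list (SHA-1 appears as a bare `SHA` suffix in older names), with `NULL` and `anon` added as my own further cases.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The five suites the post lists for TLS 1.3.
TLS13_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
    "TLS_AES_128_CCM_SHA256",
]

# Name components TLS 1.3 dropped (a bare "SHA" suffix is HMAC-SHA-1 in 1.2-era names);
# NULL and anon are my additions: no encryption and no authentication respectively.
WEAK_TOKENS = {"RC4": "RC4", "DES": "DES", "3DES": "3DES", "CBC": "CBC", "MD5": "MD5",
               "SHA": "SHA-1", "NULL": "NULL", "anon": "anon"}


@dataclass
class CipherSuite:
    name: str
    style: str                       # "TLS 1.2" (name has _WITH_) or "TLS 1.3"
    key_exchange: Optional[str]      # None for TLS 1.3 suites: negotiated separately
    authentication: Optional[str]    # None for TLS 1.3 suites: negotiated separately
    cipher: str                      # bulk/AEAD cipher, e.g. AES_128_GCM
    hash_alg: str                    # MAC/PRF hash in 1.2, HKDF hash in 1.3
    weak: List[str] = field(default_factory=list)


def parse_cipher_suite(name: str) -> CipherSuite:
    """Split an IANA cipher suite name into its parts and flag retired components."""
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS cipher suite name: {name}")
    body = name[len("TLS_"):]
    export = False
    if "_WITH_" in body:                                   # TLS 1.2 and earlier
        left, right = body.split("_WITH_", 1)
        parts = left.split("_")
        if "EXPORT" in parts:                              # e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5
            export = True
            parts.remove("EXPORT")
        key_exchange = parts[0]
        # "RSA" alone means RSA key exchange and RSA authentication; otherwise "KX_AUTH".
        authentication = parts[1] if len(parts) > 1 else parts[0]
        style = "TLS 1.2"
    else:                                                  # TLS 1.3: only AEAD cipher + hash
        right, key_exchange, authentication, style = body, None, None, "TLS 1.3"
    cipher, hash_alg = right.rsplit("_", 1)
    suite = CipherSuite(name, style, key_exchange, authentication, cipher, hash_alg)
    tokens = set(cipher.split("_")) | {hash_alg}
    if authentication:
        tokens.add(authentication)
    suite.weak = sorted(WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS)
    if export:
        suite.weak.append("EXPORT")
    return suite


def audit(names: List[str]) -> Dict[str, List[str]]:
    """Map each suite that still carries a retired component to the offending parts."""
    findings = {}
    for name in names:
        suite = parse_cipher_suite(name)
        if suite.weak:
            findings[name] = suite.weak
    return findings


if __name__ == "__main__":
    # Constructed sample of a legacy server's list mixed with the TLS 1.3 suites.
    sample = TLS13_SUITES + ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]
    for name, problems in audit(sample).items():
        print(f"{name}: {', '.join(problems)}")
```

Run `audit()` over the list a server or scanner reports: every TLS 1.3 suite parses with no key exchange or signature component and no weak flag, while 1.2-era names surface exactly the items the post says were removed.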

Administrators and developers may prefer TLS 1.3 because it simplifies configuration and leaves less room for protocol misconfiguration.
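What that simpler configuration looks like in practice, as an added example that is not from the original post: with Python's standard `ssl` module, a context restricted to TLS 1.3 is two attribute assignments, and there is no cipher string to get wrong. The helper names here are my own; the module needs an OpenSSL build with TLS 1.3 support.

```python
import ssl
from typing import List, Tuple


def tls13_only_context(server: bool = True) -> ssl.SSLContext:
    """Context that refuses every protocol version below TLS 1.3."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER if server else ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # A server still needs its certificate chain loaded before use:
    # ctx.load_cert_chain("/path/to/fullchain.pem", "/path/to/privkey.pem")  (placeholder paths)
    return ctx


def allows_legacy_versions(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate TLS 1.2 or older."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_3


def offered_suites(ctx: ssl.SSLContext) -> List[Tuple[str, str]]:
    """(name, protocol) of every suite the context can negotiate, as OpenSSL reports it."""
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


if __name__ == "__main__":
    default_ctx = ssl.create_default_context()
    strict_ctx = tls13_only_context(server=False)
    print("default context allows legacy versions:", allows_legacy_versions(default_ctx))
    print("strict context allows legacy versions:", allows_legacy_versions(strict_ctx))
    for name, proto in offered_suites(strict_ctx):
        print(f"  {proto}: {name}")
```

Running it prints the suites the strict context would offer; because only the five TLS 1.3 suites remain, the output is the short list from the section above rather than the dozens of combinations a TLS 1.2 configuration exposes.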

People have started to rely more on TLS 1.3 than on its predecessors.

Google is raising the protection bar by showing on-screen alert messages that push users from TLS 1.2 and below to TLS 1.3, for both browsers and servers.

Bottom line:

The TLS 1.3 protocol has been published for well over a year, but adoption is still negligible. Some people even stick to the old, insecure protocols. But SSL certificates are now mandatory, awareness of cybersecurity is growing, and Google is tightening its security policies.

With this in mind, TLS 1.3 could become the standard within the next 2 to 3 years as sites upgrade to it. As we have seen, TLS 1.3 is simpler, lighter and quicker, which will help a company protect itself and its clients.
