Article 3 of 6: Understanding TLS Security Series
TLS 1.3, finalized in August 2018 (RFC 8446), is a fundamental redesign of the protocol. It removes decades of accumulated security debt while improving both performance and privacy.
This article covers the streamlined 1-RTT handshake, HKDF key derivation, removed legacy features, 0-RTT resumption, Encrypted Client Hello (ECH), and post-quantum key exchange.
TLS 1.3 vs TLS 1.2 Comparison
| Feature | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Handshake RTT | 2-RTT | 1-RTT (0-RTT resume) |
| Forward Secrecy | Optional (ECDHE) | Mandatory |
| Certificate Privacy | Plaintext (visible) | Encrypted (hidden) |
| Cipher Suites | 37+ (many weak) | 5 (all AEAD) |
| Key Derivation | PRF | HKDF |
| RSA Key Exchange | Supported | Removed |
| CBC Ciphers | Supported | Removed |
1. TLS 1.3 Handshake (1-RTT)
Theory: How It Works
The key innovation: the client sends its key share speculatively in the first message, allowing encryption after just one round trip.
CLIENT SERVER
| |
| 1. Client Hello + Key Share |
| ──────────────────────────────────────────► |
| TLS 1.3, ciphers, ECDHE public key |
| |
| 2. Server Hello + Key Share |
| ◄────────────────────────────────────────── |
| Selected cipher, server ECDHE key |
| |
| ═══════ ENCRYPTION STARTS ═══════ |
| |
| 3. Encrypted Extensions |
| ◄────────────────────────────────────────── |
| Additional parameters (encrypted) |
| |
| 4. Certificate (ENCRYPTED!) |
| ◄────────────────────────────────────────── |
| Hidden from observers! |
| |
| 5. Certificate Verify |
| ◄────────────────────────────────────────── |
| Signature over transcript |
| |
| 6. Server Finished |
| ◄────────────────────────────────────────── |
| MAC over handshake |
| |
| 7. Client Finished |
| ──────────────────────────────────────────► |
| Handshake complete |
| |
| Application Data (Encrypted) |
| ◄────────────────────────────────────────► |
Total: 1 Round Trip (1-RTT), 50% Faster!Key Differences from TLS 1.2:
- Certificate is ENCRYPTED, so observers cannot see the destination
- Key share sent speculatively, saving one round trip
- No Change Cipher Spec message, resulting in a cleaner protocol
- Encryption starts immediately after Server Hello
Practical: Real-World Implementation
# Force TLS 1.3
openssl s_client -connect example.com:443 -tls1_3
# Show TLS 1.3 cipher suites
openssl ciphers -v -tls1_3
# Verify TLS 1.3 support
openssl s_client -connect example.com:443 2>&1 | grep ProtocolWireshark Visibility Comparison:
| Packet | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Client Hello | Visible | Visible |
| Server Hello | Visible | Visible |
| Certificate | VISIBLE | ENCRYPTED |
| Server Key Exchange | Visible | N/A |
| Application Data | Encrypted | Encrypted |
Reality: Security Risks
| Issue | Impact | Solution |
|---|---|---|
| SNI Visible | Server name in Client Hello plaintext | Encrypted Client Hello (ECH) |
| Middlebox Issues | Some firewalls break TLS 1.3 | Middlebox compatibility mode |
| Legacy Clients | Old browsers lack support | Enable TLS 1.2 fallback |
2. Key Derivation (HKDF)
Theory: How It Works
TLS 1.3 uses HKDF (HMAC-based Key Derivation Function) instead of PRF, providing cleaner cryptographic separation.
HKDF Key Schedule:
Stage 1 - Early Secret (0-RTT):
Early Secret = HKDF-Extract(salt=0, PSK or 0)
Stage 2 - Handshake Secret:
Handshake Secret = HKDF-Extract(derived, ECDHE_secret)
Stage 3 - Master Secret:
Master Secret = HKDF-Extract(derived, 0)| Function | Purpose |
|---|---|
| HKDF-Extract | Combines salt + input key material into PRK |
| HKDF-Expand | Derives multiple keys from single secret |
| Derive-Secret | TLS 1.3 wrapper with transcript hash |
HKDF in TLS 1.3 has been formally verified. The key schedule design prevents key reuse across derivation stages, eliminating entire classes of attacks.
3. 0-RTT Resumption
Theory: How It Works
0-RTT allows returning clients to send encrypted data in the first message, before the handshake completes.
How It Works:
- First connection: Normal 1-RTT, server issues session ticket
- Subsequent: Client sends ticket + early data in first message
- Server decrypts early data using PSK from ticket
Practical: Real-World Implementation
Enable 0-RTT (Nginx):
ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;Reality: Security Risks
| Risk | Impact | Mitigation |
|---|---|---|
| Replay Attack | Attacker replays 0-RTT data | Only send idempotent requests (GET) |
| No Forward Secrecy | Early data encrypted with PSK only | Use single-use session tickets |
| Double Submit | Non-idempotent action runs twice | Server-side replay detection |
4. Removed Legacy Features
TLS 1.3 removes all weak and problematic features from previous versions:
| Removed Feature | Why Removed |
|---|---|
| RSA Key Exchange | No forward secrecy; key compromise decrypts all past traffic |
| CBC Cipher Suites | Padding oracle attacks (POODLE, Lucky13, BEAST) |
| RC4 | Cryptographically broken, with biases in keystream |
| 3DES | 64-bit block vulnerable to Sweet32 birthday attack |
| MD5/SHA-1 signatures | Collision attacks (SHAttered) |
| Compression | CRIME/BREACH attacks leak secrets |
| Renegotiation | Complex, enabled various attacks |
| Static DH/ECDH | No forward secrecy |
| Custom DH groups | Weak groups (Logjam attack) |
By removing these features, TLS 1.3 eliminates entire attack categories. There are no known practical attacks against properly implemented TLS 1.3.
5. TLS 1.3 Cipher Suites
TLS 1.3 has only 5 cipher suites, all AEAD, all secure. No configuration mistakes possible.
| Cipher Suite | Recommendation |
|---|---|
| TLS_AES_256_GCM_SHA384 | RECOMMENDED, highest security |
| TLS_AES_128_GCM_SHA256 | RECOMMENDED, good balance |
| TLS_CHACHA20_POLY1305_SHA256 | RECOMMENDED, fast on mobile |
| TLS_AES_128_CCM_SHA256 | OK, constrained IoT devices |
| TLS_AES_128_CCM_8_SHA256 | OK, very constrained devices |
Key exchange (ECDHE) and authentication (RSA/ECDSA) are negotiated separately via extensions, not in the cipher suite name. All TLS 1.3 cipher suites are secure, so you cannot make a bad choice.
6. Encrypted Client Hello (ECH)
Theory: How It Works
ECH encrypts the entire Client Hello, including SNI (Server Name Indication). This hides which website you’re connecting to from network observers.
Privacy Comparison:
| Metadata | TLS 1.3 (no ECH) | TLS 1.3 + ECH |
|---|---|---|
| Server IP | Visible | Visible |
| SNI (domain name) | Visible in Client Hello | ENCRYPTED |
| Certificate | Encrypted | Encrypted |
| Application Data | Encrypted | Encrypted |
Practical: Real-World Implementation
# Check if server supports ECH
dig +short TYPE65 _https.example.com # Look for 'ech=' parameter
# Enable ECH in Firefox (about:config)
# network.dns.echconfig.enabled = trueReality: ECH Adoption 2026
| Platform | ECH Status |
|---|---|
| Cloudflare | ECH enabled by default for all sites |
| Chrome | ECH supported since 2023 |
| Firefox | ECH enabled by default |
ECH requires DNS-over-HTTPS (DoH) for full privacy.
7. Post-Quantum Key Exchange
Theory: How It Works
TLS 1.3 now supports hybrid post-quantum key exchange. The client and server perform both X25519 (classical) and ML-KEM (post-quantum) key exchanges, combining the results. This provides security against both classical and quantum attackers.
# Check for hybrid PQ key exchange in connection
openssl s_client -connect cloudflare.com:443 2>&1 | grep 'Server Temp Key'
# Look for: X25519MLKEM768 or X25519Kyber7688. Wireshark Packet Analysis
TLS 1.3 with Self-Signed Certificate
- Wireshark Filter:
tls.handshake.type == 1 || tls.handshake.type == 2 || tls.record.content_type == 23 - Visible Packets: Client Hello, Server Hello, Application Data…
- Certificate Details: NOT VISIBLE. Certificate is encrypted inside Application Data packets
- Browser Behavior: Security warning shown (self-signed) but attacker cannot see which site
Key Observations:
- No Certificate packet visible after Server Hello
- Only “Application Data” packets (encrypted content)
- Expand Client Hello to see
supported_versionswith TLS 1.3 (0x0304) - Passive observer cannot determine server identity from certificate
TLS 1.3 with CA-Issued Certificate
- Visible Packets: Client Hello, Server Hello, Application Data (encrypted)
- Certificate Details: NOT VISIBLE. Only SNI (server_name) in Client Hello reveals destination
- Browser Behavior: Padlock icon shown, fully trusted and private connection
9. Technical Comparison Matrix
| Scenario | Cert Visible? | Trusted? | Speed | Security |
|---|---|---|---|---|
| TLS 1.2 + Self-Signed | Yes | No | Medium | Moderate |
| TLS 1.2 + CA Cert | Yes | Yes | Medium | High |
| TLS 1.3 + Self-Signed | No | No | Fast | High* |
| TLS 1.3 + CA Cert | No | Yes | Fastest | HIGHEST |
*High encryption but no trust verification without CA certificate
Key Takeaways
- 1-RTT handshake (0-RTT for resumption), 50% faster
- Forward secrecy is mandatory, always ECDHE
- Certificate is encrypted, improving privacy
- Only 5 AEAD cipher suites with no weak options
- HKDF key derivation: cleaner and formally verified
- 0-RTT has replay risk, so use it carefully
- ECH hides SNI for complete privacy
- Hybrid PQ (X25519 + ML-KEM) for quantum resistance
- TLS 1.3 + CA certificate = HIGHEST security
Previous: Article 2: TLS 1.2 Deep Dive
Next: Article 4: TLS Attacks & Vulnerabilities
This is part of our 6-article series on Understanding TLS Security.
Not sure if your TLS 1.3 migration is complete? We validate TLS configuration during our Web Application Pentest and IoT Pentest engagements. Get a free security snapshot to check what’s exposed, or view pricing.