RFC 8446 - The Transport Layer Security (TLS) Protocol Version 1.3

Published: August 2018
Status: Standards Track
Author: E. Rescorla (Mozilla)
Obsoletes: RFC 5077, RFC 5246, RFC 6961
Updates: RFC 5705, RFC 6066

---

Abstract

This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.

This document updates RFCs 5705 and 6066 and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements for TLS 1.2 implementations.

---

Contents

• 1. Introduction
  • 1.1 Conventions and Terminology
  • 1.2 Major Differences from TLS 1.2
  • 1.3 Updates Affecting TLS 1.2
• 2. Protocol Overview
  • 2.1 Incorrect DHE Share
  • 2.2 Resumption and Pre-Shared Key (PSK)
  • 2.3 0-RTT Data
• 3. Presentation Language
  • 3.1 Basic Block Size
  • 3.2 Miscellaneous
  • 3.3 Numbers
  • 3.4 Vectors
  • 3.5 Enumerateds
  • 3.6 Constructed Types
  • 3.7 Constants
  • 3.8 Variants
• 4. Handshake Protocol
  • 4.1 Key Exchange Messages
  • 4.2 Extensions
  • 4.3 Server Parameters
  • 4.4 Authentication Messages
  • 4.5 End of Early Data
  • 4.6 Post-Handshake Messages
• 5. Record Protocol
  • 5.1 Record Layer
  • 5.2 Record Payload Protection
  • 5.3 Per-Record Nonce
  • 5.4 Record Padding
  • 5.5 Limits on Key Usage
• 6. Alert Protocol
  • 6.1 Closure Alerts
  • 6.2 Error Alerts
• 7. Cryptographic Computations
  • 7.1 Key Schedule
  • 7.2 Updating Traffic Secrets
  • 7.3 Traffic Key Calculation
  • 7.4 (EC)DHE Shared Secret Calculation
  • 7.5 Exporters
• 8. 0-RTT and Anti-Replay
  • 8.1 Single-Use Tickets
  • 8.2 Client Hello Recording
  • 8.3 Freshness Checks
• 9. Compliance Requirements
  • 9.1 Mandatory-to-Implement Cipher Suites
  • 9.2 Mandatory-to-Implement Extensions
  • 9.3 Protocol Invariants
• 10. Security Considerations
• 11. IANA Considerations
• 12. References
  • 12.1 Normative References
  • 12.2 Informative References

Appendices

• Appendix A. State Machine
  • A.1 Client
  • A.2 Server
• Appendix B. Protocol Data Structures and Constant Values
  • B.1 Record Layer
  • B.2 Alert Messages
  • B.3 Handshake Protocol
  • B.4 Cipher Suites
• Appendix C. Implementation Notes
  • C.1 Random Number Generation and Seeding
  • C.2 Certificates and Authentication
  • C.3 Implementation Pitfalls
  • C.4 Client Tracking Prevention
  • C.5 Unauthenticated Operation
• Appendix D. Backward Compatibility
  • D.1 Negotiating with an Older Server
  • D.2 Negotiating with an Older Client
  • D.3 0-RTT Backward Compatibility
  • D.4 Middlebox Compatibility Mode
  • D.5 Security Restrictions Related to Backward Compatibility
• Appendix E. Overview of Security Properties
  • E.1 Handshake
  • E.2 Record Layer
  • E.3 Traffic Analysis
  • E.4 Side-Channel Attacks
  • E.5 Replay Attacks on 0-RTT
  • E.6 PSK Identity Exposure
  • E.7 Sharing PSKs
  • E.8 Attacks on Static RSA

---

Related Resources

• Official Source: RFC 8446
• Official Page: RFC 8446 DataTracker
• Errata: RFC Editor Errata

---