Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Introducing TLS 1.3: the Future of Encryption

DZone's Guide to

Introducing TLS 1.3: the Future of Encryption

After its anxiously-awaited release, the Internet Engineering Task Force has finally approved TLS 1.3. Click here to learn more!

· Security Zone ·
Free Resource

Protect your applications against today's increasingly sophisticated threat landscape.

After four years and 28 different drafts, the Internet Engineering Task Force has finally approved TLS 1.3. And, even then, TLS 1.3 was only approved at the most recent London meeting after a wave of last-minute activity, including an 11th-hour pitch from the banking industry to insert a back door.

That didn’t go over well. But, eventually, TLS 1.3 won unanimous approval (with one “no objection”) which sets the stage for it to be implemented in… well, everything.

TLS 1.3 sees improvements that should seriously hamper any attempts to decrypt intercepted HTTPS (SSL certificate) connections and any other encrypted network packets. That’s not going to make the NSA or Ruskies too happy. But, that’s kind of the point.

In addition to being even more robust, TLS 1.3 will also streamline the handshake process and allow for even faster encryption to take place.

Unfortunately, the work on TLS 1.3 has been extremely slow. Google had problems last year when an IT administrator for the Maryland school system reported that about one-third of the 50,000 Chromebooks he had enabled TLS 1.3 on bricked. And, then, there was the aforementioned incident where the banking industry complained that it wouldn’t be able to decrypt the traffic within its own networks.

However, the same ability to decrypt data can be applied to their own data nefariously, much like just about everything in the banking industry. This makes trusting a banker one of the most dangerous things you can do. I’m convinced that when Virgil finally leads me on my orientation to hell, the bankers will have their very own ring — hopefully, several.

Anyway, back to getting backdoored by bankers. The IETF said no. This means that the financial sector will have to do some extra work in order to inspect TLS 1.3 traffic. See, everybody wins.

Two of the biggest updates to TLS 1.3, and one of the biggest reasons that the banking industry had a cow have to do with forwarding secrecy and ephemeral keys.

As you may know, TLS creates an encrypted connection between a client and a server. This is done at the outset using what we call the “SSL handshake.”

Unfortunately, the previous iterations of the handshake were long and could take half a second. For what it’s worth, a part of me just died typing that last sentence. We live in a world where people are inconvenienced by half a second.

But, with TLS 1.2, the handshake took several round trips. The client would send something to the server. Then, the server would respond. And, they would begin a series of hand claps and fist bumps. Eventually, they agreed on a session key that uses mutually supported algorithms and ciphers. Then, voila! Encrypted communication.

TLS 1.3 asks the age-old question, “who has that kind of time?” It also streamlines the handshake into a single roundtrip proposition that is less like a clubhouse secret handshake and more like the handshake exchanged by a couple at the end of a long and contentious divorce settlement. 

In addition to that, TLS 1.3 also gets rid of a bunch of outmoded algorithms that have been found vulnerable.

  • RC4 Steam Cipher
  • RSA Key Transport
  • SHA-1 Hash Function
  • CBC Mode Ciphers
  • MD5 Algorithm
  • Various Diffie-Hellman groups
  • EXPORT-strength ciphers
  • DES
  • 3DES

Beyond a refined handshake and dropping support for all but the most recent ciphers, TLS 1.3 also boasts something called an RTT resumption. This feature allows two parties to remember the details of their last session and to resume it without needing to repeat the handshake. 

This will only speed TLS 1.3 even more.

There is no word yet on TLS 1.4. Though, the IETF may want to get to work on it now, considering how long this last one took.

Rapidly detect security vulnerabilities in your web, mobile and desktop applications with IBM Application Security on Cloud. Register Now

Topics:
web security ,security ,http ,internet engineering task force ,tls 1.3

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}