0Pricing
Cryptology Academy · Lesson

TLS 1.3: 0-RTT, Early Data, and Session Resumption

Understand TLS 1.3 session tickets, 0-RTT anti-replay limitations, and PSK resumption security.

TLS 1.3 Handshake Overview

TLS 1.3 (RFC 8446, 2018) redesigned the TLS handshake to reduce latency and remove legacy cruft. A full TLS 1.3 handshake completes in 1-RTT: the client sends ClientHello with supported key_shares (ephemeral ECDH public keys) in the first flight; the server responds with ServerHello, its key_share, encrypted extensions, certificate, and Finished — all in one response. The client sends its Finished and can immediately send application data. Compared to TLS 1.2's 2-RTT handshake, this halves connection setup time for new sessions.

Key Derivation in TLS 1.3

TLS 1.3 uses HKDF (HMAC-based Key Derivation Function) with a structured key schedule. After the ECDHE key exchange, the shared secret feeds into a hierarchy: Extract(early_secret, DHE) -> handshake_secret; then Extract(handshake_secret, 0) -> master_secret. From these, HKDF-Expand-Label derives separate keys for client and server handshake traffic, application traffic, and resumption. The clean separation ensures that compromising one layer of keys does not affect others — a significant improvement over TLS 1.2's more ad-hoc PRF-based key derivation.

All lessons in this course

  1. TLS 1.3: 0-RTT, Early Data, and Session Resumption
  2. Mutual TLS (mTLS) Implementation Patterns
  3. Certificate Pinning in Mobile and Desktop Applications
  4. TLS Performance: QUIC and HTTP/3
← Back to Cryptology Academy