TLS 1.3: 0-RTT, Early Data, and Session Resumption
Understand TLS 1.3 session tickets, 0-RTT anti-replay limitations, and PSK resumption security.
TLS 1.3 Handshake Overview
TLS 1.3 (RFC 8446, 2018) redesigned the TLS handshake to reduce latency and remove legacy cruft. A full TLS 1.3 handshake completes in 1-RTT: the client sends ClientHello with supported key_shares (ephemeral ECDH public keys) in the first flight; the server responds with ServerHello, its key_share, encrypted extensions, certificate, and Finished — all in one response. The client sends its Finished and can immediately send application data. Compared to TLS 1.2's 2-RTT handshake, this halves connection setup time for new sessions.
Key Derivation in TLS 1.3
TLS 1.3 uses HKDF (HMAC-based Key Derivation Function) with a structured key schedule. After the ECDHE key exchange, the shared secret feeds into a hierarchy: Extract(early_secret, DHE) -> handshake_secret; then Extract(handshake_secret, 0) -> master_secret. From these, HKDF-Expand-Label derives separate keys for client and server handshake traffic, application traffic, and resumption. The clean separation ensures that compromising one layer of keys does not affect others — a significant improvement over TLS 1.2's more ad-hoc PRF-based key derivation.
All lessons in this course
- TLS 1.3: 0-RTT, Early Data, and Session Resumption
- Mutual TLS (mTLS) Implementation Patterns
- Certificate Pinning in Mobile and Desktop Applications
- TLS Performance: QUIC and HTTP/3