Line 159: |
Line 159: |
| * All handshake messages after the ServerHello are now encrypted. The newly introduced EncryptedExtension message allows various extensions previously sent in clear in the ServerHello to also enjoy confidentiality protection from active attackers. | | * All handshake messages after the ServerHello are now encrypted. The newly introduced EncryptedExtension message allows various extensions previously sent in clear in the ServerHello to also enjoy confidentiality protection from active attackers. |
| * The key derivation functions have been re-designed. The new design allows easier analysis by cryptographers due to their improved key separation properties. The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is used as an underlying primitive. | | * The key derivation functions have been re-designed. The new design allows easier analysis by cryptographers due to their improved key separation properties. The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is used as an underlying primitive. |
− | * The handshake state machine has been significantly restructured to be more consistent and to remove superfluous messages such as ChangeCipherSpec (except when needed for middlebox compatibility).
| |
| * Elliptic curve algorithms are now in the base spec and new signature algorithms. Recommended curve algorithms are found in the table below. | | * Elliptic curve algorithms are now in the base spec and new signature algorithms. Recommended curve algorithms are found in the table below. |
| * The TLS 1.2 version negotiation mechanism has been deprecated in favor of a version list in an extension. This increases compatibility with existing servers that incorrectly implemented version negotiation. | | * The TLS 1.2 version negotiation mechanism has been deprecated in favor of a version list in an extension. This increases compatibility with existing servers that incorrectly implemented version negotiation. |
− | * Session resumption with and without server-side state as well as the Pre-Shared Key (PSK)-based cipher suites of earlier TLS versions have been replaced by a single new PSK exchange. | + | * Session resumption with and without server-side state as well as the Pre-Shared Key (PSK)-based cipher suites of earlier TLS versions have been replaced by a single new PSK exchange. Where non-PSK |
| * Updated references to point to the updated versions of RFCs, as appropriate (e.g., RFC 5280 rather than RFC 3280). | | * Updated references to point to the updated versions of RFCs, as appropriate (e.g., RFC 5280 rather than RFC 3280). |
| <br /> | | <br /> |
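Review bot: the sentence appended to the PSK bullet stops at "Where non-PSK", so that list item now ends mid-clause; either finish the sentence or drop the fragment before this goes live. The deletion of the "* The handshake state machine has been significantly restructured ... ChangeCipherSpec ..." bullet has no replacement line in this hunk, so the list of TLS 1.3 changes loses the state-machine/ChangeCipherSpec item entirely; if that removal is intentional, the edit summary should say why, otherwise restore it.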
Line 191: |
Line 190: |
| {| class="wikitable" | | {| class="wikitable" |
| |- | | |- |
− | ! Recommended TLS 1.3 Signature Algorithms | + | ! Recommended TLS 1.3 Signature Algorithms |
| |- | | |- |
| | ecdsa_secp256r1_sha256 | | | ecdsa_secp256r1_sha256 |
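Review bot: the header row is flagged as changed, but "Recommended TLS 1.3 Signature Algorithms" reads identically on both sides, so this is most likely a whitespace-only edit; worth confirming nothing else was lost. Separately, the bullet above says "Recommended curve algorithms are found in the table below" while the table is titled "Signature Algorithms" and lists entries such as ecdsa_secp256r1_sha256, so either rename the table or reword the bullet (whose "and new signature algorithms" is also not a complete clause) so readers do not expect a list of curves.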
Line 205: |
Line 204: |
| | rsa_pss_pss_sha512 | | | rsa_pss_pss_sha512 |
| |- | | |- |
− | | rsa_pss_rsae_sha256 | + | | rsa_pss_rsae_sha256 |
| |- | | |- |
| | rsa_pss_rsae_sha384 | | | rsa_pss_rsae_sha384 |
| |- | | |- |
− | | rsa_pss_rsae_sha512 | + | | rsa_pss_rsae_sha512 |
| |- | | |- |
| | rsa_pkcs1_sha256 | | | rsa_pkcs1_sha256 |
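Review bot: the rsa_pss_rsae_sha256 and rsa_pss_rsae_sha512 rows are marked changed but display identically before and after, so again probably whitespace only. The more substantive point is rsa_pkcs1_sha256 sitting under a "Recommended" heading with no qualifier: in TLS 1.3 the rsa_pkcs1_* scheme identifiers are accepted only for signatures in certificates, not for the CertificateVerify signature in the handshake, so the table should either note that restriction or split the certificate-only schemes from those usable in the handshake.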