A Deep Dive Into TLS 1.3 Encryption
Most internet users are familiar with the term encryption or encrypted connection. Some form of encrypted connection has been around almost since the birth of the internet, and encryption methods continue to evolve over time. The latest and most advanced version of the TLS encryption protocol is TLS 1.3, which was introduced on 21 March 2018.
Let’s take a look at TLS 1.3 and its evolution, as well as a short history of encrypted connections.
Here’s what we’ll be discussing in this post:
- What is an Encrypted Connection?
- What is the Purpose of Encrypted Connections?
- Symmetric vs. Asymmetric Encryption
- The Problems of Data Encryption
- TLS vs. SSL
- Advantages of TLS 1.3
What is an Encrypted Connection?
A connection encryption protocol is a set of rules that secures data exchanges between a client and a web server. After the secure connection is established, third parties can no longer intercept or eavesdrop on the stream of data between the client and server. However, encryption does have its drawbacks, primarily in the trade-off between security and speed: often, the more secure the encryption, the slower the download. This is why developers keep improving and introducing new encryption protocols.
Out of concern for security, some protocols become bulky and increase latency, creating a slowdown in download times that is noticeable to users.
What’s the Purpose of Encrypted Connections?
If you were visiting a fashion blog, you would be safe using an unencrypted transmission since the only personal information at risk would be the fact that you were interested in fashion. However, if you were to then purchase a pair of shoes through the fashion blog, you’d be sending private personal data to the server, which could include your credit card number, bank account information, and other personal details. In this scenario, your personal data would be at risk.
Today, 81% of all internet traffic has some form of encryption. There are two main purposes for encryption.
1- Security:
When a secure transmission is established, the transmitted data is not accessible by an unintended third-party, such as a hacker. Even if a hacker eavesdrops or hacks the connection and seizes the transmitted data, it will be extremely difficult to decipher. The encryption keys will be too long and complex for a hacker to unlock the encrypted data.
2- Authentication or Verification:
In cases involving credit card information or sensitive personal details, encryption allows the data to be verified at the endpoint of the data transmission, in order to check that the data has been sent to the intended destination. Without encryption, however, hackers can intercept the transmission and disguise themselves as the intended recipient. In this instance, the services or clients are tricked into willingly sending their private data to malevolent third parties.
This is a simplistic example. In reality, personal computers and mobile devices hold a significant amount of personal information, some of which is transmitted to various servers. This is why it is important and necessary to encrypt the transmissions between servers and clients in order to protect your privacy. Otherwise, small bits and pieces of intercepted unencrypted data could be used by malevolent third parties to seize your private data.
Symmetric vs. Asymmetric Encryption
What are symmetric and asymmetric encryptions?
In symmetric encryption, a single encryption key is exchanged between the client and the server. This key is used by both sides to encrypt and decrypt the transmitted data. However, for both parties to use the key, it must first be sent unencrypted, which makes the connection extremely insecure and susceptible to hacking.
In asymmetric encryption, at least three encryption keys are involved. One is a public encryption key used at the beginning of the transmission; this stage is called a partially secured transmission.
After the public keys are exchanged, the client and server create their own encryption keys, which are mathematically linked to the public key, and exchange these keys. These keys are then used with the public key for the rest of the transmission.
The client uses the server’s private key, and the server uses the client’s key, to encrypt the data. The received data is then decrypted with each side’s own private key. This way, even the sender is not able to decrypt the sent data — only the intended receiver can decrypt it.
This is why the method is called “asymmetric”: different keys are used at the two endpoints to encrypt and decrypt the data.
As you can see, symmetric and asymmetric encryption differ in the method used to deliver the encryption key. Asymmetric encryption is one of the main reasons why TLS 1.3 is far more secure than its predecessors.
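The key-agreement idea behind asymmetric encryption, as an added illustration that is not part of the original post: each side keeps a private value, publishes a public value derived from it, and both arrive at the same shared secret, from which a symmetric key is derived without that key ever travelling on the wire. The Diffie-Hellman group parameters `P` and `G` below are a toy-sized assumption chosen for readability; TLS 1.3 uses 2048-bit or larger finite-field groups or elliptic curves such as X25519, and derives keys with HKDF rather than a single SHA-256 call.

```python
"""Added illustration (not the blog's code): an asymmetric key agreement that
produces the symmetric key protecting the rest of a session. Standard library only."""
import hashlib
import secrets

# Toy Diffie-Hellman parameters (ASSUMPTION, illustration only): the Mersenne
# prime 2^127 - 1 and generator 2. Far too small to be secure in practice.
P = (1 << 127) - 1
G = 2


def generate_keypair(p=P, g=G):
    """Return (private, public). The private value never leaves its owner."""
    private = secrets.randbelow(p - 2) + 2   # 2 <= private < p
    public = pow(g, private, p)              # safe to send in the clear
    return private, public


def shared_secret(own_private, peer_public, p=P):
    """Both parties compute the same value: g^(a*b) mod p."""
    return pow(peer_public, own_private, p)


def derive_symmetric_key(secret_int, label=b"toy session key"):
    """Hash the agreed integer into a fixed-length symmetric key.
    Real TLS 1.3 runs the shared secret through HKDF instead."""
    raw = secret_int.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(label + raw).digest()


def run_exchange():
    """Simulate a client and a server agreeing a key over a public channel.
    Returns (client_key, server_key, transcript); the transcript is everything
    an eavesdropper on the wire would observe."""
    client_priv, client_pub = generate_keypair()
    server_priv, server_pub = generate_keypair()
    transcript = {"client_pub": client_pub, "server_pub": server_pub}
    # Each side combines its own private value with the peer's public value.
    client_key = derive_symmetric_key(shared_secret(client_priv, server_pub))
    server_key = derive_symmetric_key(shared_secret(server_priv, client_pub))
    return client_key, server_key, transcript


if __name__ == "__main__":
    ck, sk, seen = run_exchange()
    print("both sides hold the same key:", ck == sk)
    print("on the wire only:", {k: hex(v)[:18] + "..." for k, v in seen.items()})
```

Contrast this with the purely symmetric setup the post describes: there, the key itself would have to be handed over before the first encrypted byte, so anything watching the channel at that moment would learn it. Here the observer sees only the two public values, and every run produces a fresh session key.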
The Problems with Data Encryption
Today, even banking and governmental operations can be conducted over the internet, which is why it’s crucial to encrypt data transmissions. Security protocols, certificates and data encryption have become an indispensable part of internet security. This is the reason why apps, web browsers and servers are eager to improve their encryption processes and comply with new internet security protocols.
The first problem with the encryption process is the processing power needed to conduct the operation. Constantly encrypting and decrypting data transmissions requires a certain amount of processing power. Today’s commercial CPUs, even those in mobile devices, can easily handle this since most have multiple processing cores and very high capabilities. While improvements in encryption have made these methods bulkier and caused noticeable connection latencies, these slowdowns have been mostly masked by data delivery improvements such as BBR, Brotli and HTTP/2.
Another issue is the handshake process, which we’ll cover further in this post.
TLS vs. SSL
Both SSL and TLS are encryption protocols that provide authentication and data encryption between servers, machines and applications operating over a network (e.g. a client connecting to a web server). SSL is the predecessor to TLS. Over the years, new versions of the protocols have been released to address vulnerabilities and support stronger, more secure cipher suites and algorithms.
SSL was originally developed by Netscape and introduced in 1995 with SSL 2.0 (SSL 1.0 underwent so many improvements that SSL 2.0 ended up being the first launched product). Even SSL 2.0 was upgraded to SSL 3.0 in 1996 after a number of vulnerabilities were found. These versions are sometimes referred to as SSLv2 and SSLv3.
In 1999, a new version of the encryption protocol, based on SSL 3.0, was introduced under the name TLS. SSL 3.0 had so many flaws and vulnerabilities that it was deemed insecure by the Internet Engineering Task Force (IETF).
The IETF is an open standards organisation. It develops and promotes voluntary internet standards, in particular the standards that comprise the Internet protocol suite (TCP/IP).
Today, most people may recognize the term Secure Sockets Layer (SSL) and some may use it interchangeably with TLS. In reality, SSL was the first encryption method introduced by (now defunct) Netscape and is the predecessor to TLS.
There is also a difference between an encryption certificate and an encryption protocol. SSL certificates are still valid and widely used. This, along with the above fact, is considered to be the reason why most people use the terms interchangeably.
TLS 1.3 and Its Advantages
TLS 1.3 was finalised after 28 drafts on March 21, 2018. The final version of TLS 1.3 is defined in RFC 8446.
The New Handshake Process of TLS 1.3
The term “handshake” refers to the client and the server’s process of hailing each other. The previous versions of TLS had a long handshake process with many round trips. These round trips were necessary just to start the encryption process. The number of round trips increased the latency and extended the period of unencrypted data transmission between the server and the client, which opened a window of opportunity for hackers.
TLS 1.3 decreases the process to only one round trip. After a single round trip, the encrypted transmission starts. This is beneficial for security because the encrypted protocol starts sooner, and it provides obvious speed advantages. This process is called zero round trip time (0-RTT).
TLS 1.3 achieves this by starting an encrypted transmission containing all the data, including possible ciphering methods, key shares, etc. After the client sends all its compatible methods, the server picks one of the compatible encryption methods. It then sends a “handshake finished” message containing the signed encryption certificate and the preferred encryption method. At this point, the encrypted transmission starts.
Eliminating Legacy Codes in TLS 1.3
In computer technology, “legacy” simply refers to older hardware or software. Previous versions of TLS contained many legacy code parts, which were the source of many vulnerabilities. In TLS 1.3, all legacy code was removed, eliminating the vulnerabilities that came with it. As a result, unlike most previous versions of TLS, TLS 1.3 is not backwards compatible.
Solving Zero Round Trip Time (0-RTT) Problems
Zero round trip time speeds up the connection but may leave the client or the server susceptible to attacks, especially in the case of discontinued connections. In that case, the client preemptively sends all the data and the previously preferred encryption methods during the connection-establishment request. It is possible for an attacker to mimic the request data and establish a connection disguised as a specific user.
TLS 1.3 eliminates these problems by simply making it the server’s responsibility to check the authenticity of a user. Servers do this by allocating session tickets. Session tickets are sent by the server to the client and are encrypted by a key, which is stored at the server. The ticket cannot even be decrypted by the client — only by the server that provided the ticket. The ticket includes critical data such as sequence numbers. This way, the server can validate the authenticity of the user and continue the transmission.
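The server-side ticket checks described above, written out as an added example that is not part of the original post or of any TLS library. Early data sent with a ticket can be captured and re-sent by an observer, which is why RFC 8446 section 8 asks servers that accept 0-RTT data to add anti-replay measures such as single-use tickets and freshness checks; this toy `TicketStore` implements both. One simplification, labelled here and in the code: the ticket body is authenticated with an HMAC under the server-held key rather than encrypted, so the example stays standard-library only, whereas a real ticket is also opaque to the client.

```python
"""Added example (not the blog's code): server-side anti-replay checks for
resumption tickets used with 0-RTT early data. The ticket is HMAC-protected
instead of encrypted to keep the example standard-library only."""
import hashlib
import hmac
import secrets
import struct

TICKET_ID_LEN, TIME_LEN, TAG_LEN = 16, 8, 32


class TicketStore:
    """Issues tickets and validates them once, within a freshness window."""

    def __init__(self, ticket_key, lifetime_s=600):
        self._key = ticket_key        # stays on the server; clients never see it
        self._lifetime = lifetime_s   # how long a ticket remains redeemable
        self._used = set()            # ids already redeemed (single-use check)

    def _tag(self, body):
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def issue(self, now):
        """Ticket = random id || issue time in seconds || HMAC over both."""
        body = secrets.token_bytes(TICKET_ID_LEN) + struct.pack(">Q", now)
        return body + self._tag(body)

    def redeem(self, ticket, now):
        """Return (accepted, reason) for an early-data attempt carrying a ticket."""
        if len(ticket) != TICKET_ID_LEN + TIME_LEN + TAG_LEN:
            return False, "malformed"
        body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
        if not hmac.compare_digest(self._tag(body), tag):
            return False, "bad mac"      # forged or altered ticket
        ticket_id = body[:TICKET_ID_LEN]
        issued_at = struct.unpack(">Q", body[TICKET_ID_LEN:])[0]
        if now < issued_at or now - issued_at > self._lifetime:
            return False, "expired"      # freshness window limits how long a capture is useful
        if ticket_id in self._used:
            return False, "replayed"     # a re-sent 0-RTT flight carries the same ticket
        self._used.add(ticket_id)
        return True, "accepted"


def simulate(now=1_000_000):
    """Constructed walk through the cases a server must handle; returns the
    reasons in order: genuine use, replay, tampered ticket, stale ticket."""
    store = TicketStore(secrets.token_bytes(32), lifetime_s=600)
    ticket = store.issue(now)
    first = store.redeem(ticket, now + 5)              # genuine resumption
    replay = store.redeem(ticket, now + 6)             # identical bytes sent again
    forged = bytearray(store.issue(now))
    forged[-1] ^= 0x01                                  # flip one bit of the MAC
    tampered = store.redeem(bytes(forged), now + 5)
    stale = store.redeem(store.issue(now), now + 601)  # outside the window
    return [first[1], replay[1], tampered[1], stale[1]]


if __name__ == "__main__":
    print(simulate())
```

The `_used` set is what makes the second, byte-identical request fail, and the time window bounds how long that set has to be kept; in a deployment with several servers the set has to be shared or replaced by a per-ticket counter, or the server can simply decline early data and fall back to the normal one-round-trip handshake.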
TLS 1.3: More Robust Encryption Keys
The whole encryption process of TLS 1.3 is more complex and secure than that of its predecessors. While processing the encrypted transmissions creates extra workload for processors, the keys themselves have a minimal effect on the amount of encryption work. This makes it virtually impossible for a hacker to “break” the encryption code.
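How the key shares exchanged during the handshake become the keys that protect the session, covering both the handshake description above and this section on keys, as an added example that is not code from the original post. In TLS 1.3 no traffic key is ever transmitted: the key_share exchange yields an (EC)DHE shared secret, and the key schedule of RFC 8446 section 7.1 derives separate handshake and application secrets from it with HKDF, binding each one to the hash of the handshake transcript. The block below builds that schedule from `hashlib` and `hmac` only, for the SHA-256 cipher suites; the shared-secret and transcript inputs in the demo are constructed placeholders, while the two fixed intermediate values (the early secret with no PSK, and the "derived" secret) match the published RFC 8448 test vectors.

```python
"""Added example (not the blog's code): the TLS 1.3 key schedule
(RFC 8446 section 7.1) for SHA-256 suites, standard library only."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for TLS_AES_128_GCM_SHA256


def hkdf_extract(salt, ikm):
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM); empty salt means zeros."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand (RFC 5869): T(i) = HMAC(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret, label, context, length):
    """HKDF-Expand-Label: info is HkdfLabel{length, "tls13 " + label, context}."""
    full_label = b"tls13 " + label
    info = (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)


def derive_secret(secret, label, transcript):
    """Derive-Secret = HKDF-Expand-Label(secret, label, Hash(transcript), Hash.length)."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def handshake_secrets(ecdhe_shared, transcript_ch_sh, psk=b""):
    """Run the schedule from the key_share result to the handshake traffic keys.

    ecdhe_shared      -- the (EC)DHE result of the key_share exchange
    transcript_ch_sh  -- the ClientHello..ServerHello handshake messages
    psk               -- pre-shared key; empty when no resumption PSK is used
    """
    early_secret = hkdf_extract(b"", psk or b"\x00" * HASH_LEN)
    derived = derive_secret(early_secret, b"derived", b"")
    handshake_secret = hkdf_extract(derived, ecdhe_shared)
    c_hs = derive_secret(handshake_secret, b"c hs traffic", transcript_ch_sh)
    s_hs = derive_secret(handshake_secret, b"s hs traffic", transcript_ch_sh)
    return {
        "early_secret": early_secret,
        "derived": derived,
        "handshake_secret": handshake_secret,
        "client_hs_traffic": c_hs,
        "server_hs_traffic": s_hs,
        # Per-direction AEAD key (16 bytes for AES-128-GCM) and IV (12 bytes)
        "client_hs_key": hkdf_expand_label(c_hs, b"key", b"", 16),
        "client_hs_iv": hkdf_expand_label(c_hs, b"iv", b"", 12),
        "server_hs_key": hkdf_expand_label(s_hs, b"key", b"", 16),
        "server_hs_iv": hkdf_expand_label(s_hs, b"iv", b"", 12),
    }


if __name__ == "__main__":
    # Constructed placeholder inputs, not bytes from a real handshake.
    demo = handshake_secrets(b"\x11" * 32, b"constructed ClientHello||ServerHello")
    for name, value in demo.items():
        print(f"{name:18s} {value.hex()}")
```

Two properties are worth noticing when running it: the client and server directions get different secrets from the same handshake secret, so compromising one direction's key does not expose the other, and changing a single byte of the transcript changes every derived key, which is how a tampered handshake is detected when the Finished message is checked.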
Speed Advantages of TLS 1.3
This efficient handshake is only possible due to the removal of TLS 1.2 legacy features. TLS 1.3 has the additional advantage that users can send data in the first message to the server for recently visited sites. Thanks to the zero round trip feature (0-RTT), this results in even faster load times. The speed improvements of TLS 1.3 will be more noticeable on mobile devices.
Conclusion
TLS 1.3 is significantly faster and more secure than its previous versions. It completely eliminates the previous security vulnerabilities and has seen very strong support from the online community.
Google has even announced a “no support date” for TLS 1.0, and it can be expected that the same will happen to other older versions. The most widely used browsers, such as Chrome and Firefox, have already started supporting TLS 1.3.
It can be expected that Google will even place sites with no TLS 1.3 encryption lower in the Search Engine Results Page (SERP).
TLS 1.3’s speed and security advantages make it necessary for CDN clients to switch to a CDN provider, such as Medianova, which supports TLS 1.3 encryption. This allows companies to stay ahead of the times and ensure their online visitors and users are fully secure.