Bye-bye Three-way Handshake, and Hello to 0-RTT
But, beware of the Replay Attack
And, so, today, OpenSSL 3.5.0 was released, and which supports a range of PQC methods and 0-RTT [here]:
Overall, we have stuck with the 3-way handshake for many decades, and it is now seen as too slow in a modern “always-on, always-connected” world. In a normal Web connection, the client sends a SYN TCP request, the server then replies with a TCP SYN/ACK, and then the client sends back an ACK. This obviously slows down the connection, and where we might close a connection, and want it opened up again in a short interval. In fact, HTTP was meant to be stateless, and where we disconnect after a connection is made. Most browsers overcome this with a keep-alive packet.
But all of this will change with 0-RTT (Zero Round Trip Time) and which is integrated into TLS 1.3. This will allow a client to immediately reconnect without the requirement for the three-way handshake. Basically, it allows data to be sent by a client without waiting for the server to respond. With this, the client connects to a server for the first time and does a full TCP 3-way handshake. This handshake also contains cryptographic session information that defines a session ticket. This ticket can then be used by the client to connect to the server at some time in the future. Overall, the server does not have to respond before the client can send data with the ticket. The server can then decide whether it wants to respond to the ticket information.
Normally, there would be a negotiation of the cyphers that are used, such as for the key exchange method, the symmetric key method and the digital signature method. For this, the client sends a Client Hello with the ciphers it would like to use, and the server responds with a Server Hello on the cipher it picks:
With a 0-RTT approach, the client does not have to wait for the server to authenticate itself using a PSK (Pre-shared-key) extension, as agreed upon before the session. The client can then send data at any time without using the three-way handshake or authentication. The client thus has to remember one key per server, but the server will have to remember the PSKs for all the clients that connect to it. If the server forgets the PSK, the client can request a new session ticket.
Unfortunately, there are hacks for this, and the client does not check the certificate of the server it is connecting to, and also for replay attacks. This is defined in the TLS 1.3 specification [here]:
A basic attack is where a client sends a 0-RTT message to Server A. This message is then copied by Eve, and who sends it to both Server A and Server B. Server A will accept it, but Server B will request a full handshake with the client. The client then resends the message to B, and will thus allow for a replay of the message for Server A to Server B —and thus a replay attack.
Overall, we are typically moving away from TCP-type communications and towards the UDP-based QUIC protocol [here]:
0-RTT fits in well with the QUIC protocol, and which is supported in TLS 1.3.