Paper 2019/347

Selfie: reflections on TLS 1.3 with PSK

Nir Drucker and Shay Gueron


TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed Pre Shared Key (PSK). This PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency. We identify a security vulnerability in this TLS 1.3 path, by showing a new reflection attack that we call ``Selfie''. The Selfie attack breaks the mutual authentication. It leverages the fact that TLS does not mandate explicit authentication of the server and the client in every message. The paper explains the root cause of this TLS 1.3 vulnerability, demonstrates the Selfie attack on the TLS implementation of OpenSSL and proposes appropriate mitigation. The attack is surprising because it breaks some assumptions and uncovers an interesting gap in the existing TLS security proofs. We explain the gap in the model assumptions and subsequently in the security proofs. We also provide an enhanced Multi-Stage Key Exchange (MSKE) model that captures the additional required assumptions of TLS 1.3 in its current state. The resulting security claims in the case of external PSKs are accordingly different.

Available format(s)
Cryptographic protocols
Publication info
TLS 1.3Reflection attackNetwork securityMulti-Stage Key Exchange model
Contact author(s)
shay gueron @ gmail com
drucker nir @ gmail com
2019-04-05: revised
2019-04-03: received
See all versions
Short URL
Creative Commons Attribution


      author = {Nir Drucker and Shay Gueron},
      title = {Selfie: reflections on TLS 1.3 with PSK},
      howpublished = {Cryptology ePrint Archive, Paper 2019/347},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.