Paper 2019/421

Continuing to reflect on TLS 1.3 with external PSK

Liliya Akhmetzyanova, Evgeny Alekseev, Ekaterina Smyshlyaeva, and Alexandr Sokolov


The TLS protocol is the main cryptographic protocol of the Internet. The work on its current version, TLS 1.3, was completed in 2018. This version differs from the previous ones and has been developed taking into account all modern principles of constructing cryptographic protocols. At the same time, even when there are security proofs in some fairly strong security model, it is important to study the possibility of extending this model and then clarifying the security limits of the protocol. In this paper, we consider in detail the restriction on the usage of post-handshake authentication in connections established on external PSK. We clarify that the certain vulnerability appears only in the case of psk_ke mode if more than a single pair of entities can possess a single PSK. We provide several practical scenarios where this condition can be easily achieved. Also we propose appropriate mitigation.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
TLS 1.3pre-shared keypost-handshake authentication
Contact author(s)
lah @ cryptopro ru
alekseev @ cryptopro ru
2019-04-27: received
Short URL
Creative Commons Attribution


      author = {Liliya Akhmetzyanova and Evgeny Alekseev and Ekaterina Smyshlyaeva and Alexandr Sokolov},
      title = {Continuing to reflect on TLS 1.3 with external PSK},
      howpublished = {Cryptology ePrint Archive, Paper 2019/421},
      year = {2019},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.