Learn
0%
Build
0%

TLS 1.3 Basics

Learn about TLS 1.3, configure handshake parameters, and explore PQC migration trade-offs.

Before You Start

Prerequisites: Familiarity with public-key cryptography (asymmetric keys, digital signatures, certificates) and basic HTTPS concepts.

After completing this module, you will be able to:

  1. Explain the TLS 1.3 handshake and how it differs from TLS 1.2
  2. Compare overhead of classical, hybrid, and PQC TLS configurations quantitatively
  3. Configure a web server for hybrid PQC TLS key exchange

What is TLS 1.3?

1.3 (RFC 8446) is the latest version of the Transport Layer Security protocol, securing virtually all HTTPS traffic on the internet. It was a major overhaul from TLS 1.2, removing insecure legacy features and introducing mandatory , a faster 1-RTT handshake, and a dramatically simplified cipher suite list.

Removed
  • RSA key exchange (no forward secrecy)
  • CBC cipher modes
  • Renegotiation & compression
Added
  • Mandatory ECDHE forward secrecy
  • 0-RTT early data (optional) — vulnerable to replay attacks; servers must mitigate (RFC 8446 §8)
  • Encrypted handshake messages
Simplified
  • 5 cipher suites (vs hundreds in 1.2)
  • 1-RTT handshake (vs 2-RTT)
  • AEAD-only encryption

The TLS 1.3

The handshake establishes a secure connection in a single round trip. The client sends its supported parameters and a key share; the server responds with its choice and key share. After the ServerHello, all remaining handshake messages are encrypted using handshake traffic keys derived via .

💻
Client
🖥️
Server
ClientHello(mTLS)
+ key_share, supported_groups
ServerHello(mTLS)
+ key_share
Handshake keys derived
{EncryptedExtensions}(mTLS)
{CertificateRequest}(mTLS)
mTLS: server requests client cert
{Certificate}(mTLS)
Server identity
{CertificateVerify}(mTLS)
Signature proof
{Finished}(mTLS)
Server handshake MAC
{Certificate}(mTLS)
Client identity (mTLS)
{CertificateVerify}(mTLS)
Client signature (mTLS)
{Finished}(mTLS)
Client handshake MAC
Application Data(mTLS)
Encrypted with traffic keys

Explained

TLS 1.3 cipher suites only specify the symmetric encryption algorithm and hash — key exchange and authentication are negotiated separately. This is why there are only 5 suites compared to hundreds in TLS 1.2.

TLS_AES_256_GCM_SHA384 in GCM mode (AEAD) + SHA-384 for HKDF
TLS_AES_128_GCM_SHA256AES-128 in GCM mode (AEAD) + SHA-256 for HKDF
TLS_CHACHA20_POLY1305_SHA256 (AEAD) + SHA-256 — optimized for mobile/ARM
TLS_AES_128_CCM_SHA256AES-128 in CCM mode + SHA-256 — designed for constrained environments (IoT)
TLS_AES_128_CCM_8_SHA256AES-128 in CCM mode with 8-byte auth tag + SHA-256 — for highly constrained devices

Key Exchange: Classical, PQC, and Hybrid

TLS 1.3 uses ephemeral key exchange for every connection, ensuring forward secrecy. With post-quantum cryptography (PQC), three approaches are available:

Classical ()

, , . Fast and small (~32 byte keys). Vulnerable to quantum computers.

PQC ()

ML-KEM-512/768/1024. Quantum-resistant. Larger keys (~1.2 KB for ML-KEM-768) increase handshake size.

Hybrid

combines both. Already deployed in Chrome and Firefox. Secure even if one algorithm is broken.

Key Schedule (HKDF)

TLS 1.3 derives all session keys through a structured key schedule using HKDF (HMAC-based Key Derivation Function). The shared secret from key exchange feeds into a chain of Extract and Expand operations:

1.Early Secret — derived from PSK (or zero for full handshake)
2.Handshake Secret — derived from ECDHE/KEM shared secret → produces CLIENT_HANDSHAKE_TRAFFIC_SECRET and SERVER_HANDSHAKE_TRAFFIC_SECRET
3.Master Secret — produces CLIENT_TRAFFIC_SECRET_0 and SERVER_TRAFFIC_SECRET_0 for application data

These exact secrets are visible in the Simulate tab after running a handshake.

Session Resumption & PSK

After a successful handshake, the server issues a Pre-Shared Key (PSK) ticket. On reconnection, the client presents this PSK, which feeds into the Early Secret stage — enabling a faster resumed handshake and optionally 0-RTT early data. In a full handshake with no prior session, the PSK input is zero.

HelloRetryRequest (HRR)

If the server does not support any of the key exchange groups offered in the client's initial ClientHello, it responds with a HelloRetryRequest instead of a ServerHello. This tells the client to retry with a different key share. The result is a 2-RTT handshake instead of the standard 1-RTT.

When Does HRR Happen?
  • Client offers X25519 only, server requires ML-KEM
  • Client offers ML-KEM-768, server wants ML-KEM-1024
  • Client's key_share group doesn't match any server preference
PQC Migration Impact
  • During PQC rollout, mismatched groups are common
  • Hybrid groups (X25519MLKEM768) minimize HRR — classical clients still match X25519
  • HRR adds latency but never breaks the connection

In the simulator, try configuring the client with only ML-KEM-1024 and the server with only X25519 to observe a group negotiation mismatch.

Post-Quantum Cryptography in TLS

Quantum computers threaten classical key exchange (ECDH) through . The attack means adversaries can record encrypted traffic today and decrypt it once quantum computers are available. PQC integration into TLS addresses this by using KEMs (ML-KEM) and signatures ().

The trade-off: PQC algorithms have larger keys and ciphertexts, increasing handshake overhead. For example, ML-KEM-768 public keys are ~1,184 bytes vs 32 bytes for X25519. The hybrid approach (e.g., X25519MLKEM768) provides quantum resistance while maintaining classical security as a fallback.

SLH-DSA: Hash-Based Alternative (FIPS 205)

(formerly SPHINCS+) is a hash-based signature scheme standardized alongside ML-DSA. It relies on hash function security rather than lattice problems, providing cryptographic diversity— if lattices are broken, SLH-DSA remains secure. The trade-off is significantly larger signatures (~7.9 KB (7,856 B) for SLH-DSA-SHA2-128s vs ~2.4 KB for ML-DSA-44). Both are available in the simulator's signature algorithm options.

Scaling PQC for HTTPS

PQC signatures are significantly larger than classical ones — an ML-DSA certificate chain can add several kilobytes to every TLS handshake. For the web, where billions of connections happen daily, this overhead is a serious scalability concern. The ecosystem is deploying multiple mitigations.

TLS Certificate Compression (RFC 8879)

Already supported by major browsers, TLS certificate compression can reduce PQC certificate overhead by 30-60%. Certificates are compressed with Zlib or Brotli before transmission and decompressed by the peer. This is a practical short-term mitigation available today while more advanced solutions are being built.

Certificate Transparency (RFC 9162)

Certificate Transparency (CT) requires CAs to log all issued certificates in publicly auditable append-only logs. Browsers verify that certificates appear in CT logs, preventing misissued certificates from going undetected. Understanding CT is essential context for Merkle Tree Certificates, which leverage this same log infrastructure.

Merkle Tree Certificates (MTC)

Google's MTC program (announced February 2026) goes further than compression — it replaces entire certificate chains with compact Merkle proofs.

Problem: X.509 Certificate Chains

Traditional TLS uses a chain of X.509 certificates, each containing a public key and a signature from the issuing CA. With PQC signatures (~3.3 KB for ML-DSA-65), a typical 2-certificate chain adds ~7 KB+ to the handshake — a substantial bandwidth increase.

Solution: Merkle Tree Proofs

MTCs replace the serialized signature chain with a compact Merkle inclusion proof. A single CA-signed "Tree Head" represents potentially millions of certificates. Browsers receive a lightweight proof-of-inclusion rather than full certificate chains.

Deployment Roadmap

Phase 1 (Now)Feasibility testing with Cloudflare on live traffic; all MTC connections backed by traditional X.509 certificates as fallback
Phase 2 (Q1 2027)Inviting Certificate Transparency log operators to bootstrap public MTC infrastructure
Phase 3 (Q3 2027)Establishing Chrome Quantum-resistant Root Store (CQRS) with new requirements for MTC Certificate Authorities
Google Security Blog: Quantum-safe HTTPS

Encrypted Client Hello (ECH)

PQC protects the content of TLS connections from quantum attack, but the initial ClientHello — including the Server Name Indication (SNI) — is sent in plaintext, revealing which site a user is connecting to. Encrypted Client Hello (ECH) solves this by encrypting the ClientHello using a key published in DNS.

Major browsers are deploying ECH alongside hybrid PQC key exchange (X25519MLKEM768). Together, they protect both the metadata (who you connect to) and the content (what you exchange) against current and future adversaries.

Related Resources

VPN/IPsec & SSH
PQC in IKEv2, SSH, and WireGuard protocols
Algorithm Explorer
Compare key sizes, security levels & performance
OpenSSL Studio
Run PQC commands live in your browser
Threat Dashboard
Industry-specific quantum risks & PQC replacements
API Security & JWT
PQC tokens & OAuth 2.0 migration over TLS
5G Security
SUCI, 5G-AKA & PQC transport in mobile networks
Web Gateway PQC
PQC TLS termination at reverse proxies & CDNs
Network Security
NGFWs, TLS inspection & ZTNA with PQC cipher suites

Products shown here are a representative selection — not an exhaustive list. For the full vendor landscape with PQC readiness status, visit the Tools & Products tab in this module or browse the Migrate catalog →

Check off all sections and mark this reading done.

Learning module content can be inaccurate. Please double-check its information. Report inaccuracies in PQC Today GitHub Discussions.