Technical Deep-Dives

TLS 1.3 Explained: RFC 8446 + Handshake Walkthrough

TLS 1.3 in 2026: RFC 8446 explained, 1-RTT handshake, HKDF key derivation, 0-RTT resumption, encrypted certificates, ECH. Modern protocol standard.

RG&T
Rathnakara GN & Theertha
Cybersecify
9 min read

Article 3 of 6: Understanding TLS Security Series

TLS 1.3, finalized in August 2018 (RFC 8446), is a fundamental redesign of the protocol. It removes decades of accumulated security debt while improving both performance and privacy.

This article covers the streamlined 1-RTT handshake, HKDF key derivation, removed legacy features, 0-RTT resumption, Encrypted Client Hello (ECH), and post-quantum key exchange.

Key findings

  • TLS 1.3 (RFC 8446) was finalized in August 2018 as a fundamental redesign of the protocol. It is not an incremental upgrade over TLS 1.2; it removes decades of accumulated security debt while improving performance.
  • 1-RTT handshake is the default for new connections. The client sends its ECDHE key share speculatively in the first message, allowing encryption to start after one round trip instead of two. 0-RTT resumption is available for returning clients but carries replay risk and should be restricted to idempotent requests.
  • Forward secrecy is mandatory in TLS 1.3, always via ECDHE. Static RSA key exchange is removed, eliminating the “key compromise decrypts all past traffic” failure mode.
  • The certificate is encrypted during the TLS 1.3 handshake. Passive network observers cannot see which certificate was presented, only the server IP and (without ECH) the SNI hostname in Client Hello.
  • HKDF (HMAC-based Key Derivation Function, RFC 5869) replaced the TLS 1.2 PRF. HKDF is built on standard HMAC primitives, has been formally verified, and uses a three-stage key schedule (Early Secret, Handshake Secret, Master Secret) that prevents key reuse across derivation stages.
  • Only 5 cipher suites exist in TLS 1.3, all AEAD. TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_CCM_SHA256, TLS_AES_128_CCM_8_SHA256. No weak options possible. Key exchange and authentication are negotiated separately via extensions, not embedded in the cipher suite name.
  • Removed legacy features eliminate entire attack categories: RSA key exchange (no forward secrecy), CBC ciphers (POODLE, Lucky13, BEAST), RC4 (keystream biases), 3DES (Sweet32), MD5/SHA-1 signatures (SHAttered collision), compression (CRIME/BREACH), renegotiation, static DH/ECDH, and custom DH groups (Logjam).
  • Encrypted Client Hello (ECH) hides SNI from passive observers by encrypting the entire Client Hello. Requires DNS-over-HTTPS (DoH) for full privacy. Enabled by default on Cloudflare, supported by Chrome (since 2023) and Firefox.
  • Hybrid post-quantum key exchange (X25519MLKEM768 or X25519Kyber768) combines classical X25519 with ML-KEM, providing security against both classical and quantum attackers. Already deployed at Cloudflare and Google scale.

Cybersecify is a founder-led penetration testing firm based in Bengaluru, India, serving AI-first and API-first SaaS startups. We provide pentest and security consulting for SaaS startups, and we validate TLS configuration (including TLS 1.3 enforcement, forward secrecy, cipher suite hygiene, ECH support, and post-quantum readiness) during our Web Application Pentest and IoT Pentest engagements. See a redacted sample report for the structure of findings we deliver.

TLS 1.3 vs TLS 1.2 Comparison

FeatureTLS 1.2TLS 1.3
Handshake RTT2-RTT1-RTT (0-RTT resume)
Forward SecrecyOptional (ECDHE)Mandatory
Certificate PrivacyPlaintext (visible)Encrypted (hidden)
Cipher Suites37+ (many weak)5 (all AEAD)
Key DerivationPRFHKDF
RSA Key ExchangeSupportedRemoved
CBC CiphersSupportedRemoved

1. TLS 1.3 Handshake (1-RTT)

Theory: How It Works

The key innovation: the client sends its key share speculatively in the first message, allowing encryption after just one round trip.

CLIENT                                          SERVER
  |                                               |
  |  1. Client Hello + Key Share                  |
  |  ──────────────────────────────────────────►   |
  |  TLS 1.3, ciphers, ECDHE public key           |
  |                                               |
  |              2. Server Hello + Key Share       |
  |  ◄──────────────────────────────────────────   |
  |  Selected cipher, server ECDHE key             |
  |                                               |
  |  ═══════ ENCRYPTION STARTS ═══════            |
  |                                               |
  |              3. Encrypted Extensions           |
  |  ◄──────────────────────────────────────────   |
  |  Additional parameters (encrypted)             |
  |                                               |
  |              4. Certificate (ENCRYPTED!)       |
  |  ◄──────────────────────────────────────────   |
  |  Hidden from observers!                        |
  |                                               |
  |              5. Certificate Verify             |
  |  ◄──────────────────────────────────────────   |
  |  Signature over transcript                     |
  |                                               |
  |              6. Server Finished                |
  |  ◄──────────────────────────────────────────   |
  |  MAC over handshake                            |
  |                                               |
  |  7. Client Finished                           |
  |  ──────────────────────────────────────────►   |
  |  Handshake complete                            |
  |                                               |
  |  Application Data (Encrypted)                 |
  |  ◄────────────────────────────────────────►   |

              Total: 1 Round Trip (1-RTT), 50% Faster!

Key Differences from TLS 1.2:

  • Certificate is ENCRYPTED, so observers cannot see the destination
  • Key share sent speculatively, saving one round trip
  • No Change Cipher Spec message, resulting in a cleaner protocol
  • Encryption starts immediately after Server Hello

Practical: Real-World Implementation

# Force TLS 1.3
openssl s_client -connect example.com:443 -tls1_3

# Show TLS 1.3 cipher suites
openssl ciphers -v -tls1_3

# Verify TLS 1.3 support
openssl s_client -connect example.com:443 2>&1 | grep Protocol

Wireshark Visibility Comparison:

PacketTLS 1.2TLS 1.3
Client HelloVisibleVisible
Server HelloVisibleVisible
CertificateVISIBLEENCRYPTED
Server Key ExchangeVisibleN/A
Application DataEncryptedEncrypted

Reality: Security Risks

IssueImpactSolution
SNI VisibleServer name in Client Hello plaintextEncrypted Client Hello (ECH)
Middlebox IssuesSome firewalls break TLS 1.3Middlebox compatibility mode
Legacy ClientsOld browsers lack supportEnable TLS 1.2 fallback

2. Key Derivation (HKDF)

Theory: How It Works

TLS 1.3 uses HKDF (HMAC-based Key Derivation Function) instead of PRF, providing cleaner cryptographic separation.

HKDF Key Schedule:

Stage 1 - Early Secret (0-RTT):
  Early Secret = HKDF-Extract(salt=0, PSK or 0)

Stage 2 - Handshake Secret:
  Handshake Secret = HKDF-Extract(derived, ECDHE_secret)

Stage 3 - Master Secret:
  Master Secret = HKDF-Extract(derived, 0)
FunctionPurpose
HKDF-ExtractCombines salt + input key material into PRK
HKDF-ExpandDerives multiple keys from single secret
Derive-SecretTLS 1.3 wrapper with transcript hash

HKDF in TLS 1.3 has been formally verified. The key schedule design prevents key reuse across derivation stages, eliminating entire classes of attacks.

3. 0-RTT Resumption

Theory: How It Works

0-RTT allows returning clients to send encrypted data in the first message, before the handshake completes.

How It Works:

  1. First connection: Normal 1-RTT, server issues session ticket
  2. Subsequent: Client sends ticket + early data in first message
  3. Server decrypts early data using PSK from ticket

Practical: Real-World Implementation

Enable 0-RTT (Nginx):

ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;

Reality: Security Risks

RiskImpactMitigation
Replay AttackAttacker replays 0-RTT dataOnly send idempotent requests (GET)
No Forward SecrecyEarly data encrypted with PSK onlyUse single-use session tickets
Double SubmitNon-idempotent action runs twiceServer-side replay detection

4. Removed Legacy Features

TLS 1.3 removes all weak and problematic features from previous versions:

Removed FeatureWhy Removed
RSA Key ExchangeNo forward secrecy; key compromise decrypts all past traffic
CBC Cipher SuitesPadding oracle attacks (POODLE, Lucky13, BEAST)
RC4Cryptographically broken, with biases in keystream
3DES64-bit block vulnerable to Sweet32 birthday attack
MD5/SHA-1 signaturesCollision attacks (SHAttered)
CompressionCRIME/BREACH attacks leak secrets
RenegotiationComplex, enabled various attacks
Static DH/ECDHNo forward secrecy
Custom DH groupsWeak groups (Logjam attack)

By removing these features, TLS 1.3 eliminates entire attack categories. There are no known practical attacks against properly implemented TLS 1.3.

5. TLS 1.3 Cipher Suites

TLS 1.3 has only 5 cipher suites, all AEAD, all secure. No configuration mistakes possible.

Cipher SuiteRecommendation
TLS_AES_256_GCM_SHA384RECOMMENDED, highest security
TLS_AES_128_GCM_SHA256RECOMMENDED, good balance
TLS_CHACHA20_POLY1305_SHA256RECOMMENDED, fast on mobile
TLS_AES_128_CCM_SHA256OK, constrained IoT devices
TLS_AES_128_CCM_8_SHA256OK, very constrained devices

Key exchange (ECDHE) and authentication (RSA/ECDSA) are negotiated separately via extensions, not in the cipher suite name. All TLS 1.3 cipher suites are secure, so you cannot make a bad choice.

6. Encrypted Client Hello (ECH)

Theory: How It Works

ECH encrypts the entire Client Hello, including SNI (Server Name Indication). This hides which website you’re connecting to from network observers.

Privacy Comparison:

MetadataTLS 1.3 (no ECH)TLS 1.3 + ECH
Server IPVisibleVisible
SNI (domain name)Visible in Client HelloENCRYPTED
CertificateEncryptedEncrypted
Application DataEncryptedEncrypted

Practical: Real-World Implementation

# Check if server supports ECH
dig +short TYPE65 _https.example.com  # Look for 'ech=' parameter

# Enable ECH in Firefox (about:config)
# network.dns.echconfig.enabled = true

Reality: ECH Adoption 2026

PlatformECH Status
CloudflareECH enabled by default for all sites
ChromeECH supported since 2023
FirefoxECH enabled by default

ECH requires DNS-over-HTTPS (DoH) for full privacy.

7. Post-Quantum Key Exchange

Theory: How It Works

TLS 1.3 now supports hybrid post-quantum key exchange. The client and server perform both X25519 (classical) and ML-KEM (post-quantum) key exchanges, combining the results. This provides security against both classical and quantum attackers.

# Check for hybrid PQ key exchange in connection
openssl s_client -connect cloudflare.com:443 2>&1 | grep 'Server Temp Key'
# Look for: X25519MLKEM768 or X25519Kyber768

8. Wireshark Packet Analysis

TLS 1.3 with Self-Signed Certificate

  • Wireshark Filter: tls.handshake.type == 1 || tls.handshake.type == 2 || tls.record.content_type == 23
  • Visible Packets: Client Hello, Server Hello, Application Data…
  • Certificate Details: NOT VISIBLE. Certificate is encrypted inside Application Data packets
  • Browser Behavior: Security warning shown (self-signed) but attacker cannot see which site

Key Observations:

  • No Certificate packet visible after Server Hello
  • Only “Application Data” packets (encrypted content)
  • Expand Client Hello to see supported_versions with TLS 1.3 (0x0304)
  • Passive observer cannot determine server identity from certificate

TLS 1.3 with CA-Issued Certificate

  • Visible Packets: Client Hello, Server Hello, Application Data (encrypted)
  • Certificate Details: NOT VISIBLE. Only SNI (server_name) in Client Hello reveals destination
  • Browser Behavior: Padlock icon shown, fully trusted and private connection

9. Technical Comparison Matrix

ScenarioCert Visible?Trusted?SpeedSecurity
TLS 1.2 + Self-SignedYesNoMediumModerate
TLS 1.2 + CA CertYesYesMediumHigh
TLS 1.3 + Self-SignedNoNoFastHigh*
TLS 1.3 + CA CertNoYesFastestHIGHEST

*High encryption but no trust verification without CA certificate

Key Takeaways

  • 1-RTT handshake (0-RTT for resumption), 50% faster
  • Forward secrecy is mandatory, always ECDHE
  • Certificate is encrypted, improving privacy
  • Only 5 AEAD cipher suites with no weak options
  • HKDF key derivation: cleaner and formally verified
  • 0-RTT has replay risk, so use it carefully
  • ECH hides SNI for complete privacy
  • Hybrid PQ (X25519 + ML-KEM) for quantum resistance
  • TLS 1.3 + CA certificate = HIGHEST security

Previous: Article 2: TLS 1.2 Deep Dive

Next: Article 4: TLS Attacks & Vulnerabilities

This is part of our 6-article series on Understanding TLS Security.

Related reading:

Not sure if your TLS 1.3 migration is complete? We validate TLS configuration during our Web Application Pentest and IoT Pentest engagements. Get a free security snapshot to check what’s exposed, or view pricing.

Frequently Asked Questions

Does TLS 1.3 use HKDF?

Yes. TLS 1.3 uses HKDF (HMAC-based Key Derivation Function, RFC 5869) as its sole key derivation mechanism, replacing the PRF used in TLS 1.2. HKDF is used in two stages: HKDF-Extract pulls entropy from the shared secret, and HKDF-Expand derives the application traffic keys, finished MAC keys, and exporter keys. The TLS 1.3 key schedule uses three derivation stages (Early Secret, Handshake Secret, Master Secret) that prevent key reuse across stages, eliminating entire classes of attacks. HKDF in TLS 1.3 has been formally verified, which is one reason the protocol is considered structurally stronger than TLS 1.2 even before accounting for removed legacy features.

What replaced PRF in TLS 1.3?

TLS 1.3 replaced the TLS 1.2 PRF (Pseudo-Random Function) with HKDF (HMAC-based Key Derivation Function). HKDF provides stronger security guarantees and is built on standard HMAC primitives, making formal analysis easier. The PRF in TLS 1.2 mixed a single secret across multiple key derivation outputs and lacked the clean cryptographic separation HKDF provides. HKDF in TLS 1.3 uses a three-stage key schedule with explicit derivation labels (HKDF-Extract for entropy combination, HKDF-Expand for key material generation, Derive-Secret as the TLS 1.3 wrapper that includes the transcript hash). The replacement is one of the structural reasons TLS 1.3 has no known practical attacks against properly implemented deployments.

Is the TLS 1.3 handshake 1-RTT?

Yes. TLS 1.3 uses 1-RTT for new connections by sending the client key share speculatively in the first message. The client guesses the server's preferred ECDHE group, ships its public key in Client Hello, and the server responds with its own key share in Server Hello, completing the key agreement in one round trip. Resumed sessions can use 0-RTT, where the client sends encrypted application data in the very first message based on a previously established session ticket. 0-RTT carries replay risk and should be restricted to idempotent requests (GET, not POST). The 1-RTT default is approximately 50 percent faster than the 2-RTT TLS 1.2 handshake.

What was removed from TLS 1.3 compared to TLS 1.2?

TLS 1.3 removed every weak and problematic feature accumulated over TLS 1.0, 1.1, and 1.2. Specifically: RSA key exchange (no forward secrecy; key compromise decrypts all past traffic), CBC cipher suites (vulnerable to POODLE, Lucky13, BEAST padding-oracle attacks), RC4 stream cipher (keystream biases), 3DES (Sweet32 birthday attack on 64-bit blocks), MD5 and SHA-1 signatures (SHAttered collision), compression (CRIME and BREACH attacks leak secrets), renegotiation (complex and enabled various attacks), static DH and ECDH (no forward secrecy), and custom DH groups (Logjam attack on weak groups). By removing these features, TLS 1.3 eliminates entire attack categories. There are no known practical attacks against properly implemented TLS 1.3 as of 2026.

Is forward secrecy mandatory in TLS 1.3?

Yes. Forward secrecy is mandatory in TLS 1.3 and always achieved via ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) key exchange. Static RSA key exchange, which had been the primary failure mode for forward secrecy in TLS 1.2, is removed entirely. The practical implication: even if the server's long-term private key is compromised in the future, an attacker who recorded encrypted traffic today cannot decrypt it. This eliminates the harvest-now-decrypt-later threat for classical adversaries. For quantum-capable adversaries, hybrid post-quantum key exchange (X25519MLKEM768 or X25519Kyber768) extends the same forward-secrecy property against future quantum attackers and is already deployed at Cloudflare and Google scale.

What is Encrypted Client Hello (ECH) and why does it matter?

Encrypted Client Hello (ECH) encrypts the entire Client Hello message, including the SNI (Server Name Indication) field that previously leaked the destination hostname even on TLS 1.3. Without ECH, a passive network observer can see the server IP and the SNI hostname, learning which website you are visiting even though the certificate and application data are encrypted. With ECH plus DNS-over-HTTPS (DoH), the observer sees only an opaque server IP. Cloudflare enables ECH by default for all sites. Chrome has supported ECH since 2023. Firefox enables it by default. For SaaS startups concerned about network-level traffic analysis or geographic censorship of users, ECH is the most impactful privacy upgrade on top of TLS 1.3.

Is 0-RTT in TLS 1.3 safe to use?

Conditionally safe. 0-RTT lets a returning client send encrypted application data in the very first message based on a previously established session ticket, saving one round trip. The trade-off is replay risk: an attacker who captures the 0-RTT data can replay it, causing the server to execute the same request again. The mitigation is to restrict 0-RTT to idempotent requests (GET requests that have no side effects). Never use 0-RTT for POST, payment processing, state-changing API calls, or anything where running twice causes harm. Additionally, use single-use session tickets and server-side replay detection. Most production deployments either disable 0-RTT entirely or restrict it to a curated allow-list of idempotent paths.

How many cipher suites does TLS 1.3 have?

Only 5, all AEAD (Authenticated Encryption with Associated Data), all secure: TLS_AES_256_GCM_SHA384 (highest security), TLS_AES_128_GCM_SHA256 (good balance), TLS_CHACHA20_POLY1305_SHA256 (fast on mobile without AES hardware), TLS_AES_128_CCM_SHA256 (constrained IoT), and TLS_AES_128_CCM_8_SHA256 (very constrained devices). No weak options are possible. Key exchange (ECDHE) and authentication (RSA, ECDSA) are negotiated separately via extensions, not embedded in the cipher suite name as they were in TLS 1.2. This is a dramatic reduction from the 37+ cipher suites of TLS 1.2, many of which were weak. The design intent: you cannot make a bad cipher choice in TLS 1.3.

What is hybrid post-quantum key exchange in TLS 1.3?

Hybrid post-quantum key exchange combines classical X25519 (elliptic-curve Diffie-Hellman) with ML-KEM (Module-Lattice Key Encapsulation Mechanism, formerly known as Kyber and standardized as NIST FIPS 203). The combined construction is named X25519MLKEM768 or X25519Kyber768 in TLS implementations. The hybrid provides security against both classical attackers (via X25519) and future quantum attackers (via ML-KEM). Cloudflare and Google have already deployed hybrid post-quantum key exchange to production at scale. For SaaS startups, the practical step is to ensure your TLS termination layer (Cloudflare, AWS ALB, Nginx with OpenSSL 3.5+) supports the hybrid suites and to enable them, especially for long-lived sensitive data where harvest-now-decrypt-later is a realistic threat.

Should I disable TLS 1.2 and only allow TLS 1.3?

Mostly yes, with one caveat. As of 2026, all modern browsers (Chrome 70+, Firefox 63+, Safari 12.1+, Edge 79+) support TLS 1.3. Legacy clients (old Android, very old corporate Windows, embedded devices) may still require TLS 1.2. For consumer SaaS targeting modern web users, TLS 1.3-only is safe and reduces attack surface. For B2B SaaS with enterprise customers who may run older corporate proxies or middleboxes that interfere with TLS 1.3, keep TLS 1.2 enabled with hardened cipher suites (ECDHE + AEAD only, no CBC, no RC4, no 3DES). For IoT and embedded devices, TLS 1.2 is often still required. Cybersecify validates TLS 1.3 enforcement and cipher hygiene during [Web Application Pentest](/services/web-application-pentest/) and [IoT Pentest](/services/iot-pentest/) engagements.

Got a question or counter-take?

Email contact@cybersecify.com, WhatsApp +91 9986 998 333, or DM Rathnakara GN on LinkedIn.

Share this article
TLSTLS 1.3ECHpost-quantumHKDF0-RTTforward secrecyAEAD