There are many benefits in changing to the newest version of the TLS specification.
One significant difference you will notice is the reduced number of round-trips when performing a full handshake. Older versions of the TLS protocol require two complete round-trips before the client sends the application data. With TLS v1.3, only one round-trip is required! Additionally, the server can send application data in response to the client’s first handshake message! This means network latency has less impact on the time required to establish a secure connection.
Another difference is the way session resumption works in TLS v1.3. Previous versions of TLS have the client send a session ID, which the server has to look up in its cache. If there was a match, then they used the same security parameters. This old way of doing things was a very simplistic mechanism that requires sharing of state on servers.
TLS v1.3 makes a significant improvement by re-purposing the ticketing system tacked onto older versions of TLS. The server sends the client a new session ticket after the handshake is complete. This ticket, a blob of data to the client, can be a database lookup key like the old session ID. Alternatively, it can be a self-encrypted and self-authenticated value that contains the data for the previous connection. This means the server can be stateless!
Finally, the specification has been evaluated by cryptographic experts in efforts to prove the security of the protocol. While no security proof is perfect, the previous attacks on renegotiation, protocol version downgrading, compression, CBC and padding have been mitigated and the protocol is more resistant to attack.
Differences Between TLS 1.2 and TLS 1.3
TLS 1.3 was defined in RFC 8446 in August 2018. TLS 1.3 contains improved security and speed. Major differences include the following:
- The list of supported symmetric algorithms has been pruned of all legacy algorithms. The remaining algorithms all use Authenticated Encryption with Associated Data (AEAD) algorithms.
- A zero-RTT (0-RTT) mode was added, saving a round-trip at connection setup for some application data at the cost of certain security properties.
- Static RSA and Diffie-Hellman cipher suites have been removed.
- All handshake messages after the ServerHello are now encrypted.
- Key derivation functions have been re-designed, with the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) being used as a primitive.
- The handshake state machine has been restructured to be more consistent and remove superfluous messages for greater efficiency.
- ECC is now in the base spec and includes new signature algorithms. Point format negotiation has been removed in favor of single point format for each curve.
- Compression, custom DHE groups, and DSA have been removed, RSA padding now uses PSS.
- The TLS 1.2 version negotiation verification mechanism was deprecated in favor of a version list in an extension.
- Session resumption with and without server-side state and the PSK-based cipher suites of earlier versions of TLS have been replaced by a single new PSK exchange.