RFC 8446 Quiz

TLS 1.3 security properties

Goal: understand what TLS 1.3 guarantees and what it explicitly does not guarantee.

Q1: Which key exchange property is a baseline design goal in TLS 1.3?

Multiple Choice
**Explanation:** **Terms:** forward secrecy, ephemeral key exchange. Forward secrecy means that a later compromise of a party's long-term keys (for example the server's certificate private key) does not allow decryption of previously recorded sessions. **Correct (C):** TLS 1.3 removed static RSA and static DH key exchange; every public-key key exchange it retains is ephemeral (EC)DHE, so full handshakes are forward secret by construction. Resumption with a PSK alone (psk_ke) is the exception: it provides no forward secrecy, which is why servers should prefer psk_dhe_ke, where an (EC)DHE exchange runs alongside the PSK. **Options:** - A (incorrect): Static RSA key exchange is removed in TLS 1.3. - B (incorrect): TLS exists to protect confidentiality and integrity; sending application data in plaintext is contrary to its purpose. - C (correct): Forward secrecy is a core property. **Related:** Forward secrecy matters most against an adversary who records encrypted traffic now and hopes to obtain a long-term key later.

Q2: What is the primary security risk of 0-RTT early data?

Multiple Choice
**Explanation:** **Terms:** 0-RTT, early data, replay. 0-RTT lets a client that holds a PSK from an earlier session send application data in its first flight, before the handshake completes, which changes the threat assumptions. **Correct (A):** RFC 8446 is explicit that early data is not forward secret (it is protected only by keys derived from the PSK) and that TLS gives no guarantee against replay between connections: an attacker can record the ClientHello plus early data and deliver it again, possibly to another server that shares the ticket key. The server must therefore either refuse early data or pair it with an anti-replay mechanism such as single-use tickets or recording ClientHellos within a freshness window (RFC 8446 section 8), together with an application-level rule on what early data may do. **Options:** - A (correct): Replay is the main risk. - B (incorrect): Certificate expiration is unrelated to 0-RTT. - C (incorrect): This is backwards. 0-RTT data has weaker properties than 1-RTT data, not stronger. **Related:** A common policy is to accept 0-RTT only for idempotent operations, and to let the application distinguish early data from data sent after the handshake completes.
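The server-side policy described above, as an added example that is not part of the quiz or of any TLS library: a small acceptance gate that combines the three defences RFC 8446 section 8 discusses (idempotent requests only, a freshness window on the reported ticket age, and recording ClientHellos seen within that window). The ticket issue time, ticket_age_add value, ClientHello bytes and 10-second window are constructed for the example; a real server keeps the issue time and ticket_age_add inside the encrypted ticket.

```python
import hashlib

# Request methods whose repetition is harmless enough to serve from early data.
# Assumed policy for this example; real deployments decide per route.
IDEMPOTENT_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class EarlyDataGate:
    """Server-side 0-RTT acceptance policy.

    Only idempotent requests may ride in early data, the ticket age the
    client reports must fall inside a freshness window (RFC 8446 8.3), and
    ClientHellos accepted within that window are recorded so an identical
    one is refused (RFC 8446 8.2)."""

    def __init__(self, freshness_window_ms=10_000):
        self.window_ms = freshness_window_ms
        # sha256(ClientHello) -> time (ms) after which the entry can be dropped
        self._seen = {}

    def _forget_expired(self, now_ms):
        for digest, keep_until in list(self._seen.items()):
            if keep_until <= now_ms:
                del self._seen[digest]

    def decide(self, method, client_hello, ticket_issued_ms, ticket_age_add,
               obfuscated_ticket_age, now_ms):
        """Return (accept, reason). Rejecting means the server completes a
        normal 1-RTT handshake, not that the connection fails."""
        if method not in IDEMPOTENT_METHODS:
            return False, "non-idempotent request: fall back to 1-RTT"

        # RFC 8446 4.2.11.1: obfuscated_ticket_age = ticket_age + ticket_age_add mod 2^32
        ticket_age = (obfuscated_ticket_age - ticket_age_add) % 2**32
        expected_arrival_ms = ticket_issued_ms + ticket_age
        if abs(now_ms - expected_arrival_ms) > self.window_ms:
            return False, "ticket age outside freshness window"

        self._forget_expired(now_ms)
        digest = hashlib.sha256(client_hello).digest()
        if digest in self._seen:
            return False, "ClientHello already seen in window: replay"
        # A replay can only pass the freshness check until expected + window,
        # so the record need not live longer than that.
        self._seen[digest] = expected_arrival_ms + self.window_ms
        return True, "early data accepted"


# Constructed values, not captured traffic.
TICKET_ISSUED_MS = 1_700_000_000_000
TICKET_AGE_ADD = 0x9AB2D1F3                  # random per ticket on a real server
CLIENT_HELLO = b"\x01\x00\x00\xc0\x03\x03" + b"\xaa" * 32  # stand-in bytes


def client_obfuscated_age(age_ms):
    """What the client puts in its pre_shared_key extension."""
    return (age_ms + TICKET_AGE_ADD) % 2**32


def demo():
    gate = EarlyDataGate()
    age = client_obfuscated_age(2000)  # client resumes 2 s after ticket issue
    t = TICKET_ISSUED_MS
    return [
        # legitimate first use, arrives 50 ms after the client's clock says it should
        gate.decide("GET", CLIENT_HELLO, t, TICKET_AGE_ADD, age, t + 2050),
        # attacker replays the captured ClientHello + early data moments later
        gate.decide("GET", CLIENT_HELLO, t, TICKET_AGE_ADD, age, t + 2300),
        # the same replay much later is caught by the freshness window alone
        gate.decide("GET", CLIENT_HELLO, t, TICKET_AGE_ADD, age, t + 60_000),
        # a fresh, unique ClientHello carrying a POST is still refused
        gate.decide("POST", CLIENT_HELLO + b"\x01", t, TICKET_AGE_ADD,
                    client_obfuscated_age(100), t + 120),
    ]


if __name__ == "__main__":
    for accepted, reason in demo():
        print("accept" if accepted else "reject", "-", reason)
```

The freshness window bounds how long the ClientHello record must be kept, and the record is what catches a replay inside that window; neither check helps a POST, which is why the application-level rule comes first. Servers that share ticket keys across a fleet need the seen-set shared (or single-use tickets) for the replay check to hold across hosts.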

Q3: TLS 1.3 derives keys through which general construction?

Multiple Choice
**Explanation:** **Terms:** key schedule, HKDF. A key schedule defines how secrets and traffic keys evolve as the handshake progresses. **Correct (B):** TLS 1.3 derives everything from an HKDF-based schedule (RFC 8446 section 7.1): HKDF-Extract mixes in the PSK and the (EC)DHE shared secret to produce the Early, Handshake and Master Secrets, and HKDF-Expand-Label derives per-stage, per-direction traffic secrets from them, each bound to a label and to the hash of the handshake transcript so far. **Options:** - A (incorrect): Base64 is an encoding, not a key derivation method. - B (correct): HKDF is the key derivation function on which all TLS 1.3 secrets are built. - C (incorrect): TLS 1.3 rotates secrets as the handshake advances and uses separate keys for each direction. **Related:** Separating handshake from application traffic secrets, and client from server directions, limits the damage if any single key leaks, and the transcript binding means a tampered handshake yields different keys on the two sides.

Q4: After ServerHello, what happens to most handshake messages in TLS 1.3?

Multiple Choice
TLS 1.3 keeps the early handshake visible only until ServerHello establishes the next stage of secrets. After that point, most handshake messages are protected.
Diagram: ClientHello (plaintext) -> ServerHello (key share chosen, plaintext) -> handshake secrets derived -> handshake traffic keys active -> remaining handshake messages encrypted
**Explanation:** **Terms:** handshake traffic keys, encryption. TLS 1.3 encrypts far more of the handshake than earlier versions. **Correct (C):** Only ClientHello, ServerHello and, if one is sent, HelloRetryRequest travel in the clear. Once ServerHello has fixed the key share, both sides derive the handshake traffic secrets, and every later handshake message (EncryptedExtensions, CertificateRequest, Certificate, CertificateVerify, Finished) is encrypted under them. **Options:** - A (incorrect): TLS 1.3 intentionally reduces plaintext handshake exposure. - B (incorrect): TLS 1.3 has no compression at all; compression is not how handshake messages are protected. - C (correct): Handshake messages after ServerHello are encrypted. **Related:** Encrypting the handshake hides the server certificate and the negotiated extensions from a passive observer, which improves privacy and reduces the ossification pressure from middleboxes that inspect those fields; the ClientHello itself, including SNI, stays visible unless Encrypted Client Hello is used.

Q5: What does TLS provide to protect data in transit?

Multiple Choice
**Explanation:** **Terms:** confidentiality, integrity, replay. TLS protects a byte stream in transit against passive eavesdropping and active modification, and authenticates the server (and optionally the client). **Correct (A):** TLS provides encryption and message authentication (in TLS 1.3 always through an AEAD cipher) so that data can be neither read nor silently altered on the wire. **Options:** - A (correct): These are the baseline protections. - B (incorrect): TLS does not decide application authorization logic; knowing who the peer is says nothing about what they may do. - C (incorrect): Replay protection is not unconditional: 1-RTT records are protected by per-record sequence numbers, but 0-RTT early data can be replayed and applications must address that. **Related:** Server authentication is typically provided by certificates, but which names and issuers to trust remains an application and policy concern; TLS also does not hide which endpoints are communicating, nor message lengths and timing beyond the optional record padding.

Q6: Name a common ephemeral key exchange used for forward secrecy in TLS 1.3

Short Text
**Explanation:** **Terms:** DHE, ECDHE, forward secrecy. These are Diffie-Hellman based ephemeral key exchanges. **Correct:** DHE or ECDHE. Both represent ephemeral DH variants used for forward secrecy. **Why others are wrong:** Static RSA key exchange is removed in TLS 1.3. PSK is different: it can resume sessions, but forward secrecy depends on additional mechanisms. **Related:** The key exchange choice impacts performance and cryptographic agility.