Should a certificate message of a server be encypted in TLS 1.3?

LUN

5/9/24, 6:50 PM

Section 2 of RFC 8446 says about the phase "Key Exchange": … Everything after this phase is encrypted.

The "Certificate" message is sent after "Key exchange" as the scheme in that section shows. So it seems to be encrypted.

I am confused that I haven't found a mention of certificate encrypting in the "Certificate" section 4.4.2.

Could you explain to me - Should the certificate be encrypted and (if it should) which cipher must be used -

the cipher in ciphersuite which server had sent to the client as agreed ciphersuite or
any other?

1 + 0

Score:2

Crypto

poncho

5/9/24, 7:45 PM

The "Certificate" message is sent after "Key exchange" as the scheme in that section shows. So it seems to be encrypted.

It is.

I am confused that I haven't found a mention on certificate encrypting in the "Certificate" section 4.4.2.

Well, it's after the key exchange, and so of course it's encrypted; it was assumed that when they said 'everything after the key exchange is encrypted', that was implied.

Could you explain me ... which cipher must be used - (1) the cipher in ciphersuite which server had sent to the client as agreed ciphersuite

The ciphersuite that was negotiated (and using the keys that were derived from the key exchange).

Background: a major goal of TLS 1.3 was anonymity; that is, to leak as little about the communicating parties as possible. Now, the identity of the server is in the certificate, and so of course it is encrypted.

+ 4

Maarten Bodewes

5/9/24, 8:58 PM

Quite often the identity of the server is of course not that important; an adversary can tell by looking at the IP that I am talking to amazon.com or not. However, if you connect to a embedded device in your home and an attacker can find out the firmware from the included certificate then that would be important information.

LUN

5/9/24, 9:05 PM

@poncho, as I know, there are two keys (secrets) - for handshake and for application data. So, which key server should use to encrypt the certificate ? Is it the handshake key ?

honzaik

5/10/24, 7:36 AM

@LUN see https://www.rfc-editor.org/rfc/rfc8446#section-4.4 and https://www.rfc-editor.org/rfc/rfc8446#section-7.1 Unless I am reading it wrong, the server encrypts the Certificate using "server_handshake_traffic_secret"

poncho

5/10/24, 3:03 PM

@LUN: Figure 1 of RFC 8446 clearly shows that it is the handshake key

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Should a certificate message of a server be encypted in TLS 1.3?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.