A couple pointers for getting started: 1. Check out Dowling et al.'s recent analysis. Published a month or so ago, it's the most recent proof of security of the full handshake (also includes PSK modes): https://eprint.iacr.org/2020/1044 2. Check out Paterson and van der Merwe's survey of the body of papers that helped to shape TLS 1.3. It also overviews the myriad attacks against TLS 1.2 and below that catalyzed a more proactive design approach for 1.3: https://link.springer.com/chapter/10.1007/978-3-319-49100-4_7
If you're unable to download the second (2.), the same paper appears in a slightly different form in van der Merwe's PhD thesis. No analysis is perfect, but so far, 1.3 appears to be far superior to 1.0-1.2. Best, Chris P.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
