The Extended Key Update extension for (D)TLS 1.3 is a draft proposal for a new key update mechanism. (D)TLS 1.3 lacks perfect forward secrecy (PFS) for long-lived sessions, leaving them vulnerable to key exfiltration attacks. The proposed Extended Key Update mechanism addresses this by incorporating minimal key exchanges during key updates. This safeguards connections by ensuring that even if session keys are compromised, past and future communications remain confidential.
This extension is ideal for environments where long uninterrupted secure connections are critical. By introducing PFS into key updates without requiring establishing new connections, it enhances security while maintaining availability. Its design also supports hybrid key exchanges, ensuring post-quantum readiness with a fallback to classical cryptography.
wolfSSL strives to provide the best security, and that is why we monitor new developments closely. If this extension is a feature you would be interested in, please write to us at facts@wolfSSL.com or call us at +1 425 245 8247.
Download wolfSSL Now