Topic: Tls 1.3 PSK with ECDH

Hello! This is my first topic here and I am new to Tls. I am trying to make sure I understand the implications of what I have built.

I am working on a project where I have established a secure client-server connection using PSK. I am using this method because I do not have the infrastructure to store security certificates but I do have an authenticated service which can provide a PSK to Clients and Servers, before the Clients initiate connections to Servers.

I have been reading a lot online about Tls 1.3 and how it supports three basic key exchange modes:
-PSK only

Is this true? My understanding was that PSK only suffers from lack of forward secrecy - if no ephemeral shared key is generated, there is a vulnerability if the PSK is leaked. I thought that Tls 1.3 guarantees forward secrecy. I want to make sure my connections encrypt application data with ephemeral keys.

As explained in the documentation, I am building with --enable-psk and using:
wolfSSL_CTX_set_psk_client_callback() // Client

wolfSSL_CTX_set_psk_server_callback() // Server
wolfSSL_CTX_use_psk_identity_hint() // Server

The connection establishes fine and I see the chosen cipher to be TLS13-AES128-GCM-SHA256. I believe I am seeing the key exchange occur (I see 1RTT before handshake complete), but I'm wondering how I can know for sure


Re: Tls 1.3 PSK with ECDH

Hello Mike,

Yes, your understanding of PSK is correct.  I would recommend using PSK with ECDHE for this reason, if feasible.  TLS 1.3 does generally offer forward secrecy, but there are cases where you would want to use PSK only, so it is still offered despite not offering forward secrecy.

You can turn on debug logging in wolfSSL to confirm the key exchange and connection are being completed as expected by building wolfSSL with --enable-debug.  You could also capture a packet dump and open it with Wireshark to confirm everything being sent and received matches your expectations.

You may find our PSK examples and documentation here helpful: … master/psk