Selfie: reflections on TLS 1.3 with PSK
Journal of Cryptology (IF 3), Pub Date: 2021-05-25, DOI: 10.1007/s00145-021-09387-y
Nir Drucker, Shay Gueron

TLS 1.3 allows two parties to establish a shared session key from an out-of-band agreed pre-shared key (PSK). The PSK is used to mutually authenticate the parties, under the assumption that it is not shared with others. This allows the parties to skip the certificate verification steps, saving bandwidth, communication rounds, and latency. In this paper, we identify a vulnerability in this specific TLS 1.3 option by showing a new “reflection attack” that we call “Selfie.” This attack uses the fact that TLS does not mandate explicit authentication of the server and the client, and leverages it to break the protocol’s mutual authentication property. We explain the root cause of this TLS 1.3 vulnerability, provide a fully detailed demonstration of a Selfie attack using the TLS implementation of OpenSSL, and propose mitigation. The Selfie attack is the first attack on TLS 1.3 after its official release in 2018. It is surprising because it uncovers an interesting gap in the existing TLS 1.3 models that the security proofs rely on. We explain the gap in these model assumptions and show how it affects the proofs in this case.




Updated: 2021-05-26