TLS 1.3 removes the use of non-ephemeral Diffie-Hellman, which is great! But it still allows PSK.

I'm not as familiar with PSK configuration but wouldn't that mean TLS 1.3 still is allowing the use of some form of non-ephemeral?

Or is there a specific purpose PSK has that I'm not thinking about?

schroeder

Related: https://stackoverflow.com/questions/58719595/how-to-do-tls-1-3-psk-using-openssl?rq=1. See the accepted answer and the comments following it. – mti2935 Aug 04 '21 at 19:57

3 Answers

4

is there a specific purpose PSK has that I'm not thinking about?

Session Resumption.

This allows a Client and Server to re-use Session Keys from a previous session in a new session. This spares the Client / Server from re-doing Asymmetric math and re-sending Certificates (although, see below regarding Asymmetric math).

In this use-case, the PSK is a session key derived from the older, previous session. This replaces the Session ID / Session Tickets based Session resumption that existed in TLS 1.2 and prior.

They called it PSK so as to also innately support deriving keys from other mechanisms. This will be rare, but it would allow something like an IKEv1-derived key and TLS-protected data. Or something.

I'm not as familiar with PSK configuration but wouldn't that mean TLS 1.3 still is allowing the use of some form of non-ephemeral?

Yes.

But, TLS 1.3 also allows the use of resuming an old key and still performing an additional Diffie-Hellman key exchange to "mix in" with the old key. This maintains forward secrecy such that a compromise of the old session keys does not compromise the new (resumed) session.

This does involve using Asymmetric math in the new Session, but it maintains forward secrecy between the two sessions.

jester
2

One purpose is to support session resumption. To quote RFC 8446,

Although TLS PSKs can be established out of band, PSKs can also be established in a previous connection and then used to establish a new connection ("session resumption" or "resuming" with a PSK).... In TLS 1.2 and below, this functionality was provided by "session IDs" and "session tickets" [RFC5077]. Both mechanisms are obsoleted in TLS 1.3.

gowenfawr
2

TLS 1.3 supports three basic key exchange modes:

  • ECDHE
  • PSK only
  • PSK with ECDHE

Authentication with external PSK is useful in some applications where there is no infrastructure to distribute, store and verify security certificates. External PSK is typically used in wireless systems and IoT applications. PSK is a useful part of TLS 1.3. The "PSK only" option does not provide Forward Security (FS). The "PSK with ECDHE" option provides PSK authentication together with ephemeral DH key agreement, and thereby benefits from FS.
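The first answer's point about "mixing in" a fresh (EC)DHE exchange with a resumption PSK, and the three key exchange modes listed in the answer above, both come down to one line of the TLS 1.3 key schedule (RFC 8446, section 7.1): the Handshake Secret is HKDF-Extract over the (EC)DHE shared secret, and in psk_ke mode that input is simply a string of zeros. The following is an added example written for this page, not code from any of the answers or from any TLS library. It reimplements the relevant part of the key schedule with hashlib/hmac and models an attacker who later learns the PSK (for example because the previous session's resumption secret was exposed) and has a recording of the handshake. The PSK, ticket nonce, (EC)DHE shared secret and transcript bytes are constructed placeholders, not real handshake data.

```python
"""TLS 1.3 key schedule excerpt (RFC 8446 section 7.1) showing why psk_ke
loses forward secrecy and psk_dhe_ke keeps it. Added illustration; all
inputs below are constructed test values, not captured handshakes."""
import hashlib
import hmac
from typing import Optional

HASH = hashlib.sha256          # hash of the negotiated suite, e.g. TLS_AES_128_GCM_SHA256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: HKDF-Expand over the serialized HkdfLabel struct
    (uint16 length, opaque label<7..255> = "tls13 " + Label, opaque context<0..255>)."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages) uses Transcript-Hash(Messages) as context."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def resumption_psk(resumption_master_secret: bytes, ticket_nonce: bytes) -> bytes:
    """The PSK behind a NewSessionTicket is derived from the previous session
    (RFC 8446 section 4.6.1): HKDF-Expand-Label(RMS, "resumption", ticket_nonce, Hash.length)."""
    return hkdf_expand_label(resumption_master_secret, b"resumption", ticket_nonce, HASH_LEN)


def handshake_secret(psk: bytes, ecdhe_shared: Optional[bytes]) -> bytes:
    """Early Secret = HKDF-Extract(0, PSK);
    Handshake Secret = HKDF-Extract(Derive-Secret(Early, "derived", ""), (EC)DHE).
    In psk_ke mode there is no key share, so the (EC)DHE input is the all-zero string."""
    zeros = bytes(HASH_LEN)
    early_secret = hkdf_extract(zeros, psk)
    derived = derive_secret(early_secret, b"derived", b"")
    return hkdf_extract(derived, ecdhe_shared if ecdhe_shared is not None else zeros)


def client_hs_traffic_secret(psk: bytes, ecdhe_shared: Optional[bytes], transcript: bytes) -> bytes:
    """client_handshake_traffic_secret = Derive-Secret(Handshake Secret, "c hs traffic", CH..SH)."""
    return derive_secret(handshake_secret(psk, ecdhe_shared), b"c hs traffic", transcript)


def psk_compromise_recovers_traffic_secret(mode: str, psk: bytes,
                                           ecdhe_shared: Optional[bytes],
                                           transcript: bytes) -> bool:
    """Model an attacker who recorded the handshake and later obtains the PSK.
    They know psk and transcript but never the (EC)DHE shared secret (only the
    public key shares in the transcript). Returns True if they can rederive
    the legitimate client's handshake traffic secret."""
    if mode == "psk_ke":
        real = client_hs_traffic_secret(psk, None, transcript)
    elif mode == "psk_dhe_ke":
        real = client_hs_traffic_secret(psk, ecdhe_shared, transcript)
    else:
        raise ValueError("unknown PskKeyExchangeMode: " + mode)
    # Without the DH secret the attacker can only use the psk_ke derivation.
    attacker_guess = client_hs_traffic_secret(psk, None, transcript)
    return hmac.compare_digest(real, attacker_guess)


if __name__ == "__main__":
    # Constructed values standing in for the previous session's resumption
    # master secret, the ticket nonce, a fresh X25519 shared secret and the
    # ClientHello..ServerHello transcript. None of these are real.
    rms = b"\x11" * HASH_LEN
    psk = resumption_psk(rms, b"\x00")
    dh_shared = bytes(range(32))
    transcript = b"ClientHello|ServerHello (constructed)"
    for mode in ("psk_ke", "psk_dhe_ke"):
        leaked = psk_compromise_recovers_traffic_secret(mode, psk, dh_shared, transcript)
        print(f"{mode:11s}: PSK compromise recovers traffic secret = {leaked}")
```

The output is True for psk_ke and False for psk_dhe_ke: with a resumption PSK alone, whoever holds the ticket key (or the old resumption master secret) can rederive every resumed session's keys from a packet capture, whereas mixing in the ephemeral shared secret makes the recording useless even after the PSK leaks. On the server side this is what the psk_key_exchange_modes negotiation decides, so a hardening check is to confirm the server only accepts psk_dhe_ke for resumption unless the deployment (for example an IoT device with no DH capability) explicitly needs psk_ke and accepts the loss of forward secrecy.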