Why did TLS 1.3 remove RSA key exchange?

4 minadvancedtls-1.3rsakey-exchangesecurity

Quick Answer

RSA key exchange doesn't provide forward secrecy — a single leaked server private key can decrypt every past session that used it. It also needs an extra round trip compared to ECDHE in practice, and has been linked to real-world attacks like ROBOT, which abused subtle timing differences in RSA decryption. TLS 1.3's designers decided to only keep key-exchange methods that are both faster and safer by default, so RSA key exchange was dropped entirely.

Detailed Answer

TLS 1.3 only allows (EC)DHE-family key exchange. RSA key exchange, which was still allowed as an option in TLS 1.2, was removed entirely. There were a few converging reasons:

  • No forward secrecy — as covered in the previous question, RSA key exchange reuses the server's long-term private key to protect every session's secret. One leaked key compromises every past session ever recorded.
  • History of real attacks — RSA key exchange has repeatedly been the target of practical attacks, such as ROBOT (Return Of Bleichenbacher's Oracle Threat), which exploited subtle timing and error-response differences during RSA decryption to gradually decrypt captured traffic.
  • It's not actually faster — RSA key exchange was sometimes assumed to be cheaper than ECDHE, but modern ECDHE implementations are fast enough that this is no longer a meaningful trade-off.
  • Fewer options means a smaller attack surface — TLS 1.2 let a server operator, sometimes accidentally, keep a weak configuration enabled. TLS 1.3 simplifies its options down to a small set that is secure by default, rather than secure only if configured carefully.

The result is a protocol where you cannot even configure the insecure option, because it no longer exists.