This article includes a list of references, related reading or external links, but its sources remain unclear because it lacks inline citations. (September 2015) (Learn how and when to remove this template message)
Transport Layer Security pre-shared key ciphersuites (TLS-PSK) is a set of cryptographic protocols that provide secure communication based on pre-shared keys (PSKs). These pre-shared keys are symmetric keys shared in advance among the communicating parties.
There are several cipher suites: The first set of ciphersuites use only symmetric key operations for authentication. The second set use a Diffie-Hellman key exchange authenticated with a pre-shared key. The third set combine public key authentication of the server with pre-shared key authentication of the client.
Usually, Transport Layer Security (TLS) uses public key certificates or Kerberos for authentication. TLS-PSK uses symmetric keys, shared in advance among the communicating parties, to establish a TLS connection. There are several reasons to use PSKs:
- Using pre-shared keys can, depending on the ciphersuite, avoid the need for public key operations. This is useful if TLS is used in performance-constrained environments with limited CPU power.
- Pre-shared keys may be more convenient from a key management point of view. For instance, in closed environments where the connections are mostly configured manually in advance, it may be easier to configure a PSK than to use certificates. Another case is when the parties already have a mechanism for setting up a shared secret key, and that mechanism could be used to “bootstrap” a key for authenticating a TLS connection.
- RFC 4279: "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)".
- RFC 4785: "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)".
- RFC 5487: "Pre-Shared Key Cipher Suites for TLS with SHA-256/384 and AES Galois Counter Mode".
- RFC 5489: "ECDHE_PSK Cipher Suites for Transport Layer Security (TLS)".
- Transport layer security Secure Remote Password (TLS-SRP)
- AES Galois Counter Mode (GCM)
- Elliptic curve Diffie–Hellman (ECDHE)
- Null encryption