On post-handshake authentication and external PSKs in TLS 1.3

The TLS protocol is the main cryptographic protocol of the Internet. The work on its current version, TLS 1.3, was completed in 2018. This version differs significantly from the previous ones and has a clean-state design taking into account all modern principles of constructing secure cryptographic protocols. At the same time, even when there are security proofs in some fairly strong security model, it is important to explore the possibility of extending this model and then clarifying the security limits of the protocol. This work considers the restriction on the usage of post-handshake authentication in connections established with external PSK. We show that some vulnerability appears in the case of psk_ke mode (PSK-only key establishment) if more than one pair of entities can possess the same PSK. We provide several practical scenarios where this condition can be easily achieved. Also we propose appropriate mitigation to prevent this vulnerability.