Transport Layer Security (TLS)

Let's look into the Transport Layer Security (TLS) protocol.

The Transport Layer Security (TLS) protocol is a cryptographic protocol designed to provide secure communication over an insecure network.

It can provide confidentiality, authentication, and integrity.

It typically runs above a reliable transport layer protocol, such as TCP.

Note: Equivalent protocols exist for unreliable transport layer protocols; for example, DTLS can work on top of UDP.

The sides participating in the communication are typically the client and the server, where the client is responsible for initiating the TLS connection.

Parts of the TLS protocol

The TLS protocol has two main parts.

In the handshake part, the two sides negotiate the parameters to establish a connection.

In the data exchange part, the two sides can exchange data securely.

Modes of operation in TLS

TLS has different modes of operation depending on whether authentication needs to be performed and whether one or both sides need to be authenticated.

Note: When both sides are authenticated, this is commonly known as mutual TLS.

As a result, the workflow of the protocol will differ slightly. Here we will study the most common case, where only the server is authenticated. The following steps show the workflow in this case.

  • The client sends a ClientHello message to initiate a TLS connection. This message contains a list of cipher suites supported by the client along with a client random number (nonce).

  • The server responds with a ServerHello message that contains a server random number (nonce) and the selected cipher suite. This cipher suite will contain a symmetric encryption algorithm (e.g., AES), a key exchange algorithm (e.g., RSA), and a MAC algorithm (e.g., HMAC).

  • The server will also send a ServerKeyExchange (this message is sent only for specific cipher suites), a Certificate message that contains the server’s public key in a certificate, and a ServerHelloDone message that indicates it is done with handshake negotiation.

  • The client will then verify the server’s certificate, extract its public key, generate a preliminary key, encrypt it with the server’s public key, and send it across through a ClientKeyExchange message.

  • At this point, the client and the server use the random numbers (nonces) that were exchanged previously along with the preliminary key to compute a common secret through a key derivation function. This is subsequently used to generate all other key data (e.g., encryption keys, initialization vectors, etc.).

  • The client will then send a ChangeCipherSpec message that indicates everything will be encrypted from now on. This message is followed by an encrypted Finished message containing a hash and a MAC over all the previously exchanged handshake messages. The server will do the same thing in the other direction. This exchange of messages ensures no man-in-the-middle could tamper with previous messages to degrade security, e.g. by modifying the list of supported cipher suites.

  • At this point, the handshake is complete and the two sides will exchange Application messages that will be authenticated and encrypted.
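The key derivation and Finished check from the steps above, as an added example that is not part of the original page. It assumes the TLS 1.2 PRF from RFC 5246 with SHA-256 and key sizes for AES-128 with HMAC-SHA256; the function names are illustrative, and the random values and message bodies are constructed stand-ins.

```python
import hashlib
import hmac


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Common secret derived from the preliminary key and both nonces."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Expand the common secret into per-direction MAC and encryption keys."""
    block = prf(master, b"key expansion", server_random + client_random, 96)
    return {"client_mac": block[:32], "server_mac": block[32:64],
            "client_enc": block[64:80], "server_enc": block[80:96]}


def finished(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """verify_data carried in Finished: PRF over the hash of the handshake transcript."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


# Constructed sample values (not a real capture); message bodies are simplified stand-ins.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(46)
CLIENT_HELLO = b"ClientHello suites=AES256-SHA256,AES128-SHA256"
MODIFIED_HELLO = b"ClientHello suites=AES128-SHA256"  # suite list altered in transit
REST = b"ServerHello|Certificate|ServerHelloDone|ClientKeyExchange"


def downgrade_detected() -> bool:
    """The two sides hashed different transcripts, so the Finished comparison fails."""
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    sent = finished(ms, b"client finished", CLIENT_HELLO + REST)        # client's view
    expected = finished(ms, b"client finished", MODIFIED_HELLO + REST)  # server's view
    return not hmac.compare_digest(sent, expected)
```

Because the Finished value depends on every handshake byte, a change to the cipher suite list makes the receiver's recomputed value differ from the one it was sent, and the handshake is aborted.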

Uses of the TLS protocol

One of the most common uses of TLS is in the HTTPS protocol, which is an extension of the HTTP protocol where data is exchanged securely between the server and the client over TLS. TLS can be used to encrypt communications for any application, including email, file transfer, and voice over IP.
