Summarized: How does TLS work?
Overview of TLS
SSL stands for Secure Sockets Layer and TLS for Transport Layer Security. The overall goal of TLS is to protect the privacy and integrity of communications between two endpoints, typically a client and a server. This goal is achieved by encrypting the data exchanged between the two endpoints, using a combination of asymmetric and symmetric cryptography. For some reason people still say "SSL certificate" or "SSL encryption", but SSL was deprecated a long time ago and is no longer in use; you can find a very detailed history of SSL/TLS here. Many browsers also disabled support for TLS 1.0 and 1.1 last year, leaving only TLS 1.2 and TLS 1.3 enabled.
Cipher Suites (Summarized)
A cipher suite is a set of cryptographic algorithms used to establish a secure connection. (An encryption algorithm is a set of mathematical operations performed on data to make it appear random, in other words to mask the data.) Several cipher suites are in wide use, and an essential part of the TLS handshake is agreeing on which cipher suite will be used for that connection.
What makes up a cipher suite?
- Key Exchange Algorithm
- Authentication Algorithm
- Bulk Data Encryption
- Message Authentication Code (MAC) Algorithm
Example of a cipher suite name: ECDHE_RSA_AES-GCM_128_SHA256
This particular cipher suite uses ECDHE as its key exchange algorithm, RSA as its authentication algorithm, AES-GCM with a 128-bit key as its bulk data encryption algorithm and SHA256 as its Message Authentication Code (MAC) algorithm.
If you want to read more about cipher suites, here is the link on Stack Exchange.
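To make the four components concrete, here is a small classifier (an added example, not code from the original post) that splits a suite name in the post's format or the IANA `TLS_..._WITH_...` format into key exchange, authentication, bulk cipher and MAC, and reports whether the suite gives forward secrecy (the "PFS should be in play" point from the handshake section). The weak-algorithm list is an assumed review policy of this example, not a standard.

```python
# Cipher suite classifier. Added example for this post; the WEAK set is an
# assumed hardening policy, not something the post or a standard defines.

KEXAUTH = {"ECDHE", "DHE", "ECDH", "DH", "RSA", "ECDSA", "DSS", "PSK", "SRP", "ANON"}
PFS_KEX = {"ECDHE", "DHE"}                      # ephemeral key exchange => forward secrecy
WEAK = {"NULL", "RC4", "3DES", "DES", "RC2", "EXPORT", "MD5", "ANON"}
AEAD = {"GCM", "POLY1305", "CCM"}


def parse_cipher_suite(name):
    """Return kex/auth/bulk/mac plus pfs and tls13 flags for one suite name."""
    tokens = [t for t in name.upper().replace("-", "_").split("_") if t not in ("TLS", "WITH")]
    kexauth = []
    while tokens and tokens[0] in KEXAUTH:      # leading tokens name key exchange + auth
        kexauth.append(tokens.pop(0))
    if kexauth:
        kex, auth = kexauth[0], kexauth[-1]      # a lone "RSA" means RSA kex and RSA auth
        tls13, pfs = False, kex in PFS_KEX
    else:
        # TLS 1.3 suites name only the AEAD and hash; key exchange is always ephemeral (EC)DHE
        kex, auth, tls13, pfs = "(EC)DHE", "signature/PSK", True, True
    bulk, mac = "_".join(tokens[:-1]), tokens[-1]
    return {"name": name, "kex": kex, "auth": auth, "bulk": bulk, "mac": mac,
            "pfs": pfs, "tls13": tls13}


def audit_suite(name):
    """List the reasons a suite fails a simple hardening review (empty list = OK)."""
    info = parse_cipher_suite(name)
    tokens = set(info["bulk"].split("_")) | {info["mac"], info["kex"], info["auth"]}
    issues = [f"weak component {weak}" for weak in sorted(tokens & WEAK)]
    if not info["pfs"]:
        issues.append("no forward secrecy (static key exchange)")
    if not tokens & AEAD:
        issues.append("non-AEAD bulk cipher")
    return issues


if __name__ == "__main__":
    for suite in ("ECDHE_RSA_AES-GCM_128_SHA256",      # the post's example
                  "TLS_RSA_WITH_AES_256_CBC_SHA",      # RSA key transport, no PFS
                  "TLS_AES_128_GCM_SHA256"):           # TLS 1.3 suite
        print(parse_cipher_suite(suite), audit_suite(suite) or "OK")
```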
TLS Negotiation Process
TLS consists of two parts:
- TLS handshake layer (uses asymmetric encryption). Here TLS negotiates which cipher suite (the set of encryption algorithms) will be used, performs authentication (using a certificate specific to your domain name and organization), and carries out the key exchange (based on the public-private key pair from the certificate). The important thing to know is that the handshake is performed only once per connection, to establish a secure session between both ends.
- TLS record layer (uses symmetric encryption). It takes data from the user application, encrypts it, fragments it to an appropriate size (as determined by the cipher), and sends it to the network transport layer. In this way TLS establishes an encrypted bidirectional tunnel for arbitrary data to travel between the two endpoints (client and server).
TLS Handshake Process
- The client contacts the server indicating that it wants to establish an encrypted session. The client includes the cipher suites and SSL/TLS versions it is willing to use.
- The server responds with something like "Cool, I can use this TLS version and cipher suite! Here's my certificate, including my public key."
- The client verifies the validity of the certificate, extracts the public key, generates a new pre-master secret, encrypts it with that public key and sends it to the server.
- The server uses its private key to decrypt the pre-master secret.
- The server and client now use the pre-master secret to compute a shared session key, the "shared secret". If PFS is in play (and it should be), the session key is instead derived from a Diffie-Hellman key exchange, which creates a unique key for each secure session.
- The shared secret is used to encrypt and decrypt the data exchanged during that session.
- This encryption and decryption uses symmetric encryption, since both ends know and trust the key in use. The key is available only to the two validated endpoints and only for the duration of the conversation.
- Keep in mind that this is the basic process for TLS 1.2; the TLS 1.3 handshake is shorter and also substantially different.
After agreeing on a session key (a.k.a. the master session key), all communication between the endpoints uses that negotiated key to encrypt and decrypt traffic between client and server. This is the so-called record layer.
Here is another great example explaining the whole process in more depth: Link