Tags

  • AWS (8)
  • Apigee (3)
  • ArchLinux (5)
  • Array (6)
  • Backtracking (6)
  • BinarySearch (6)
  • C++ (19)
  • CI&CD (3)
  • Calculus (2)
  • Database (1)
  • DesignPattern (43)
  • DisasterRecovery (1)
  • Docker (8)
  • DynamicProgramming (20)
  • FileSystem (11)
  • Frontend (2)
  • FunctionalProgramming (1)
  • GCP (1)
  • Gentoo (6)
  • Git (16)
  • Golang (1)
  • Graph (10)
  • GraphQL (1)
  • Hardware (1)
  • Hash (1)
  • Kafka (1)
  • LinkedList (13)
  • Linux (27)
  • Lodash (2)
  • MacOS (3)
  • Makefile (1)
  • Map (5)
  • Miscellaneous (1)
  • MySQL (21)
  • Neovim (11)
  • Network (72)
  • Nginx (6)
  • Node.js (33)
  • OpenGL (6)
  • PriorityQueue (1)
  • ProgrammingLanguage (9)
  • Python (10)
  • RealAnalysis (20)
  • Recursion (3)
  • Redis (1)
  • RegularExpression (1)
  • Ruby (19)
  • SQLite (1)
  • Sentry (3)
  • Set (4)
  • Shell (4)
  • SoftwareEngineering (12)
  • Sorting (2)
  • Stack (4)
  • String (2)
  • SystemDesign (13)
  • Terraform (2)
  • Tree (24)
  • Trie (2)
  • TwoPointers (16)
  • TypeScript (3)
  • Ubuntu (4)

    • Home

    How TLS works

    Published Jun 12, 2025 [  Network  ]

    TLS (Transport Layer Security) is a cryptographic protocol that provides secure communication over a computer network. It is widely used in HTTPS, email, messaging, and other protocols. Here’s a detailed breakdown of how TLS works, from the moment a connection is initiated to the end of the secure session.

    🔐 Goals of TLS

    TLS provides four main properties:

    1. Confidentiality – Data is encrypted to prevent eavesdropping.
    2. Integrity – Ensures data is not modified in transit.
    3. Authentication – Confirms the identity of one or both parties.
    4. Forward Secrecy (optional) – Ensures past sessions remain secure even if long-term keys are compromised.

    🧾 TLS in Action: The Handshake

    Step 1: Client Hello

    The client (e.g., browser) initiates a secure connection by sending a “ClientHello” message that includes:

    • Supported TLS versions
    • Supported cipher suites
    • A random number (used later for key generation)
    • Extensions, including the server name (SNI)

    Step 2: Server Hello

    The server responds with:

    • The chosen TLS version
    • The selected cipher suite
    • Its own random number
    • Its digital certificate (usually X.509, contains public key and identity info)
    • Optionally, key exchange parameters

    The digital certificate is signed by a Certificate Authority (CA) that the client trusts.

    Step 3: Authentication and Key Exchange

    Now the client must verify the server’s identity:

    • The client checks the certificate’s validity (expiry, domain match, CA signature)
    • If valid, the client proceeds to key exchange

    The exact method depends on the chosen key exchange algorithm:

    • In RSA-based TLS, the client generates a “pre-master secret”, encrypts it with the server’s public key (from the certificate), and sends it to the server.
    • In Diffie-Hellman or ECDHE (modern, preferred), both sides agree on a shared secret using ephemeral keys (provides forward secrecy).

    Step 4: Session Key Generation

    Both sides now derive the session key from:

    • The pre-master secret (or Diffie-Hellman result)
    • The client and server random numbers

    This key is used for symmetric encryption, because it’s much faster than public-key cryptography.

    Step 5: Finished Messages

    • Both client and server send a “Finished” message encrypted using the derived session key.
    • These messages confirm that future communications are encrypted and that the handshake succeeded.

    🔒 Secure Data Transfer

    Now that both sides share a session key:

    • All data is encrypted using a symmetric cipher (e.g., AES)
    • A MAC (Message Authentication Code) or AEAD (Authenticated Encryption with Associated Data) ensures data integrity

    📤 Closing the Connection

    When either side wants to close:

    • They send a “close_notify” alert
    • Both sides discard the session key

    🧠 Summary Diagram

    Client                         Server
  |----- ClientHello -------->|
  |                           |
  |<------ ServerHello -------|
  |<----- Certificate --------|
  |                           |
  |--- (Key Exchange) ------->|
  |                           |
  |--- Finished (encrypted)-->|
  |<-- Finished (encrypted) --|
  |                           |
  |<==== Secure Data ========>|
  |                           |
  |------ close_notify ------>|

    ✅ TLS Versions

    • TLS 1.0 / 1.1: Obsolete, insecure
    • TLS 1.2: Widely used, secure with modern settings
    • TLS 1.3: Simplified, faster, more secure (no RSA key exchange, removes obsolete features)

    📘 Real World Example (HTTPS)

    1. You type https://example.com
    2. Your browser starts a TLS handshake
    3. Verifies the server’s certificate
    4. Negotiates a secure connection
    5. Then HTTP data is transmitted securely on top of TLS