TLS/SSL Handshake

[!NOTE] This module explores the core principles of TLS/SSL Handshake, deriving solutions from first principles and hardware constraints to build world-class, production-ready expertise.

1. What is TLS?

Transport Layer Security (TLS), and its predecessor SSL (Secure Sockets Layer), are cryptographic protocols designed to provide communications security over a computer network.

TLS provides three main things:

1. Encryption: Hides data from eavesdroppers.
2. Authentication: Ensures the parties are who they claim to be.
3. Integrity: Verifies that data has not been forged or tampered with.

2. Public vs. Private Keys

• Public Key: Can be shared with anyone. Used to Encrypt data.
• Private Key: Must be kept secret. Used to Decrypt data. This is called Asymmetric Encryption. It is slow, so we only use it to share a smaller Symmetric Key for the actual data session.

3. The TLS 1.2 Handshake

1. Client Hello: Client sends supported cipher suites and a random number.
2. Server Hello + Certificate: Server chooses a cipher, sends its random number, and its SSL Certificate (containing its Public Key).
3. Validation: Client checks with a Certificate Authority (CA) to see if the certificate is valid.
4. Key Exchange: Client generates a “Pre-master secret,” encrypts it with the Server’s Public Key, and sends it.
5. Finish: Both sides compute a Session Key from the secrets. All future traffic is encrypted with this Symmetric Key.

---

4. Interactive: The Certificate Chain

Verify the site’s identity.

Root CA (Trusted)

↓

Intermediate CA

↓

google.com

Invalid Certificate

Browser Warning: Unsecure Connection!

---

5. TLS 1.3: Simpler and Faster

Modern TLS 1.3 reduces the handshake to just one round trip (1-RTT) and removes insecure old encryption methods (like SHA-1 and MD5).