Recently, I have been asked several times about what TLS is and how it works. Unfortunately, I failed to give them a detailed answer, though I have learned that before. These days, I spent some time reviewing it and decided to post it on my blog, hoping it will help you recall the knowledge about TLS.
TLS is short for Transport Layer Security. It is a protocol that aims primarily to provide privacy and data integrity between two communicating computer applications. You must have seen the schemes “HTTPS” and “HTTP” at the front of a URL. What does the additional “S” mean? Now, I guess you can figure it out.
You may have seen “SSL/TLS” somewhere. What is the difference between SSL and TLS? Actually, this is a matter of history. In 1994, SSL 1.0 was created by Netscape but was never published. One year later, in 1995, SSL 2.0 was created. However, it was found to have serious security problems soon after it was released. Fortunately, SSL 3.0, released in 1996, gained great success. In 1999, TLS 1.0 was released by ISOC after they replaced Netscape. The version of TLS we use today is TLS 1.2, or SSL 3.3 (they refer to the same thing). Actually, you can regard SSL as the predecessor of TLS.
To solve the potential problems that arise when data is transferred in plaintext over HTTP, a new protocol had to be brought in to secure the data transmission. The first problem is how the client and the server negotiate a key. I bet your cryptography teacher told you that the performance of symmetric cryptography is much better than that of asymmetric cryptography, and that the commonly used method is to negotiate a key using asymmetric cryptography and then use that key to encrypt data symmetrically. This is exactly how TLS works. So how the two ends negotiate a key is the primary point of this article.
Let us assume that A is trying to establish a connection with B.
- A sends `ClientHello` to B [TLS version, random number 1, a list of suggested CipherSuites and compression methods];
- B sends `ServerHello` to A [chosen TLS version, random number 2, CipherSuite, compression method], and B sends `Certificate` to A [contains pubkey of B];
- A sends response to B [random number 3 (the `premaster key`), encrypted by the pubkey of B];
- B sends response to A [Start to transmit data encrypted by the key, hash of all content below];
- Now, A and B both have 3 random numbers. Just use these 3 numbers to generate the session key!
That is the main point of TLS. More content will be added if I have leisure time.