What is Transport Layer Security (TLS)?
Transport Layer Security or TLS is an encryption protocol designed to secure internet communications. TLS is the upgraded version of SSL. Many use cases of TLS such as HTTPS, MQTTS, Email, and VoIP.
Picture 1. SSL/TLS on TCP/IP Stack
In this blog, we will explore how TLS works by examining the TLS handshake, the process that establishes a secure connection between two parties. We will use Wireshark, a network analysis tool, to capture and analyze the packets exchanged during the handshake.
SSL/TLS Handshake on Wireshark (TLSv1.2)
Picture 2. SSL/TLS handshake process
Picture 3. SSL/TLS handshake process on Wireshark
Step 1: Client Hello This is the first step of the handshake. The client sends a hello message that includes the random string, SSL/TLS version, and cipher suites that can be used. Random string aims to prevent replay attacks, where an attacker could record a previous session and replay it to impersonate the client or the server.
Picture 4. Client Hello message
Step 2: Server Hello is sent by the server after client Hello. The server Hello message includes SSL/TLS version and Cipher Suites that are selected by the server.
Picture 5. Server Hello message
Step 3: Certificates, Server Key Exchange, Server Hello Done are sent after Server Hello.
- Certificates are the certificate chain. A certificate chain may include Root CA, Immediate CA (optional), and server certificate. The chain of certificates is also called the chain of trust. The client (the browser for example) stores the list of root CA by themselves. The root CA is provided by the trust third parties. The server certificate is issued by the root CA so the Client (The browser) trusts the server certificate. That is how the chain of trust works.
Picture 6. Certificate chain
- Server Key Exchange At this step, the server sends a public key and signature to the client. The client and the server use this public key to encrypt or decrypt the messages.
The signature is generated by hashing the certificates and encrypted by the server’s private key. After receiving the signature, the client decrypts it and verifies the hash. If the hash is valid, the certificates are authentic.
Picture 7. Server Key Exchange
- Server Hello Done is sent to end the Server Key Exchange.
Picture 8. Server Hello Done
Step 4: Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message are sent after the Client finishes verifying the certificates.
Picture 9. Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
- Client Key Exchange means the client creates a Diffie-Hellman parameter, which is a large prime number and a generator. The client then encrypts this parameter using the server’s public key and sends it to the server.
The server decrypts the parameter using its private key and uses it to compute the session key, which is a shared secret between the client and the server.
The exchange processing is talked about in this topic.
Picture 10. Client Key Exchange
- Change Cipher Spec is sent to notify the server now the communication is encrypted by the session key.
- Encrypted Handshake Message is sent after the client agrees on the session keys and the cipher suite to use for encrypting the communication.
Step 5: New Session Ticket, Change Cipher Spec, Encrypted Handshake Message are sent by the Server to agree to the encrypting of the communication.
Picture 11. New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
- New Session Ticket is sent to notify the Client that the server agreed on the session keys and the cipher suite to use for encrypting the communication. The New Session Ticket is also used to resume the session in a future connection, without performing a full handshake again.
- Change Cipher Spec and Encrypted Handshake Message are the same on the Client side.
Now, all the application data will be encrypted.
Hope this blog is useful for you. Thanks for reading!