Transport Layer Security (TLS)

Transport Layer Security (TLS) is the successor to the Secure Sockets Layer (SSL). TLS is a cryptographic protocol intended to keep data secure while it is transferred over a network.

Client-server applications use the TLS protocol to communicate across a network in a way designed to prevent eavesdropping and tampering. Websites can use TLS to secure all communications between their servers and web browsers.

The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications. When a secured connection is established between the client and the server using TLS, the connection has one or more of the following properties:

The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret that was negotiated at the start of the session (TLS handshake).

The identity of the communicating parties can be authenticated using public-key cryptography. This authentication can be made optional but is generally required for at least one of the parties (typically the server).

The connection is reliable because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.


What are the benefits of TLS (Transport Layer Security)?

Encryption: TLS uses encryption algorithms, so the connection is secured and only encrypted data is exchanged between client and server.

Algorithm flexibility: During the handshake, the client and server negotiate the authentication mechanisms, encryption algorithms, and hashing algorithms that will be used during the secure session.

Interoperability: TLS/SSL works with most web browsers, including Microsoft Internet Explorer, and on most operating systems and web servers.

Ease of implementation: You can easily deploy TLS/SSL on your blog or website; many vendors provide SSL certificates.

Ease of use: Because TLS/SSL is implemented beneath the application layer, most of its operations are completely invisible to the client.

Nowadays many websites use a CDN to make the site fast, secure, and responsive. StackPath CDN is easy to set up and manage, with quality reporting.

Working of TLS (Transport Layer Security):

TLS/SSL is designed to exchange sensitive data over the network using secure algorithms and to prevent other programs from reading that private data off the network connection.

TLS/SSL operates directly on top of the transmission control protocol (TCP). It allows higher protocol layers to remain unchanged while still providing a secure connection. So underneath the TLS/SSL layer, the other protocol layers are able to function as normal.

TLS/SSL uses asymmetric (public-key) encryption algorithms to secure the transmission of data. These algorithms use a pair of keys (public and private). The public key is freely available to anybody; the private key is known only to the server or client that owns it. Data encrypted with the public key can be decrypted only with the private key, and data encrypted with the private key can be decrypted only with the public key.

In TLS/SSL communication, the client starts the connection by sending the first hello message. This hello message begins the negotiation and the handshake between server and client. Once the handshake completes successfully, a secret key is generated for the current connection, and the server and client use this secret key to exchange data.


TLS/SSL handshake flow

The SSL handshake is an authentication process in which the server and client authenticate each other using certificates. A certificate is either generated by the user (a self-signed certificate created with OpenSSL commands) or issued by a third party (a certificate authority). The steps below describe the handshake between the server and client.

  • At the beginning of the communication, the SSL/TLS client sends a “client_hello” message to the server. This message contains all the cryptographic information supported by the client: the highest SSL/TLS protocol version, the list of encryption algorithms (cipher suites, in the client’s order of preference), the data compression methods, a session identifier to resume (if any), and randomly generated data (which will be used in symmetric key generation).
  • The SSL/TLS server responds with a “server_hello” message containing everything needed to establish the connection: the protocol version to use, the selected compression algorithm and encryption method, the assigned session ID, and its own random data (also used in symmetric key generation).
  • The server sends its certificate to the client. If the server requires a client certificate for mutual authentication, it also sends a request for the client’s certificate.
  • The SSL or TLS client verifies the server’s digital certificate. For more information, see How SSL and TLS provide identification, authentication, confidentiality, and integrity.
  • If the SSL or TLS server sent a “client certificate request”, the client sends a random byte string encrypted with the client’s private key, together with the client’s digital certificate, or a “no digital certificate alert”. This alert is only a warning, but with some implementations the handshake fails if client authentication is mandatory.
  • The SSL or TLS client sends the randomly generated data that enables both the client and the server to compute the secret key to be used for encrypting subsequent message data. The randomly generated data itself is encrypted with the server’s public key.
  • The SSL or TLS server verifies the client’s certificate.
  • The SSL or TLS client sends the server a “finished” message, which is encrypted with the secret key, indicating that the client part of the handshake is complete.
  • The SSL or TLS server sends the client a “finished” message, which is encrypted with the secret key, indicating that the server part of the handshake is complete.
  • For the duration of the SSL or TLS session, the server and client can now exchange messages that are symmetrically encrypted with the shared secret key.
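The “client_hello” fields listed above (protocol version, random data, session identifier, cipher suites, compression methods) can be read straight off the wire. The following is an added example, not code from the original article: it builds a constructed ClientHello record, parses those fields back out, and runs a defender-side check that flags legacy versions, weak suites, and compression offers. The sample values are constructed; the cipher-suite codes are standard IANA assignments.

```python
import struct
# Small lookup of IANA cipher-suite codes used by the constructed sample (not exhaustive).
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(version, random32, session_id, suites, compression):
    """Assemble a TLS record carrying a ClientHello; used only to construct sample input."""
    body = struct.pack("!H", version) + random32
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += bytes([len(compression)]) + bytes(compression)
    body += struct.pack("!H", 0)                                  # empty extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # type 1 = client_hello
    return b"\x16" + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # 22 = handshake

def parse_client_hello(record):
    """Extract the fields the text lists: version, random, session id, cipher suites, compression."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    random32 = body[2:34]                                         # 32 bytes of client random
    sid_len = body[34]
    pos = 35 + sid_len
    session_id = body[35:pos]
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + cs_len, 2)]
    pos += 2 + cs_len
    compression = list(body[pos + 1:pos + 1 + body[pos]])
    return {"version": VERSIONS.get(version, hex(version)), "random": random32, "session_id": session_id,
            "cipher_suites": [SUITE_NAMES.get(s, hex(s)) for s in suites], "compression": compression}

def review_offers(hello):
    """Defender's check: flag legacy versions, weak suites and compression offered by a client."""
    findings = []
    if hello["version"] in ("SSL 3.0", "TLS 1.0", "TLS 1.1"):
        findings.append("legacy protocol version " + hello["version"])
    findings += ["weak cipher suite " + s for s in hello["cipher_suites"] if "RC4" in s or "3DES" in s]
    if any(c != 0 for c in hello["compression"]):
        findings.append("TLS compression offered")
    return findings

# Constructed sample: a TLS 1.2 client offering two modern suites plus legacy 3DES and RC4, null compression.
SAMPLE = build_client_hello(0x0303, bytes(range(32)), b"\xaa" * 8, [0x1301, 0xC02F, 0x000A, 0x0004], [0])
```

Running `review_offers(parse_client_hello(SAMPLE))` reports the two legacy suites; feeding it a captured ClientHello from a real client works the same way as long as the record starts at the TLS record header.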

What is the difference between HTTP and HTTPS?

HTTP stands for Hypertext Transfer Protocol and is the protocol used for viewing web pages. HTTPS stands for Secure Hypertext Transfer Protocol; it is HTTP with a security layer (TLS/SSL) added.

What’s the difference between TLS (Transport Layer Security) and HTTPS?

Basically, HTTPS is an implementation of TLS/SSL on top of the HTTP protocol used to view web pages: HTTPS is the secure version of HTTP. Google now penalizes HTTP-only websites. Any website that uses HTTPS is therefore employing SSL/TLS encryption.