Recently, I have been asked several times about what TLS is and how it works. Unfortunately, I failed to give them
TLS is short for Transport Layer Security. It is the protocol whose primary aim is to provide privacy and data integrity between two communicating applications. You must have seen the schemes “HTTPS” and “HTTP” at the front of a URL. What does the additional “S” mean? Now, I guess you can figure it out.
You may have seen “SSL/TLS” somewhere. What is the difference between SSL and TLS? Actually, this is a historical story. In 1994, SSL 1.0 was created by NetScape but was never published. One year later, in 1995, SSL 2.0 was created. However, serious security problems were found soon after it was released. Fortunately, SSL 3.0, released in 1996, was a great success. In 1999, TLS 1.0 was released by ISOC after they replaced NetScape. The version of TLS we use today is TLS 1.2, also called SSL 3.3 (the two names refer to the same thing). Actually, you can regard SSL as the predecessor of TLS.
To solve the potential problem when data is
Let us assume that A is trying to establish a connection with B.
- A sends ClientHello to B [TLS version, random number 1, a list of suggested CipherSuites and compression methods];
- B sends ServerHello to A [chosen TLS version, random number 2, CipherSuite, compression method], and B sends Certificate to A [contains the public key of B];
- A sends a response to B [random number 3, the premaster key, encrypted with the public key of B];
- B sends a response to A [start transmitting data encrypted with the key, plus a hash of all the handshake content exchanged so far];
- Now A and B both have the 3 random numbers. They just use these 3 numbers to generate the session key!
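To make the last two steps concrete, here is an added example that is not part of the original post. It implements the TLS 1.2 PRF from RFC 5246 (P_SHA256) with only Python's standard library, derives the 48-byte master secret from the three random numbers on both sides, and then computes the "hash of all content" check that B verifies before accepting the key. The example assumes the premaster secret already reached B correctly (the RSA encryption of step 3 is not modelled), and the message bytes in the transcript are constructed stand-ins for the real wire encoding; `run_handshake`, `derive_master_secret` and `finished_verify_data` are names chosen for this example.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 data-expansion function P_SHA256 (RFC 5246, section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_master_secret(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Last step of the post: the three random values become one 48-byte master secret."""
    return prf(premaster, b"master secret", client_random + server_random, 48)


def finished_verify_data(master: bytes, transcript: bytes, label: bytes) -> bytes:
    """Fourth step of the post: a 12-byte check value over the hash of every message so far."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def run_handshake(client_random=None, server_random=None, premaster=None, tamper=False):
    """Simulate both sides. The RSA encryption of the premaster (step 3) is assumed to
    have worked and is not modelled; the message bytes are constructed stand-ins."""
    client_random = client_random or os.urandom(32)           # random number 1 (ClientHello)
    server_random = server_random or os.urandom(32)           # random number 2 (ServerHello)
    premaster = premaster or (b"\x03\x03" + os.urandom(46))   # random number 3, version-prefixed

    # Constructed handshake messages as A sent and received them.
    client_hello = b"ClientHello|" + client_random + b"|suites=AES256-GCM,AES128-GCM"
    server_hello = b"ServerHello|" + server_random + b"|suite=AES256-GCM"
    certificate = b"Certificate|<public key of B, placeholder>"
    client_key_exchange = b"ClientKeyExchange|<premaster encrypted for B, assumed>"
    transcript_a = client_hello + server_hello + certificate + client_key_exchange

    # B's view of the same transcript. With tamper=True, the ClientHello that reached B
    # had its cipher-suite list altered in transit, so the two views disagree.
    client_hello_b = client_hello.replace(b"AES256-GCM,", b"") if tamper else client_hello
    transcript_b = client_hello_b + server_hello + certificate + client_key_exchange

    # Both sides combine the same three random values independently.
    master_a = derive_master_secret(premaster, client_random, server_random)
    master_b = derive_master_secret(premaster, client_random, server_random)

    # A sends its check value; B recomputes it over its own transcript and compares in
    # constant time. A mismatch means the handshake was modified and must be aborted.
    finished_a = finished_verify_data(master_a, transcript_a, b"client finished")
    expected_b = finished_verify_data(master_b, transcript_b, b"client finished")
    return {
        "master_secret": master_a,
        "keys_match": master_a == master_b,
        "finished_ok": hmac.compare_digest(finished_a, expected_b),
    }


if __name__ == "__main__":
    print(run_handshake())
    print(run_handshake(tamper=True))
```

The master secret depends on all three random values, so either party changing its random changes the session key, and the transcript check is what lets B notice that the handshake it saw is not the one A sent, even though both sides hold the same key.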
That is the main idea of TLS. More content will be added when I have some free time.