Tuesday, December 22, 2015

How does TLS or Transport Layer Security Protocol work ?

When two hosts communicate with each other over the unsecured network and they want to transfer sensitive data between them, especially for bank transactions or ecommerce transactions, they must use an encrypted and secured connection. SSL or Secure Socket Layer was developed by Netscape for that purpose. It enabled bank and ecommerce transaction security over the unsecure network.

Protocols in the Application Layer need to remain unchanged, yet provide communication security. And hence, SSL was implemented in Session Layer.

SSL 2.0 was first publicly released version of the protocol. But, soon security flaws were found in it. So, SSL 3.0 replaced SSL 2.0. TLS 1.0 is an upgraded version of SSL 3.0.

How does TLS work ?

Once a client starts communication with the server, TCP connection gets established following the below mentioned couple of steps.

  • The Client first communicates with the server sending a Hello message. The message includes number of options that will be used in the communication, such as version of the protocol to be used, CipherSuites supported by the client, compression methods and a 32 byte random number.
  • Server replies to the Hello message and makes choices about the options to be used, like version of protocol, CipherSuite and compression method. It also fills up the SessionID and replaces the 32 byte random number with date and timestamp.
  • The Server now sends Digital Certificates to the Client. This Digital Certificates contain the public key of the Server.
  • The Client verifies the Digital Certificate with CA or Certificate Authority.
  • After the Digital Certificate is verified, the Client starts to negotiate the symmetric key. There are a number of algorithms it can use. One example is Diffie-Hellman Key Exchange Algorithm. Please note that, at this point, secure connection is not yet established. So, symmetric key cannot be exchange between the Server and the Client directly and hence, key exchange algorithms like Diffie-Hellman Key Exchange Protocol is used. The Client also signs the message and sends the MAC or Message Athentication Code to the Server.
  • The Server processes the key exchange parameters. It also checks the MAC or Message Athentication Code to verify the integrity and authenticity of the message sent.
  • If everything goes well, a secure TLS connection is established between the Server and the Client and secure communication starts to transfer sensitive application data.


  1. Thank you for sharing such an informative article. I really hope I can see other interesting posts. Keep up the good work!

    Thank you for sharing such an informative article. I really hope I can see other interesting posts. Keep up the good work!