How does TLS handshake work? - 10-Minute Engineering Brief | DevExCode

TLS Handshake: A Step-by-Step Guide

security, tls, handshake, encryption

When it comes to ensuring the confidentiality and integrity of online communications, Transport Layer Security (TLS) is a crucial component. At its core lies the TLS handshake, a complex process that establishes a secure connection between a client and server. In this post, we'll break down the TLS handshake into its constituent parts, exploring each step in detail.

The TLS Handshake Process

The TLS handshake involves several key steps:

Step 1: Client Hello

The client initiates the handshake by sending a ClientHello message to the server. This message includes the following information:

The supported protocols (e.g., TLS 1.2, TLS 1.3)
The supported cipher suites
The random session ID (SID)

[ASCII Diagram: Client Hello]

  +---------------+
  |  ClientHello  |
  +---------------+
  | Protocol: TLS 1.2 |
  | Cipher Suites:  |
  |  ECDHE-RSA-AES |
  |  SHA256          |
  | Session ID: 0x12345678  |
  +---------------+

Step 2: Server Hello

The server responds with a ServerHello message, which includes:

The selected protocol (from the client's preferences)
The chosen cipher suite
The random session ID (SID)

[ASCII Diagram: Server Hello]

  +---------------+
  |  ServerHello  |
  +---------------+
  | Protocol: TLS 1.2 |
  | Cipher Suite: ECDHE-RSA-AES |
  | Session ID: 0x90123456   |
  +---------------+

Step 3: Certificate

The server sends its X.509 certificate, which contains:

The server's public key
The server's identity (e.g., domain name)
The server's certification path (if applicable)

[ASCII Diagram: Certificate]

  +---------------+
  |  Certificate  |
  +---------------+
  | Public Key:   |
  |  RSA-2048      |
  | Identity: example.com  |
  | Certification Path:  |
  |  CA Root A    |
  |  CA Intermediate B|
  +---------------+

Step 4: Client Key Exchange (ECDHE/RSA)

The client generates a random key pair and sends the public key to the server. The server uses this public key to generate its own random key pair.

[ASCII Diagram: Client Key Exchange]

  +---------------+
  |  ClientKey    |
  +---------------+
  | Public Key:   |
  |  ECDHE-RSA     |
  | Server-side  |
  |  generates own  |
  |  key pair      |
  +---------------+

Step 5: Change Cipher Spec

The client and server agree on the encryption parameters, including:

The symmetric cipher (e.g., AES)
The MAC algorithm (e.g., SHA256)

[ASCII Diagram: Change Cipher Spec]

  +---------------+
  | Change Cipher |
  +---------------+
  | Symmetric Cipher: AES-256    |
  | MAC Algorithm: SHA256       |
  +---------------+

Step 6: Finished

The client and server exchange Finished messages, which contain:

The handshake hash (a cryptographic checksum)
The session ID (SID)

[ASCII Diagram: Finished]

  +---------------+
  |  Finished    |
  +---------------+
  | Handshake Hash: |
  |  SHA256        |
  | Session ID:   |
  | 0x12345678     |
  +---------------+

TL;DR

The TLS handshake is a complex process that establishes a secure connection between a client and server. It involves several key steps, including the exchange of messages to establish the protocol, cipher suite, and session ID. The client and server also exchange public keys and generate random key pairs to ensure confidentiality and integrity. Finally, they agree on the encryption parameters and exchange Finished messages to complete the handshake.