
TLS/SSL Basics

Overview

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are cryptographic protocols designed to provide secure communication over a computer network. They are widely used in web browsing (HTTPS), email (SMTPS), file transfer (FTPS), and more.

The three main functions are:

  1. Encryption: Prevents eavesdropping by third parties.
  2. Authentication: Verifies the identity of the communicating party (prevents impersonation).
  3. Integrity: Ensures that data has not been altered during transit.

Difference between TLS and SSL

While the term "SSL" is still widely used, TLS is the current technical standard.

  • SSL (1.0, 2.0, 3.0): Developed by Netscape. All versions are now deprecated due to security vulnerabilities.
  • TLS (1.0, 1.1, 1.2, 1.3): Standardized by the IETF as the successor to SSL. Currently, TLS 1.2 or higher is recommended for security reasons, with TLS 1.3 being the latest version.

Info: Most of what is currently referred to as "SSL certificates" or "SSL communication" actually uses TLS.

Encryption Mechanism

TLS uses a hybrid encryption system that combines symmetric key encryption and public key encryption to achieve both security and performance.

1. Symmetric Key Encryption

Uses the same key (symmetric key) for both encryption and decryption.

  • Pros: Fast processing speed.
  • Cons: Requires a secure method to share the key (Key Distribution Problem).
  • Common Algorithms: AES, ChaCha20

Key Distribution Problem

In symmetric key encryption, the "symmetric key" must be sent to the communicating party. However, if the key itself is sent unencrypted, it risks being intercepted. Yet, to encrypt the key for transmission, another key is needed, creating a circular dependency. This is known as the "Key Distribution Problem".

2. Public Key Encryption

Uses a pair of keys: a public key (available to everyone) and a private key (kept secret by the owner). Data encrypted with the public key can only be decrypted with the corresponding private key.

  • Pros: Solves the key distribution problem.
  • Cons: Slower processing speed compared to symmetric encryption.
  • Common Algorithms: RSA, ECDSA (Elliptic Curve Cryptography)

3. Hybrid Encryption

TLS combines both methods as follows:

  1. Use Public Key Encryption to securely exchange a "symmetric key" at the beginning of the session.
  2. Use the exchanged "symmetric key" with Symmetric Key Encryption for the actual data transmission (for speed).
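The two steps above, as an added worked example in Go (this is not code from the original page). It stands in RSA-OAEP for the public key step and AES-256-GCM for the symmetric step: a fresh session key is wrapped with the recipient's public key, the data is encrypted under that key, and the GCM authentication tag supplies the integrity property from the Overview. The names NewKeyPair, HybridEncrypt and HybridDecrypt and the sample request are the example's own. One simplification to keep in mind: TLS does not wrap a key per message like this; the handshake described later on the page exchanges the symmetric key once at the start of the session.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// HybridCiphertext is what travels over the wire: the symmetric key wrapped
// with the recipient's public key, plus the symmetrically encrypted data.
type HybridCiphertext struct {
	WrappedKey []byte // 32-byte AES key encrypted with RSA-OAEP
	Nonce      []byte // AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// NewKeyPair generates the recipient's RSA key pair. The public half is what a
// server certificate distributes; the private half never leaves the server.
func NewKeyPair(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// HybridEncrypt is the sender's side: step 1 (public key wraps a fresh
// symmetric key) followed by step 2 (the symmetric key encrypts the data).
func HybridEncrypt(pub *rsa.PublicKey, plaintext []byte) (*HybridCiphertext, error) {
	key := make([]byte, 32) // AES-256 session key, fresh for every message
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal encrypts and appends an authentication tag, so tampering is detected on Open.
	return &HybridCiphertext{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// HybridDecrypt is the recipient's side: unwrap the session key with the
// private key, then decrypt and integrity-check the data with it.
func HybridDecrypt(priv *rsa.PrivateKey, hc *HybridCiphertext) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, hc.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping session key: %w", err)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, hc.Nonce, hc.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("data rejected, integrity check failed: %w", err)
	}
	return plaintext, nil
}

// newGCM builds the AES-GCM AEAD for a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	priv, err := NewKeyPair(2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("GET /account HTTP/1.1") // constructed sample request line
	hc, err := HybridEncrypt(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(hc.WrappedKey), len(hc.Ciphertext))
	got, err := HybridDecrypt(priv, hc)
	fmt.Printf("decrypted: %q (err=%v)\n", got, err)
	hc.Ciphertext[0] ^= 1 // a single bit flipped in transit
	_, err = HybridDecrypt(priv, hc)
	fmt.Println("after tampering:", err)
}
```

The slow public key operation runs once, on 32 bytes, while the bulk data goes through AES, which is the performance point of the hybrid design; the tampering case shows that the integrity check is part of the symmetric layer, not a separate step.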

Digital Certificates

A Digital Certificate (SSL Server Certificate) is an electronic file that proves the identity of a website operator and distributes the public key needed for encrypted communication.

Role of Certificates

  1. Proof of Existence: Proves that the site operator exists and owns the domain.
  2. Establishing Encryption: Securely delivers the server's public key to the client (browser).

Certificate Authority (CA)

A trusted third-party organization that issues certificates. Browsers and OSs come pre-installed with certificates from major Root CAs.

Types of Certificates (Validation Levels)

DV (Domain Validation)
  • Validation content: Domain ownership only
  • Features: Fast issuance, low cost (or free)
  • Use case: Personal blogs, internal systems

OV (Organization Validation)
  • Validation content: Domain ownership + Organization existence
  • Features: Organization name included in certificate
  • Use case: Corporate sites, Web services

EV (Extended Validation)
  • Validation content: Strictest vetting process
  • Features: Organization name may appear in address bar
  • Use case: Financial institutions, E-commerce

TLS Handshake

The "TLS Handshake" is the process used to negotiate the encryption method and exchange keys when starting a TLS connection.

Simplified TLS 1.2 Handshake Flow

  1. Client Hello: Client proposes supported TLS versions and cipher suites.
  2. Server Hello: Server selects the version and cipher suite, and sends the Server Certificate (containing the public key).
  3. Certificate Verification: Client verifies the certificate's validity (expiration, CA signature, etc.).
  4. Key Exchange: Client generates data for the symmetric key (Pre-Master Secret), encrypts it with the server's public key, and sends it.
  5. Symmetric Key Generation: Server decrypts it with the private key, and both parties generate the same symmetric key.
  6. Secure Communication: Data is encrypted with the generated symmetric key.
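The certificate roles from the Digital Certificates section (a CA signing a server certificate that carries the server's public key) and the client-side checks of handshake step 3, as one added example in Go using the standard library's crypto/x509; it is not code from the page. It generates a constructed root CA in memory, has it issue a DV-style certificate for the made-up host www.example.test, and then runs the checks a client performs before continuing the handshake: the CA signature must chain to a trusted root, the validity period must cover the current time, and the certificate must name the site being visited. The function names, the host and the "(constructed)" CA name are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a key pair for tmpl and signs the certificate. With parent nil it
// is self-signed (a root CA); otherwise parentKey signs it (a CA issuing to a site).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewRootCA builds a self-signed CA, standing in for a root CA pre-installed in a browser or OS.
func NewRootCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// IssueServerCert has the CA issue a DV-style certificate for host; the returned private key stays with the server.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{host}, // the name a client compares against the site it is visiting
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
}

// VerifyServerCert runs the client's checks from handshake step 3 and reports the
// outcome the way a browser would: "ok", "expired", "hostname mismatch" or "untrusted CA".
func VerifyServerCert(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots, // the CA signature must chain to one of these
		DNSName:     host,  // the certificate must name the site being visited
		CurrentTime: now,   // the validity period is checked at this instant
	})
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "expired"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "untrusted CA"
	}
	return err.Error()
}

func main() {
	now := time.Now()
	ca, caKey, err := NewRootCA("Example Root CA (constructed)", now)
	if err != nil {
		panic(err)
	}
	leaf, _, err := IssueServerCert(ca, caKey, "www.example.test", now.Add(-time.Hour), now.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool() // the client's trust store: only our constructed root
	roots.AddCert(ca)
	fmt.Println("valid:     ", VerifyServerCert(leaf, roots, "www.example.test", now))
	fmt.Println("wrong host:", VerifyServerCert(leaf, roots, "other.example.test", now))
	fmt.Println("expired:   ", VerifyServerCert(leaf, roots, "www.example.test", now.Add(365*24*time.Hour)))
	fmt.Println("untrusted: ", VerifyServerCert(leaf, x509.NewCertPool(), "www.example.test", now))
}
```

The three failing cases are the ones a client rejects at step 3 even though the certificate's signature itself is sound: the hostname and expiry checks in particular are what operators most often trip over in certificate management.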

TLS 1.3 Improvements

TLS 1.3 simplified the handshake so that a connection can be established in one round trip (1-RTT), where TLS 1.2 needed two (2-RTT). This improves connection speed, and security is strengthened by removing older, vulnerable encryption algorithms.

Summary

  • TLS is the foundational technology for secure internet communication.
  • Hybrid Encryption balances security and performance.
  • Digital Certificates prevent impersonation.
  • Web developers must ensure proper certificate management and use modern TLS versions (currently TLS 1.2+).