In this article you will learn:
- What exactly happens during the TLS handshake?
- What encryption algorithm does TLS use to protect data?
- How do clients and servers exchange keys?
- How does Diffie-Hellman Ephemeral key exchange work?
- Why do we need a digital certificate?
- Why does it need to be signed by a certificate authority?
- What is a digital signature? How is it signed and verified?
- What does perfect forward secrecy mean?
- How do AEAD, MAC, HKDF, 0-RTT work?
- What is elliptic curve cryptography?
- Compared with TLS 1.2, what is new in TLS 1.3?
SSL is the abbreviation of Secure Sockets Layer and the predecessor of TLS.
TLS, short for Transport Layer Security, is a cryptographic protocol that provides secure communication over computer networks.
Besides TLS at the transport layer, there are also the Layer 2 tunneling protocols PPTP and L2TP, the Layer 3 security protocol IPsec, the application-layer security protocol S-HTTP, the email encryption package PGP, Secure Electronic Transaction (SET), and others.
SSL 2.0 was deprecated in 2011.
SSL 3.0 was deprecated in 2015.
More recently, in March 2020, TLS 1.0 and TLS 1.1 were also deprecated, so only TLS 1.2 and TLS 1.3 remain.
Initially, TLS was widely used on web servers. All web services that use HTTPS use TLS.
Similarly, email sent over the SMTPS protocol is actually SMTP + TLS.
FTPS is also FTP + TLS. And so on.
TLS is used this widely because it gives us:
- Authentication
○ TLS verifies the identity of the communicating parties, usually the client and the server.
○ With the help of asymmetric encryption technology, TLS ensures that we reach the real website and not a fake one.
- Confidentiality
○ TLS uses symmetric keys to encrypt data for transmission.
- Integrity
○ TLS detects any change made during transmission by checking the message authentication code.
TLS consists of two phases/protocols:
- Handshake protocol
○ Negotiate the protocol version
○ Select the encryption algorithms (cipher suite)
○ Authenticate each other through asymmetric encryption technology
○ Establish a shared secret key for the next stage of symmetric encryption
- Record protocol
○ All outgoing messages are encrypted using the shared secret key established during the handshake phase.
○ The encrypted message is transmitted to the other end.
○ The recipient of the data will verify whether there has been any tampering during the transmission.
○ If not, the message will be decrypted using the same symmetric key.
Therefore, message confidentiality and integrity can be achieved through TLS.
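The record-protocol steps above, as an added example that is not code from this article or from any TLS library. It assumes the handshake has already produced two shared keys, and it uses an HMAC-SHA256 keystream as a stand-in for the real TLS ciphers; the function names `protect` and `unprotect` are hypothetical.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # size of an HMAC-SHA256 tag in bytes


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode), NOT a real TLS cipher.
    blocks = (hmac.new(key, seq.to_bytes(8, "big") + i.to_bytes(4, "big"),
                       hashlib.sha256).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def protect(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Sender: encrypt, then MAC the sequence number and the ciphertext."""
    ks = _keystream(enc_key, seq, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unprotect(enc_key: bytes, mac_key: bytes, seq: int, record: bytes) -> bytes:
    """Receiver: verify the MAC first and decrypt only if it matches."""
    if len(record) < TAG_LEN:
        raise ValueError("record too short")
    ciphertext, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac_key, seq.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("bad record MAC")
    ks = _keystream(enc_key, seq, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> dict:
    # Constructed keys standing in for what the handshake would establish.
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    record = protect(enc_key, mac_key, 0, b"GET / HTTP/1.1")
    results = {"ok": unprotect(enc_key, mac_key, 0, record)}
    tampered = bytes([record[0] ^ 0x01]) + record[1:]  # flip one ciphertext bit
    for name, seq, data in (("tampered", 0, tampered), ("wrong_seq", 1, record)):
        try:
            unprotect(enc_key, mac_key, seq, data)
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    return results
```

Binding the sequence number into the MAC is what makes a replayed or reordered record fail the same check as a modified one.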
Why does TLS use both symmetric and asymmetric encryption instead of just one?
Because symmetric encryption alone cannot provide authentication.
The client and the server share only a single secret key, so they know nothing about each other and cannot verify the other party's identity. There is also the problem of how they would obtain the same secret key without leaking it to the public.
What if only asymmetric encryption is used?
Asymmetric encryption is much slower than symmetric encryption. Symmetric encryption is 100 times or even 1,000 times faster than asymmetric encryption. Therefore, asymmetric encryption is not suitable for bulk encryption.