Transport Layer Security (TLS), created by the IETF as the successor to Netscape’s SSL, establishes an encrypted and authenticated channel between client and server — ensuring no third party can eavesdrop or tamper with communication.
TLS Architecture
- TLS Record Protocol: Provides connection security via symmetric encryption (e.g., DES). Can also be used without encryption.
- TLS Handshake Protocol: Enables mutual authentication and negotiation of cipher suite and session keys before data is exchanged.
Handshake Message Flow
| Message | Purpose |
|---|---|
| ClientHello | Proposes cipher suites and TLS version |
| ServerHello | Selects cipher suite, sends server certificate |
| KeyExchange | Establishes shared keying material |
| ChangeCipherSpec | Both sides activate negotiated encryption |
| Alert | Signals errors or session termination |
TLS vs SSL
SSL immediately begins with a secured channel. TLS starts with an insecure “hello” and only switches to encrypted communication after a successful handshake. If the handshake fails, no connection is created. TLS also allows secure and insecure connections on the same port, while SSL requires a dedicated secure-only port.
TLS Design Goals (Priority Order)
- Cryptographic Security — establish a genuinely secure connection
- Interoperability — independent implementations can exchange parameters without shared code
- Extensibility — new encryption methods can be incorporated as needed
- Relative Efficiency — session caching reduces the cost of repeated full handshakes
CISSP Made Easy 