What is a TLS protocol?

A TLS certificate ensures secure communication between two hosts on the basis of a transport-protected connection. TLS certificates are part of the transport layer. In the TCP/IP reference model, the transport layer is the fourth layer of a total of 7 layers, as it is in the OSI model.

What does TLS stand for?

TLS stands for Transport Layer Security and is a protected transport protocol for data exchange in networks such as the internet. Version 1.3 of the TLS protocol was published in August 2018 as RFC 8446 by the Internet Engineering Task Force (IETF).

What are TLS protocols used for?

TLS protocols are used for IT security and data protection: A TLS protocol ensures two essential properties for the protected processing of data during transport:

  1. Confidentiality of the transport connection
  2. Integrity of the transport connection

The confidentiality and integrity of a connection are fundamental protection goals of information security. TLS protocols are closely linked to SSL certificates as trust anchors and are therefore an important feature for users in connection with the trustworthiness of a website.

What does confidentiality & integrity mean for the transportation of data?

Confidentiality ensures that the content of the data transmission is only visible to the communicating hosts, while integrity protects the content from unauthorized modification. In addition, TLS always requires the server to authenticate itself to the client during a connection, so that the client can verify the identity of the server beyond doubt. TLS certificates are essential for websites and also for APIs and exposed microservices.

How does a protected TLS connection work?

A protected TLS connection consists of two components:

  1. The handshake protocol, which carries out the preparatory steps to establish secure data transmission
  2. The record protocol, which is responsible for the actual encryption of the data transmission

Handshake protocol

Before a secure connection for communication can take place between two hosts, both participants must exchange key information in a secure way.

Since no encryption keys exist at the beginning, the exchange process is visible to all network participants. The challenge therefore lies in establishing a shared secret between the hosts in their role as communication participants.

The key information is exchanged on the basis of a protocol, such as the Diffie-Hellman protocol.

The key information consists of two components: 1) Secret Value 2) Secret Key

The secret key is used for symmetric or asymmetric encryption and decryption of communication between the hosts.

For this calculation of a common secret value from the key information, either the most commonly used Diffie-Hellman method (Finite Field DH) or a method using elliptic curves (Elliptic Curve DH) can be used.

The protocol is abbreviated to (EC)DHE regardless of the procedure selected.
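The step from exchanged key information to a shared secret value and then a secret key can be traced in code. The following is an added example, not part of the original page: it uses X25519 (RFC 7748) as the elliptic-curve variant and a single HKDF-SHA256 step in place of the full TLS 1.3 key schedule. The function names and the label `example traffic key` are assumptions made for illustration.

```python
import hashlib, hmac, os

P = 2**255 - 19                     # field prime of Curve25519 (RFC 7748)
A24 = 121665                        # ladder constant (486662 - 2) / 4
BASE = (9).to_bytes(32, "little")   # u-coordinate of the standard base point

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Python integers are not constant-time: study only."""
    s = bytearray(k)
    s[0] &= 248; s[31] &= 127; s[31] |= 64            # clamp the private scalar
    n = int.from_bytes(s, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def hkdf(secret: bytes, info: bytes) -> bytes:
    """HKDF-SHA256 (RFC 5869), zero salt, one 32-byte output block."""
    prk = hmac.new(bytes(32), secret, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

def agree(own_private: bytes, peer_public: bytes) -> bytes:
    """Secret value from (EC)DHE, then the secret key derived from it."""
    secret_value = x25519(own_private, peer_public)
    if secret_value == bytes(32):       # RFC 8446 section 7.4.2: abort on all-zero
        raise ValueError("all-zero shared secret, abort handshake")
    return hkdf(secret_value, b"example traffic key")

def demo():
    # Ephemeral private values, fresh for every handshake.
    client_priv, server_priv = os.urandom(32), os.urandom(32)
    # Only these two public values cross the network.
    client_pub, server_pub = x25519(client_priv, BASE), x25519(server_priv, BASE)
    return agree(client_priv, server_pub), agree(server_priv, client_pub)

if __name__ == "__main__":
    k_client, k_server = demo()
    print("keys match:", k_client == k_server)
```

Both sides arrive at the same key without ever transmitting it, and a peer value that forces an all-zero result is rejected instead of being turned into a key.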

In addition to the pure use of (EC)DHE, TLS 1.3 supports the exchange of key information via pre-shared keys (PSK) and a combination of PSK and (EC)DHE.

Pre-shared keys establish the transport connection

However, both methods require a previously established connection in which both hosts share a pre-shared key for a connection used later. The advantage of using a PSK is that the client can already send application data encrypted with the PSK with the first packet. This results in a 0-RTT handshake, which reduces the latency at the start of the connection to a minimum.

The secret key is used to encrypt and decrypt communication between the hosts.

Asymmetric and symmetric methods for cryptographic encryption

Such an authentic key exchange can be carried out using asymmetric methods such as RSA or Diffie-Hellman.

Symmetric methods such as AES or HMAC, on the other hand, are preferable because these cryptographic methods correspond to a significantly higher protection class, but they also require correspondingly higher computing effort during decryption.

According to Kerckhoffs's principle for cryptography, the encryption mechanisms used should be communicated openly, which of course includes the TLS certificate used.

Packet information in TLS data exchange

To initiate a connection to the server, the client sends a packet with the following content:

  • Randomly generated nonce (random)
  • List of supported symmetric ciphers and hash algorithms (cipher_suites)
  • Legacy data fields so that the TLS 1.3 handshake appears like a TLS 1.2 handshake (legacy_version, legacy_session_id, legacy_compression_methods)
  • Individually defined TLS extensions
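The fields listed above can be read back out of the bytes of a ClientHello. The parser below is an added example, not part of the original page: it follows the ClientHello layout in RFC 8446 section 4.1.2, and the sample message is constructed by hand (the `Reader` class, `parse_client_hello` and `build_sample` are names chosen for illustration).

```python
CIPHERS = {0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
           0x1303: "TLS_CHACHA20_POLY1305_SHA256"}
EXTENSIONS = {0: "server_name", 10: "supported_groups", 13: "signature_algorithms",
              43: "supported_versions", 51: "key_share"}

class Reader:
    """Bounds-checked cursor, so a lying length field cannot read past the buffer."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0
    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def vector(self, width: int) -> bytes:
        """Length-prefixed field; the length is `width` bytes, big-endian."""
        return self.take(int.from_bytes(self.take(width), "big"))

def parse_client_hello(body: bytes) -> dict:
    r = Reader(body)
    hello = {"legacy_version": r.take(2).hex(), "random": r.take(32).hex(),
             "legacy_session_id": r.vector(1).hex()}
    suites = r.vector(2)
    if len(suites) % 2:
        raise ValueError("odd cipher_suites length")
    pairs = [int.from_bytes(suites[i:i + 2], "big") for i in range(0, len(suites), 2)]
    hello["cipher_suites"] = [CIPHERS.get(p, hex(p)) for p in pairs]
    hello["legacy_compression_methods"] = list(r.vector(1))
    ext, hello["extensions"] = Reader(r.vector(2)), {}
    while ext.pos < len(ext.data):
        ext_type = int.from_bytes(ext.take(2), "big")
        hello["extensions"][EXTENSIONS.get(ext_type, ext_type)] = ext.vector(2)
    # legacy_version is frozen at 0x0303; the real offer is in supported_versions,
    # a one-byte list length followed by two-byte versions (0x0304 = TLS 1.3).
    sv = hello["extensions"].get("supported_versions", b"")
    hello["offers_tls13"] = b"\x03\x04" in [sv[i:i + 2] for i in range(1, len(sv), 2)]
    return hello

def build_sample() -> bytes:
    """Constructed ClientHello body (no record or handshake header), not a capture."""
    exts = (b"\x00\x2b\x00\x03\x02\x03\x04"           # supported_versions: TLS 1.3
            b"\x00\x0a\x00\x04\x00\x02\x00\x1d")       # supported_groups: x25519
    return (b"\x03\x03" + bytes(range(32)) + b"\x20" + bytes(32)   # version, random, session id
            + b"\x00\x04\x13\x01\x13\x03" + b"\x01\x00"            # cipher suites, compression
            + len(exts).to_bytes(2, "big") + exts)

if __name__ == "__main__":
    print(parse_client_hello(build_sample()))
```

When reviewing captured traffic, the `legacy_version` field alone always reads as TLS 1.2, so the `supported_versions` extension is the field to check for what the client actually offers.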

Record Protocol

The handshake process must be successfully completed before the record protocol can start the actual data transfer in the further course of communication. This means that the server is authenticated to the client using the handshake protocol and the traffic keys are available on both hosts. Now the actual data transfer between client and server can begin.

What is the record protocol used for?

Data to be transmitted can be received from any side and is divided into so-called records.

Each record is encrypted and sent to the addressed communication participant.
When a host receives TLS data, it is verified, decrypted, reassembled and transferred to the application layer above.
