官术网_书友最值得收藏!

How does TLS work?

TLS is an encryption protocol that works on top of TCP and sometimes UDP as well. Because it sits on top of the transport layer, it allows protocols higher in the chain to remain unchanged, such as HTTP, for example.

The protocol hides the actual data being sent across the wire. Attackers can only see what port, domain, and IP address are connected with it. They could also track how much data is being transferred.

Once the TCP connection is established, the TLS handshake is started by the client (through the browser or another user agent client application). The client starts the TLS conversation by asking a series of questions:

  • Which version of SSL/TLS is it running?
  • What cipher suites does it want to use?
  • What compression methods does it want to use?

The client chooses the highest level of the TLS protocol supported by both the client and server. The compression method is also selected.

Once the initial TLS connection is established, the client requests the server's certificate. The certificate must be trusted by the client or an authority party that the client trusts. Examples of certificate authorities are Network Solutions, GeoTrust, Let's Encrypt, and Amazon.

After the certificate is verified, an encryption key is exchanged. The key depends on the cipher that is chosen. Once the key is exchanged, the client and server are able to perform symmetric encryption.

The client tells the server that all future communications are to be encrypted:

The client and server perform a final verification in which the client's MAC address is verified by the server. The server receives an initial authentication message from the client that is decrypted and sent back to the client for verification.

Encryption keys are generated uniquely for each connection, and are based on the authentication message. Assuming the handshake completes successfully, the client and the server can now communicate securely.

Secure TLS connections between the client and server have at least one of the following properties:

  • As symmetric cryptography is used to encrypt the transmitted data, it is the reason why the connection is secure. The negotiation of a shared secret is both secure and reliable ( the negotiated secret is unavailable to eavesdroppers and no attacker can modify the communications during the negotiation without being detected).
  • Public-key cryptography is used to authenticate the identity of the communicating parties. The authentication procedure could be made optional, but typically it is required for the server.
  • To prevent the undetected loss or alteration of the data during transmission, each transmitted message includes message integrity check using a message authentication code
主站蜘蛛池模板: 江北区| 云霄县| 化德县| 明溪县| 蒙自县| 鄂托克旗| 会东县| 满城县| 永春县| 安仁县| 仙桃市| 石河子市| 通辽市| 武义县| 蒙山县| 盐源县| 蕲春县| 息烽县| 光山县| 清丰县| 平江县| 梅河口市| 富阳市| 通化市| 黑山县| 翁源县| 望江县| 娄烦县| 黑水县| 台山市| 微博| 共和县| 布拖县| 淮安市| 秦皇岛市| 左云县| 申扎县| 内黄县| 满城县| 安庆市| 佳木斯市|