Transport Layer Security

The client initiates the connection by sending the message ClientHellomessage, which contains:

• the supported version of the TLS protocol

• list of supported cipher suites

• random byte string (client random)

• optional extensions such as SNI (Server Name Indication)

The purpose of this message is to start negotiating security parameters with the server.

([Microsoft Learn][1])

The server responds with the message ServerHellomessage which contains:([Wikipedia][2])

• the selected TLS protocol version

• the selected cipher suite

• random sequence of bytes (server random)

• optional extensions

This message confirms the selection of common security parameters for the session.

The server sends its X.509 certificate containing the public key. The client uses this certificate to:([catchpoint.com][3])

• verify the identity of the server

• obtain the public key for encrypting the premaster secret([ManageEngine][4])

Depending on the selected cipher suite, the server can send a message ServerKeyExchangemessage that contains:([Wikipedia][2])

• additional key exchange parameters (e.g. for DHE or ECDHE)([Wikipedia][2]).

• the digital signature of these parameters

The client verifies the signature to ensure that the parameters come from an authorised server.

([Taro][5])

The server sends a message ServerHelloDonemessage, signalling the end of its part of the negotiation. The client can now continue with the handshake process.

The client generates a premaster secret and sends it to the server in a message ClientKeyExchange. Depending on the key exchange method:([ManageEngine][4])

• for RSA: the premaster secret is encrypted with the server's public key([Cloudflare][6])

• for DHE/ECDHE: the client sends its key exchange parameters([Taro][5])

Both parties use the premaster secret and random values to compute the shared master secret.([Wikipedia][2])

([Fortinet Docs][7])

The client sends a message ChangeCipherSpec, informing the server that from this point onwards all messages will be encrypted using the agreed parameters.([takethenotes.com][8])

([Fortinet Docs][7])

The client sends a message Finishedmessage, which is the first encrypted message in the session. It contains a digest of all previous handshake messages, allowing the server to verify the integrity and authenticity of the negotiation.

After receiving and verifying the message Finishedmessage, the server also sends its ChangeCipherSpec i Finishedmessage, completing the handshake process.

From this point onwards, the communication between client and server is encrypted and secure.

sources:

1. https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-handshake-protocol?utm_source=chatgpt.com „TLS Handshake Protocol - Win32 apps | Microsoft Learn”
2. https://en.wikipedia.org/wiki/Transport_Layer_Security?utm_source=chatgpt.com „Transport Layer Security - Wikipedia”
3. https://www.catchpoint.com/blog/wireshark-tls-handshake?utm_source=chatgpt.com „Dissecting TLS Using Wireshark”
4. https://www.manageengine.com/key-manager/information-center/what-is-ssl-tls-handshake.html?utm_source=chatgpt.com „What is SSL/TLS handshake? | TLS/SSL handshake protocol - ManageEngine Key Manager Plus”
5. https://www.jointaro.com/interview-insights/google/describe-ssl-key-exchange-in-tls/?utm_source=chatgpt.com „Describe SSL key exchange in TLS Interview Question for Google”.
6. https://www.cloudflare.com/pl-pl/learning/ssl/what-happens-in-a-tls-handshake/?utm_source=chatgpt.com „What happens in a TLS handshake? | SSL handshake | Cloudflare”
7. https://docs.fortinet.com/document/fortimail/7.2.2/administration-guide/887607/how-tls-ssl-works?utm_source=chatgpt.com „How TLS/SSL works | FortiMail 7.2.2 | Fortinet Document Library”
8. https://takethenotes.com/ssl-tls/?utm_source=chatgpt.com „SSL/TLS - Unlocking The Secrets Of Secure Communication | Take The Notes”
9. https://www.rfc-editor.org/rfc/rfc5246?utm_source=chatgpt.com „RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2”
10. https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/?utm_source=chatgpt.com „What happens in a TLS handshake? | SSL handshake | Cloudflare”