SSL was originally developed to add security to HTTP. Over time, SSL was replaced with a more efficient and more secure protocol, called TLS. TLS handshakes are the basis of how HTTP creates a secure communication session. A TLS handshake occurs between the two participating entities—the client and the server. This process is shown in the following diagram:
A TLS handshake establishes a secure connection between the participating nodes. The following are the steps that are involved in this process:
- The client sends a client hello message to the server. The message also contains the following:
- The version of TLS that is used
- The list of cipher suites supported by the client
- A compression algorithm
- A random byte string, identified by byte_client
- The server sends a server hello message back to the client. The message also contains the following:
- A cipher suite selected by the server from the list provided by the client
- A session ID
- A random byte string, identified by byte_server
- A server digital certificate, identified by cert_server, containing the public key of the server
- If the server requires a digital certificate for client authentication or a client certificate request, the client server request also includes the following:
- The distinguished names of the acceptable CAs
- The types of certificates supported
- The client verifies cert_server.
- The client generates a random byte string, identified by byte_client2, and encrypts it with the public key of the server provided through cert_server.
- The client generates a random byte string and identifies encrypts with its own private key.
- The server verifies the client certificate.
- The client sends a finished message to the server, which is encrypted with a secret key.
- To acknowledge this from the server side, the server sends a finished message to the client, which is encrypted with a secret key.
- The server and client have now established a secure channel. They can now exchange messages that are symmetrically encrypted with the shared secret key. The entire methodology is shown as follows:
Now, let's discuss how we can use asymmetric encryption to create Public Key Infrastructure (PKI), which is created to meet one or more security goals for an organization.