How TLS security works

TLS is based on the SSL protocol. TLS uses the initial handshake protocol for establishing client/server authentication and encryption. For detailed information on TLS, see the description of The TLS Protocol Version 1.0.

The TLS protocol uses public-key and symmetric-key cryptographic technology. Public-key cryptography uses a pair of keys: a public key and a private key. Information encrypted with one key can be decrypted only with the other key. For example, information encrypted with the public key can be decrypted only with the private key. Each server's public key is published, and the private key is kept secret. To send a secure message to the server, the client encrypts the message by using the server's public key. When the server receives the message, it decrypts the message with its private key.

Symmetric-key cryptography uses the same key to encrypt and decrypt messages. The client randomly generates a symmetric key to be used for encrypting all session data. The key is then encrypted with the server's public key and sent to the server.

TLS provides three basic security services:

Message privacy
Achieved through a combination of public-key and symmetric-key encryption. All traffic between a client and a server is encrypted using a key and an encryption algorithm negotiated during session setup.
Message integrity
Ensures that session traffic does not change en route to its final destination. TLS uses a combination of public/private keys and hash functions to ensure message integrity.
Mutual authentication
Exchange of identification through public-key certificates. The client and server identities are encoded in public-key certificates, which contain the following components:
  • Subject's distinguished name
  • Issuer's distinguished name
  • Subject's public key
  • Issuer's signature
  • Validity period
  • Serial number
Tip: You can also use secure HTTP (HTTPS) to ensure that a client's security information is not compromised as it is downloaded from a server.
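The key exchange and the privacy and integrity services described above can be traced end to end in a short sketch. This is an added example, not code from the original page and not the TLS wire format: the toy RSA key pair, the SHA-256 keystream standing in for the negotiated cipher, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy server key pair: unpadded RSA over two small Mersenne
# primes. Far too weak for real use; it only makes the flow visible.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                            # public modulus (published with E)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (kept secret)

def client_wrap_key(session_key: bytes) -> int:
    """Client side: encrypt the 16-byte session key with the public key."""
    return pow(int.from_bytes(session_key, "big"), E, N)

def server_unwrap_key(wrapped: int) -> bytes:
    """Server side: recover the session key with the private key."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def _subkey(session_key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and for the integrity check.
    return hashlib.sha256(label + session_key).digest()

def _keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode), an assumption of this demo.
    prefix = enc_key + seq.to_bytes(8, "big")
    blocks = (length + 31) // 32
    stream = b"".join(hashlib.sha256(prefix + i.to_bytes(4, "big")).digest()
                      for i in range(blocks))
    return stream[:length]

def _tag(session_key: bytes, seq: int, ct: bytes) -> bytes:
    # Keyed hash over the record sequence number and the ciphertext.
    mac_key = _subkey(session_key, b"mac")
    return hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def protect(session_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt one record and append its HMAC-SHA256 tag."""
    ks = _keystream(_subkey(session_key, b"enc"), seq, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    return ct + _tag(session_key, seq, ct)

def unprotect(session_key: bytes, seq: int, record: bytes) -> bytes:
    """Verify the tag first; decrypt only if the record is unmodified."""
    ct, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, _tag(session_key, seq, ct)):
        raise ValueError("record failed integrity check")
    ks = _keystream(_subkey(session_key, b"enc"), seq, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

if __name__ == "__main__":
    key = secrets.token_bytes(16)    # client picks a random session key
    assert server_unwrap_key(client_wrap_key(key)) == key
    print(unprotect(key, 0, protect(key, 0, b"constructed sample message")))
```

A record altered in transit, or replayed under a different sequence number, fails the tag comparison and is rejected before any decryption takes place.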