All About Transport Layer Security (TLS)
Posted on December 13th, 2016
Transport Layer Security (TLS) is a method for encrypting network communications. TLS is the successor to Secure Socket Layer(SSL). TLS allows a client to verify the identity of the server and can allow the server to verify the identity of the client. TLS is based around the concepts of certificates. A certificate has multiple parts: a public key, server identity and signature from a certificate authority. The corresponding private key is never made public. Any data encrypted with the private key can only be decrypted with the public key and vice versa.
During the initial handshake, when setting up the encrypted connection, the client and server agree on a set of encryption ciphers supported by both the server and the client, and they exchange bits of random data. The client uses this random data to generate a session key. This key will be used for a faster symmetric encryption, where the same key is used for both encryption and decryption. To make sure that this key is not compromised, it is sent to the server encrypted with the server’s public key.
TLS Handshake Process
1) The client initiates a connection to the server with a ClientHello message. As part of this message, the client sends a 32-byte random number including a timestamp and a list of encryption protocols and ciphers supported by the client.
2) The server responds with a ServerHello message, containing another 32-byte random number with a timestamp, and the encryption protocol and ciphers the client should use. The server also sends the server certificates, which consists of a public key, general server identity information like the FQDN, and a signature from a trusted certificate authority (CA). This certificate can also include the public certificates for all certificate authority that have signed the certificate up to a root CA.
3) The client verifies the server certificate by checking if the supplied identity information matches, and by verifying all signature, checking if they are made by a CA trusted by the client. If the certificate verifies, the client creates a session key using the random numbers previously exchanged. The client then encrypts this session key using the public key from the server certificate, and sends it to the server using a ClientKeyExchange message.
4) The server decrypts the session key, and the client and server both start encrypting and decrypting all data sent over the connection using the session key.
Benefits of TLS
TLS works with most Web browsers, including Microsoft Internet Explorer and Netscape Navigator, and on most operating systems and Web servers, including the Microsoft Windows operating system, UNIX, etc. It is often integrated in news readers, LDAP servers, and a variety of other applications.
2) Strong authentication, message privacy, and integrity
TLS can help to secure transmitted data using encryption. TLS also authenticates servers and, optionally, authenticates clients to prove the identities of parties engaged in secure communication. It also provides data integrity through an integrity check value. In addition to protecting against data disclosure, the TLS security protocol can be used to help protect against masquerade attacks, man-in-the-middle or bucket brigade attacks, rollback attacks, and replay attacks.
3) Algorithm flexibility
TLS provides options for the authentication mechanisms, encryption algorithms, and hashing algorithms that are used during the secure session.
4) Ease of use
If you implement TLS beneath the application layer, most of its operations are completely invisible to the client. This allows the client to have no knowledge of the security of communications and still be protected from attackers.
5) Ease of deployment
Many applications use TLS transparently on a Windows Server 2003 operating system. You can use TLS for more secure browsing when you are using Internet Explorer and Internet Information Services (IIS).
Limitations of TLS
TLS also have some limitations. They are listed below:
1) Administrative overhead
A TLS environment is complex and requires maintenance; the system administrator must configure the system and manage certificates.
2) Increased processor load
The most significant limitation to implementing TLS is the increased process load. Public key operations are CPU-intensive. As a result, performance varies when you are using SSL. Unfortunately, there is no way to know how much performance you will lose. The performance varies, depending on how often connections are established and how long they last. TLS uses the greatest resources while it is setting up connections.
If you need any further assistance please contact our support department.