TLS
Transport Layer Security (TLS) is a cryptography protocol created to protect network communications. It is widely used to protect against data breaches and DDos attacks by web applications such as email, instant messaging, Internet browsers, and voice over IP (VoIP) services. TLS is a foundational component of HTTPS, the universal secure protocol of the web.
TLS replaced the Secure Sockets Layer (SSL) protocol, the original encryption protocol developed for HTTP code. TLS provides enhanced security over SSL via encryption authentication processes. However, the SSL protocol has been in use since 1994, and the acronym is still commonly used to refer to TLS.
TLS-protected HTTPS has become an industry standard. Today's browsers prefer HTTPS sites over HTTP and will typically warn users when they land on unencrypted HTTP pages. In fact, HTTP pages will not even load on certain browsers.
End users are now also more aware of the HTTPS padlock icon and expect it to appear before URLs - especially on pages that manage financial transactions or similarly sensitive information.
How TLS Works: The Handshake
The so-called TLS handshake refers to the initial communication between a client and server. Both sides exchange hello messages to acknowledge and verify one another. Once both sides are satisfied with the verification exchange, they communicate back and forth to establish encryption algorithms and session keys.
TLS handshakes occur when a user pulls up a website over an HTTPS connection and the browser queries the website's origin server. TLS handshakes also happen during other HTTPS communications, including API calls and DNS over HTTPS queries.
The overall goals of a TLS handshake include:
- Determining which TLS version to use
- Choosing cipher suites (encryption algorithms)
- Authenticating the server identity through the server's public key and SSL signature
- Generating session keys for symmetric encryption
SSL handshakes work in the same manner but can't achieve the same level of encryption security.
How Does TLS Secure Data?
The TLS handshake consists of a series of specific actions between client and server. Most commonly, the client and server agree to use the RSA key exchange algorithm, which follows these steps:
- The client sends a hello message with information about which TLS version and cipher suites it supports and a string of random bytes, e.g. the "client random."
- The server sends a hello message containing its SSL certificate, cipher suite preference, and the "server random."
- Authentication occurs when the client verifies the server's SSL certificate against the issuing certificate authority.
- The client sends the “premaster secret," a random string of bytes encrypted with a public key, obtained from the SSL certificate, that can only be decrypted on the server side.
- The server decrypts the premaster secret.
- Both sides create session keys from the three sets of random bytes (the client random, server random, and premaster secret).
- The client sends a "finished" message encrypted with a session key.
- The server sends a "finished" message encrypted with a session key.
- The handshake is complete now that secure symmetric encryption has been reached.
- Communication continues using the session keys.
There are other versions of the TSL handshake. For instance, a Diffie-Hellman handshake or “keyless handshake" occurs when a private key isn't used to generate session keys. The Diffie-Hellman handshake uses a different authentication procedure from the RSA handshake, but the overall goal is the same: authentication and establishing secure communications.
How Secure is TLS?
TLS has been upgraded several times since its inception. It is essential to stay updated to the latest version to ensure the best data security and to continue utilizing services that require it. PCI (payment card industry) compliance is of particular importance.
Sites that are not TLS-compliant to the current TLS version may be unable to accept credit card payments. PayPal, Authorize.net, Stripe, UPS, FedEx, and other services have similarly stringent standards. As such, it's best for companies and web developers to upgrade to the latest TSL version sooner rather than later.
Crucially, customer data is at risk when TLS is not upgraded. The Internet Engineering Task Force (IETF) issues new versions of TLS to enhance functionality, decrease latency, and address newfound security vulnerabilities. Although tedious, keeping up with the latest TLS standard is necessary for optimal data security. ArcESB, a secure file transfer platform, incorporates the latest TLS version and is continuously kept up to date with current encryption methods.