
Transport Layer Security


aliases:

  • TLS

An authentication and encryption service for the TCP/IP stack. It was developed from the now-obsolete SSL, and the two terms are still used interchangeably.

TLS is used at several layers of the OSI model, including the application, transport, and session layers. It's also used with:

  • HTTP(s)

  • DNS

  • NTP

  • FTP

  • the mail server trio - POP3, SMTP and IMAP

  • LDAP

TLS is also sometimes used over UDP, where it is called Datagram TLS (DTLS), mostly for VPN solutions.

Implementation

TLS servers are configured with a digital certificate issued by a trusted Certificate Authority (CA). When a client attempts to connect to a service, a TLS handshake is performed, during which the server hands over its certificate to the client. The certificate lets the client check the server's identity, ensuring that the server really is who it claims to be. The certificate also contains the server's public key.

If authentication succeeds for the client, the server and client use the server's public key from the digital certificate, along with a chosen cryptographic cipher suite, to proceed with the TLS handshake.

Even if a malicious actor were to sit between the client and the server and obtain the public key, the communications could not be decrypted, because that would require the server's private key, which is never shared as part of the TLS handshake.

Perfect Forward Secrecy (PFS)

PFS is a mechanism that enables the communications to remain encrypted even if the server's private key were to be compromised.

  • Note: The current version is TLS v1.3. During the TLS handshake, the client and the server agree on which version of TLS to use. Most servers are configured to accept only v1.3 or v1.2, since previous versions contain serious security vulnerabilities.
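
The certificate check, the v1.2/v1.3 version floor and the PFS requirement described above can all be enforced from the client side. The following is an added example, not part of the original notes, using Python's standard `ssl` module; the function names and the `ECDHE+AESGCM:ECDHE+CHACHA20` cipher string are choices made for this illustration.

```python
import socket
import ssl

def hardened_client_context() -> ssl.SSLContext:
    """Client context: CA-validated certificate, TLS 1.2+, ephemeral key exchange only."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    # TLS 1.2 suites are limited to ECDHE. TLS 1.3 suites are not affected by
    # this string and always use an ephemeral (EC)DHE exchange.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def is_forward_secret(cipher: dict) -> bool:
    """Classify one entry of SSLContext.get_ciphers() by its key exchange."""
    if cipher["protocol"] == "TLSv1.3":
        return True
    # OpenSSL names for TLS 1.2 suites start with the key exchange method;
    # names without this prefix (e.g. AES128-GCM-SHA256) use static RSA.
    return cipher["name"].startswith(("ECDHE-", "DHE-"))

def non_pfs_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites whose session keys depend on the long-term key."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c)]

def describe_connection(host: str, port: int = 443) -> dict:
    """Handshake with host (needs network); a bad certificate raises ssl.SSLError."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return {
                "version": tls.version(),
                "cipher": name,
                "forward_secret": is_forward_secret({"name": name, "protocol": protocol}),
            }

if __name__ == "__main__":
    # Offline audit: compare the library default with the hardened context.
    print("default, non-PFS suites: ", non_pfs_ciphers(ssl.create_default_context()))
    print("hardened, non-PFS suites:", non_pfs_ciphers(hardened_client_context()))
```

`describe_connection` is the only part that needs a network connection; the audit functions run offline against whatever OpenSSL build Python is linked to.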