What Is a TLS Handshake & How Does It Work?

What Is a TLS Handshake & How Does It Work blog banner image

TLS (transport layer security) is the secure communication protocol used by much of the internet. Everything from the encrypted connection your web browser uses to connect to websites, to the secure connections used by your banking apps, TLS is the industry standard, and the reason you’re able to confidently transfer sensitive information online.

This guide breaks down what a TLS handshake is, how it works, and its significance in network security and ensuring your communications are private and that they are not intercepted or tampered with.

What is a TLS handshake?

TLS encryption is the standard cryptographic protocol used to secure network communications, including the data you send over the internet.

Before encrypted communication can occur, trust must be established between the two communicating parties (for example, the web server hosting a website and your web browser accessing it).

That’s what the TLS handshake does; it establishes a secure channel between the client and server by communicating which TLS versions and cipher suites are supported by both, authenticating the identity of the server using its public key and SSL certificate, and finally generating session keys that will be used to uniquely encrypt the connection.

TLS vs. SSL

TLS is the successor to SSL (Secure Sockets Layer), replacing it as the encryption protocol underpinning HTTPS (the secure HTTP protocol that delivers webpages to your browser and data to your apps). TLS is also used by other software that requires secure network communications, such as VPN solutions.

Cryptographic elements involved

TLS encryption relies on several cryptographic elements/concepts:

  • The cipher suite: The cipher suite is the algorithm used to secure a TLS encrypted connection. Each suite contains a key exchange algorithm, bulk encryption algorithm, and a MAC (message authentication code) algorithm.
  • Symmetric encryption: A single cryptographic key is used to secure the connection by both the server and client. Both parties must know what the key is, and no third party should know/be able to guess it, or the security of the connection is compromised.
  • Asymmetric encryption: Also known as public key encryption, in this encryption method the server and client use separate private and public keys to encrypt data and secure the connection. The private key is required to decrypt data encrypted by the public key.
  • Authentication: To connect securely to a server (and not an impersonator), it needs to be able to prove its identity beyond a doubt by authenticating.

TLS versions and compatibility

TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 in 2008, and the latest TLS version 1.3 was released in 2018. Each release included significant improvements to security, including additional cipher suites and protection against new attacks.

Most servers support both TLS 1.3 and TLS 1.2 for backwards compatibility with older clients.

Step-by-step process of a TLS handshake

TLS 1.3 greatly streamlines and enhances the security of the handshake process over previous versions. Here’s the process used to secure a TLS 1.3 connection in detail:

  • Client hello: The client sends a “hello” message to the server to initiate the TLS handshake and connection. This includes the TLS versions, cipher suites, key share method, and extensions it supports. It also includes the “client random” which is random data that will be used to generate the master secret. In many cases, the premaster secret parameters can also be generated when the client can guess which key share method the server will use (often the case due to the reduced number of cipher suites supported by TLS 1.3), reducing the number of round-trips required for the client and the server.
  • Master secret: The server selects a TLS version, cipher suite, and key share that is compatible with the client and generates its “server random”. Once the client and server have the client random, premaster secret, and server random, they can independently generate the same master secret.
  • Server hello and asymmetric communication: The server responds to the client hello by sending the selected TLS version, cipher suite and the server SSL/TLS certificate containing its public key and certificate authority (CA). The client can verify the server’s identity with the CA.
  • Session key generation: The client and server generate matching session keys from the master secret.
  • “Finished” messages and symmetric communication: The client and server exchange “finished” messages containing the symmetric session key and a hash of the handshake process that has taken place to ensure that it has not been interfered with. The TLS handshake is completed once the “finished” messages have been decrypted and validated by both parties.

Once the TLS handshake has been completed, the connection can be used to securely transmit data using the symmetric session keys.

Troubleshooting TLS handshake issues

The most common cause of TLS handshake issues is the time being set incorrectly on the server or client (an easy fix). Out-of -date CAs on the client are also a potential cause if your operating system hasn’t been updated in a while.

On the server side, TLS connections will fail if there are no mutually supported TLS versions or cipher suites, or if the SSL/TLS certificate has been revoked by the CA, expired, or if the hostname of the server doesn’t match the one on the certificate.

If you have network connectivity issues or are connecting to a slow server, TLS handshakes may fail if they time out due to latency.

Secure communication protocols aren’t completely safe

TLS underpins the network security of pretty much everything happening online at the moment. However, just because it can securely transmit data (after the all important TLS handshake), doesn’t mean what it securely transmits isn’t harmful.

Just because you have a secure connection to a website doesn’t mean that it can’t host a virus, so you should stick to downloading software from reputable websites (or even better, official app stores), and if you’re running a business, protect and secure your infrastructure with robust endpoint management.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and backup all their devices centrally, remotely, and at scale.

You might also like

Ready to simplify the hardest parts of IT?
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).