SSL 3.0/TLS Handshake

When a client connects to an SSL or TLS server, the SSL/TLS Handshake begins. The Handshake establishes the protocols that will be used during the communication, selects the cryptographic algorithms, authenticates the parties, and uses public key cryptography to create a master secret, from which encryption and authentication keys are derived.

The master secret for the session is created by the server using a premaster secret sent from the client.

The master secret is used to generate four more secrets (keys):

  • An encryption key used for sending data from the client to the server.

  • An encryption key used for sending data from the server to the client.

  • An authentication key used for sending data from the client to the server.

  • An authentication key used for sending data from the server to the client.

Sequence of Events

The Handshake is performed by a complex exchange between the client and the server. Optional items are indicated in brackets:

  1. The client opens a connection and sends the ClientHello.

  2. The server sends a ServerHello.

  3. [The server sends its certificate.]

  4. [The server sends a ServerKeyExchange.]

  5. [The server sends a CertificateRequest.]

  6. The server sends a ServerHelloDone (TLS only).

  7. [The client sends its certificate.]

  8. The client sends a ClientKeyExchange.

  9. [The client sends a CertificateVerify.]

  10. The client and server both send ChangeCipherSpec messages.

  11. The client and server both send Finished messages.

  12. Application data flows.

With the exception of the secrets that are encrypted ...
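The key derivation described above (premaster secret and the two Hello randoms in, master secret out, then the four per-direction keys), as an added example that is not part of the book's text. It implements the TLS 1.0/1.1 PRF from RFC 2246; the premaster secret and randoms are constructed sample values, and the key sizes assume an AES-128-CBC suite with HMAC-SHA1.

```python
import hmac

# Constructed sample values (not from the page): a 48-byte RSA premaster secret
# (2-byte version + 46 random bytes) and the 32-byte randoms from steps 1 and 2.
PREMASTER = b"\x03\x01" + bytes(range(46))
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

def p_hash(hash_name, secret, seed, length):
    """RFC 2246 P_hash: A(0)=seed, A(i)=HMAC(secret, A(i-1));
    output is HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def tls10_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5 over the first half of the secret XORed with
    P_SHA1 over the second half (halves share a byte if the length is odd)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))

def master_secret(premaster, client_random, server_random):
    """48-byte master secret; client and server compute it from the same inputs."""
    return tls10_prf(premaster, b"master secret", client_random + server_random, 48)

def session_keys(master, client_random, server_random, mac_len, key_len, iv_len):
    """Expand the master secret into the key block and split it into the four
    keys (plus two CBC IVs). Randoms are concatenated server-first in this step."""
    total = 2 * (mac_len + key_len + iv_len)
    block = tls10_prf(master, b"key expansion", server_random + client_random, total)
    layout = [("client_write_mac", mac_len), ("server_write_mac", mac_len),
              ("client_write_key", key_len), ("server_write_key", key_len),
              ("client_write_iv", iv_len), ("server_write_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys

if __name__ == "__main__":
    # AES_128_CBC_SHA: 20-byte HMAC-SHA1 keys, 16-byte AES keys, 16-byte IVs
    ms = master_secret(PREMASTER, CLIENT_RANDOM, SERVER_RANDOM)
    for name, value in session_keys(ms, CLIENT_RANDOM, SERVER_RANDOM, 20, 16, 16).items():
        print(f"{name:17s} {value.hex()}")
```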
