TLS 1.2 and Earlier Versions

This section shows most versions of TLS in deployment at the time of writing. Since TLS 1.3 involves several significant cryptographic changes, it is discussed separately.

TLS essentially consists of two cryptographic protocols:

• Handshake Protocol: This protocol performs all the tasks requiring agreement between the two entities before setting up the secure TLS channel. In particular, this protocol can be used to:

  • Agree on the cipher suite to be used to establish the secure channel.

  • Establish entity authentication.

  • Establish the keys needed to secure the channel.

• Record Protocol: This protocol implements the secure channel. This includes:

  • Formatting the data (for example, breaking it up into blocks).

  • Computing MACs on the data.

  • Encrypting the data.

Handshake protocol description

We will now describe the Handshake Protocol. We will describe a simple version of this protocol, which is only designed to provide unilateral entity authentication of the server to the client. That is the most common mode of use of the protocol, although we later indicate how mutual entity authentication can be added. Our description is simplified because we primarily want to indicate cryptography in this protocol. Note that the names we use for the protocol messages are not the same as the ‘official’ TLS message names. The message flow of the simplified Handshake Protocol is indicated in the illustration below.