TLS 1.2 and TLS 1.3 Handshake Walkthrough

The ultimate goal of the TLS handshake is safely exchanging the master secret for future secure communication.

TLS 1.2 Handshake

It takes 4 steps to complete the handshake before sending the first encrypted request from a browser:

  1. Client Hello
  2. Server Hello
  3. Client key exchange and generate the master secret
  4. Finished

Step 1 — Client Hello

The handshake starts with the Client Hello message from the browser. The message includes:

  • a 28-byte random number (Client Random), and
  • a list of cipher suites.

Step 2 — Server Hello

After receiving Client Hello, the server starts preparing Server Hello.

  • It saves the Client Random and puts it aside.
  • It generates another 28-byte random number (Server Random).
  • It picks a preferred cipher suite from the list. TLS recommends using ECDHE (Ephemeral Elliptic-curve Diffie–Hellman) as the key exchange algorithm. An example of suggested cipher suites is TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
  • It adds a server certificate to prove its identity.
  • Since ECDHE is selected, it adds the key exchange algorithm params to the message. These are required for the next step.
  • A signature, encrypted by the server’s private key, is attached to the param list for additional identity verification.

Step 3 — Client key exchange and generate the master secret

  • Also, it verifies the signature in the key exchange algorithm params.
  • If all goes well, the browser creates a public key and adds it to the key exchange algorithm params. It is mandatory for the next step.

Step 4 — Finished

TLS 1.3 Handshake

TLS 1.2 came out in 2008 and is getting old.

Extensions

To stay compatible with the previous version, TLS 1.3 puts its new parameters in extensions. A TLS 1.2 implementation simply ignores them.

Handshake Protocol: Client Hello
Version: TLS 1.2 (0x0303)
Extension: supported_versions (len=11)
Supported Versions length: 10
Supported Version: TLS 1.3 (0x0304)
Supported Version: TLS 1.2 (0x0303)
Supported Version: TLS 1.1 (0x0302)
Supported Version: TLS 1.0 (0x0301)
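
The following Python code is an added example, not part of the original article. It parses a ClientHello body, reads the supported_versions extension shown above, and compares what a server that reads the extension would negotiate with what a server that ignores it would. The function names and the sample bytes are assumptions made for this example; the sample is constructed and includes an assumed GREASE value as its fifth version entry.

```python
import struct

VERSIONS = {0x0304: "TLS 1.3", 0x0303: "TLS 1.2", 0x0302: "TLS 1.1", 0x0301: "TLS 1.0"}
EXT_SUPPORTED_VERSIONS = 43  # extension type 0x002b (RFC 8446)

def is_grease(value):
    # RFC 8701 reserved values (0x0a0a, 0x1a1a, ...) that some clients mix into lists.
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def parse_client_hello(body):
    """Parse a ClientHello body (the bytes after the 4-byte handshake header)."""
    try:
        (legacy_version,) = struct.unpack_from("!H", body, 0)
        pos = 2 + 32                                      # skip the 32-byte Random field
        pos += 1 + body[pos]                              # skip the session id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # skip the cipher suites
        pos += 1 + body[pos]                              # skip the compression methods
        exts = body[pos + 2:]                             # empty when no extensions are sent
        if pos != len(body) and len(exts) != struct.unpack_from("!H", body, pos)[0]:
            raise ValueError("extensions length does not match the message")
        offered, pos = [], 0
        while pos < len(exts):
            ext_type, ext_len = struct.unpack_from("!HH", exts, pos)
            data = exts[pos + 4:pos + 4 + ext_len]
            if len(data) != ext_len:
                raise ValueError("extension runs past the end of the block")
            pos += 4 + ext_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                listed = struct.unpack_from(f"!{data[0] // 2}H", data, 1)
                offered = [v for v in listed if not is_grease(v)]
    except (struct.error, IndexError) as exc:
        raise ValueError(f"malformed ClientHello: {exc}") from exc
    return {"legacy_version": legacy_version, "supported_versions": offered}

def negotiate(hello, server_versions, reads_extension=True):
    """Version a server would pick; a server that ignores the extension uses the legacy field."""
    if reads_extension and hello["supported_versions"]:
        common = [v for v in hello["supported_versions"] if v in server_versions]
    else:
        common = [v for v in server_versions if v <= hello["legacy_version"]]
    return VERSIONS[max(common)] if common else None

# Constructed sample (not a real capture): legacy version 0x0303, zeroed Random,
# two cipher suites, and a supported_versions extension with len=11 / list length 10.
SAMPLE_EXT = struct.pack("!HHB5H", 43, 11, 10, 0x7A7A, 0x0304, 0x0303, 0x0302, 0x0301)
SAMPLE = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"
          + struct.pack("!HHH", 4, 0x1301, 0x1302) + b"\x01\x00"
          + struct.pack("!H", len(SAMPLE_EXT)) + SAMPLE_EXT)
```

For monitoring, the point is that the Version field alone always reads TLS 1.2 for such a client; the versions actually offered are only visible in the extension.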

Safer Communication

In the last decade, developers have noticed quite a few vulnerabilities in encryption algorithms. Some of them are deprecated in TLS 1.3, including:

  • RC4 and DES symmetric-key encryption algorithms, and the ECB and CBC modes
  • MD5, SHA-1, and SHA-224 digest algorithms

The cipher suites that TLS 1.3 supports include:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256

Better Performance

Thanks to the shortened list of cipher suites, a browser can now put everything a server needs in one message with the extensions. We don’t need the step for Client Key Exchange anymore.

Handshake Protocol: Client Hello
Version: TLS 1.2 (0x0303)
Random: d06068b9b0a6a451949f02b55683dfcceecf95d49cbd4e9e273f8f3f453462ea
Cipher Suites (27 suites)
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302)
Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303)
...
Extension: supported_groups (len=12)
Supported Groups (5 groups)
Supported Group: x25519 (0x001d)
Supported Group: secp256r1 (0x0017)
Supported Group: secp384r1 (0x0018)
Supported Group: secp521r1 (0x0019)
Extension: key_share (len=107)
Key Share extension
Client Key Share Length: 41
Key Share Entry: Group: x25519, Key Exchange length: 32
...
Extension: supported_versions (len=11)
Supported Versions length: 10
Supported Version: TLS 1.3 (0x0304)
Supported Version: TLS 1.2 (0x0303)
Supported Version: TLS 1.1 (0x0302)
Supported Version: TLS 1.0 (0x0301)

  • key_share is for the client's public key params.
  • signature_algorithms is for the signature algorithm.

Handshake Protocol: Server Hello
Version: TLS 1.2 (0x0303)
Random: b0a37492143def6d4959205dfe6fd620d93baa7ba89e1593e8cb60d6497537d4
...
Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301)
...
Extension: supported_versions (len=2)
Supported Version: TLS 1.3 (0x0304)
Extension: key_share (len=36)
Key Share extension
Key Share Entry: Group: x25519, Key Exchange length: 32
Group: x25519 (29)
Key Exchange: 105aaf79c1f424cdc9352723a4dea7db65568a229c091d3fd8a700da883bd15e

  • Key Share has the selected named curve and key exchange params.
  • Server Key Share
  • Client Random
  • Server Random
  • generates the same master secret, and
  • sends its Change Cipher Spec and Finished message.
