The TLS Handshake is a 4 steps, fairly complex process. It takes place after the TCP Handshake and assumes TCP is being used at the Transport Layer.
Client Server ClientHello |\ | Protocol version | \ | Cipher Suites | \ | | \ | | \ | | \ | | \| ServerHello | /| Protocol version | / | Cipher Suites | / | Certificates | / | ServerHelloDone | / | | / | ClientKeyExchange |/ | (Pre-master secret) |\ | ChangeCipherSpec | \ | Finished | \ | | \ | | \ | | \ | | \| ChangeCipherSpec | | Finished | | | |
After the TCP
ACK, TLS Handshake sends a
ClientHellomessage. This message contains the maximum version of TLS protocol and Cipher Suites that the client is able to use.
ClientHelloand responds with a
ServerHellowhich sets the protocol version and Cipher Suites (amongst other things). It also sends its certificate (including its public key) and a
ServerHelloDoneto indicate the end of this step of the handshake.
Client receives the
ServerHelloDonemarker and initiates the key exchange process. It starts with a newly generated pre-master secret encrypted with the server’s public key which the client sends to the server using the
ClientKeyExchangemessage. Both then use this pre-master secret to generate the same symmetric key. The client finally sends a
Finishedflags to indicate it is ready to respectively starts communicating with the symmetric key and indicates the TLS Handshake is over.
- The server sends the two same message and flag to indicate acknowledgment.
After the four steps, the client and server can finally begin to communicate securely using the symmetric key.