If you're seeing this message, it means we're having trouble loading external resources on our website.

If you're behind a web filter, please make sure that the domains *.kastatic.org and *.kasandbox.org are unblocked.

Main content

Transport Layer Security (TLS)

AP.CSP:
CSN‑1 (EU)
,
CSN‑1.B (LO)
Computers send packets of data around the Internet. These packets are like letters in an envelope: an onlooker can easily read the data inside them. If that data is public information like a news article, that's not a big deal. But if that data is a password, credit card number, or confidential email, then it's risky to let just anyone see that data.
The Transport Layer Security (TLS) protocol adds a layer of security on top of the TCP/IP transport protocols. TLS uses both symmetric encryption and public key encryption for securely sending private data, and adds additional security features, such as authentication and message tampering detection.
TLS adds more steps to the process of sending data with TCP/IP, so it increases
latency
in Internet communications. However, the security benefits are often worth the extra latency.
(Note that TLS superseded an older protocol called SSL, so the terms TLS and SSL are often used interchangeably.)

From start to finish

Let's step through the process of securely sending data with TLS from one computer to another. We'll call the sending computer the client and the receiving computer the server.

TCP handshake

Since TLS is built on top of TCP/IP, the client must first complete the 3-way TCP handshake with the server.
Diagram of two computers with arrows between. Computer on right is a server labeled with the IP address for khanacademy.org. A single arrow goes from laptop to server with a box above it that contains "ClientHello, ProtocolVersion: TLS 1.3, CipherSuites: TLS_RSA_WITH_RC4_128_SHA".
  • Arrow goes from laptop to server with "SYN" label.
  • Arrow goes from server to laptop with "ACK SYN" label.
  • Arrow goes from laptop to server with "ACK" label.

TLS initiation

The client must notify the server that it desires a TLS connection instead of the standard insecure connection, so it sends along a message describing which TLS protocol version and encryption techniques it'd like to use.
Diagram of two computers with arrows between. Computer on the left is a laptop showing a login screen for khanacademy.org. Computer on right is a server labeled with the IP address for khanacademy.org. A single arrow goes from laptop to server with a box above it that contains "ClientHello, ProtocolVersion: TLS 1.3, CipherSuites: TLS_RSA_WITH_RC4_128_SHA".

Server confirmation of protocol

If the server doesn't support the client's requested technologies, it will abort the connection. That may happen if a modern client is trying to communicate with an older server.
As long as the server does support the requested TLS protocol version and other options, it will respond with a confirmation, plus a digital certificate that contains its public key.
Diagram of two computers with arrows between. Computer on the left is a laptop showing a login screen for khanacademy.org. Computer on right is a server labeled with the IP address for khanacademy.org. A single arrow goes from server to laptop with box above that says "ServerHello, ProtocolVersion: TLS 1.3, CipherSuite: TLS_RSA_WITH_RC4_128_SHA, Certificate, ServerHelloDone".

Certificate verification

The server's digital certificate is the server's way of saying "Yes, I really am who you think I am". If the client doesn't believe the certificate is legit, it will abort the connection, since it doesn't want to send private data to an imposter.
Otherwise, if the client can verify the certificate, it continues on to the next step.
Client verification diagram. A laptop has a thought bubble coming out from it that says "Certificate = khanacademy.org?".

Shared key generation

The client now knows the public key of the server, so it can theoretically use public key encryption to encrypt data that the server can then decrypt with its corresponding private key.
However, public key encryption takes much more time than symmetric encryption due to the more difficult arithmetic operations involved. When possible, computers prefer to use symmetric encryption to save time.
Fortunately, they can! The computers can first use public key encryption to privately generate a shared key, and then they can use symmetric encryption with that key in future messages.
The client starts off that process by sending a message to the server with a pre-master key, encrypted with the server's public key. The client computes the shared key based on that pre-master key (as that is more secure than sending along the actual shared key) and remembers the shared key locally.
The client also sends a "Finished" message whose contents are encrypted with the shared key.
Diagram of two computers with arrows between. Computer on the left is a laptop showing a login screen for khanacademy.org. Computer on right is a server labeled with the IP address for khanacademy.org. A single arrow goes from laptop to server with box above that says "ClientKeyExchange (PreMasterSecret: c3ac534fd919a0e92b966795e), ChangeCipherSpec, Finished (21c124d28a548559f0f8abd4b)".

Server confirmation of shared key

The server can now compute the shared key based on the pre-master key, and attempt to decrypt the "Finished" message with that key. If it fails, it aborts the connection.
As long as the server can successfully decrypt the client's message with the shared key, it sends along a confirmation and its own "Finished" message with encrypted contents.
Diagram of two computers with arrows between. Computer on the left is a laptop showing a login screen for khanacademy.org. Computer on right is a server labeled with the IP address for khanacademy.org. A single arrow goes from server to laptop with box above that says "ChangeCipherSpec, Finished (c49fe482d338760807c3c278f)".

Send secure data

Finally, the client securely sends the private data to the server, using symmetric encryption and the shared key.
Diagram of two computers with arrows between. Computer on the left is a laptop showing a login screen for khanacademy.org. Computer on right is a server labeled with the IP address for khanacademy.org. A single arrow goes from laptop to server with box above that has a string of encrypted data.
Oftentimes, the same client needs to send data to a server multiple times, like when a user fills out forms on multiple pages of a website. In that case, the computers can use an abbreviated process to establish the secure session.
Check your understanding
As you've seen, both computers must go through many steps to set up secure communication with TLS.
Complete the list of steps below:
  1. Client and server complete TCP handshake
  2. Client sends data encrypted with shared key

TLS everywhere

TLS is used for many forms of secure communication on the Internet, such as secure email sending and secure file upload. However, it's most well known for its use in secure website browsing (HTTPS).
TLS provides a secure layer on top of TCP/IP, thanks to its use of both public key and symmetric encryption, and is increasingly necessary to secure the private data flying across the Internet.

🙋🏽🙋🏻‍♀️🙋🏿‍♂️Do you have any questions about this topic? We'd love to answer—just ask in the questions area below!

Want to join the conversation?

  • starky tree style avatar for user ro11
    i dont understand the pre-master key and shared key, "first use public key encryption to privately generate a shared keys"

    then the next paragraph, "client computes the shared key based on that pre-master key"

    so the shared key comes from public key or pre-master key?
    and where does pre-master key come from?
    (6 votes)
    Default Khan Academy avatar avatar for user
    • blobby green style avatar for user Abhishek Shah
      The shared key for symmetric key encryption is computed from the pre-master key. The client generates the pre-master secret, has access to it, and encrypts it with the server's public key before sending it to the server.
      The server gets access to the pre-master key by decrypting the message. Now, since the server and client both have access to the pre-master secret, they both compute the same shared symmetric key for the next step.

      The below link has more detail if interested.

      Hope that helps!
      (6 votes)
  • blobby green style avatar for user Sienna Hsu
    What's the use of the server sending its own "Finished" message with contents encrypted with the shared key? Is it to let the client know that the server understands the encryption technique?
    (2 votes)
    Default Khan Academy avatar avatar for user
  • purple pi teal style avatar for user Yogesh Sheoran
    Please make a video explanation on this article.
    (3 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user Martha Dutton
    Who has access to the key?
    (2 votes)
    Default Khan Academy avatar avatar for user
  • blobby green style avatar for user mcenturffa2027
    Did Justin Jacob Hunt win at castleberry?
    (0 votes)
    Default Khan Academy avatar avatar for user
  • male robot hal style avatar for user Minh Khoi Le
    So the process as I understand is
    1. The server creates a public and private keys and send the public key to the client.
    2. The client creates a pre-master key and encrypted it using the public key.
    3. The client creates a shared key and encrypted using the pre-master key.
    4. The client sends both the encrypted pre-master key and shared key to the server.
    5. Now the server uses the private key to decrypt and get the pre-master key and then uses the pre-master key to decrypt and get the shared key.
    6. The server and client communicate with each other using shared key.
    Is my understanding correct?
    If so then after step 5 the private key, public key and pre-master key are pretty much useless right? Because the client and server use the shared key and don't need the other keys anymore.
    (0 votes)
    Default Khan Academy avatar avatar for user
    • blobby green style avatar for user urbanbodypiercing4real
      Wrong, the transmission starts with the client, always. Because in this reference whoever initiates the connection is the client as stated. Also I’m not sure that servers support the function of being able to just reach out to your ip w/o being commanded to by a person, as that would be considered AI, very advanced AI more along the lines of a BOT that has been taught to comb through a list of IP addresses (you) and initiate a communication, therefore now making it the client to whichever server it finds itself needing to communicate with and (here is where we initiate the process we discussed above).
      (1 vote)