TLS describes a mechanism for securely communicating between two parties that might have no prior knowledge of each other.
TLS is the successor to SSL, and the two terms are often used interchangeably, even though such usage might not technically be correct.
SSL remains the more widely recognized term. The abbreviation TLS occasionally generates confusion with the StartTLS extended operation, particularly in LDAP.
TLS provides security in the form of the following main components:
- Certificate trust
- Is about reassuring a connection-initiating client that it is communicating with the server to which it intended to connect. To ensure that the server shares the same degree of confidence in the identity and legitimacy of the client, it can ask the client to present its own certificate chain. For more information, see Certificate Trust.
- Cipher selection
- Involves choosing the cipher and the key to protect the bulk of the
communication. Although a client can use a server certificate's public key to
encrypt data before sending it, this approach can lead to the following
issues:
- Unless the client presents its own certificate chain to the server, the server cannot encrypt the data that it sends back to the client.
- Public key encryption is considerably slower than symmetric encryption, in which the same key is used for both encryption and decryption. Public key encryption is also called asymmetric encryption because different keys are used to encrypt and decrypt data.
- If you rely entirely on the security of a private key to ensure the secrecy of a communication, and if the private key becomes compromised, data that has been encrypted with the private key must also be considered compromised.
Rather than relying solely on public key encryption to protect communication between a client and server, the TLS negotiation process allows a client and server to agree on the type of encryption and the secret key to use after completing the negotiation process.