The phrase transport layer security (TLS) describes a mechanism for securely communicating between two parties that might have no prior knowledge of each other. TLS is the successor to secure sockets layer (SSL), and the two terms are often used interchangeably, even though such usage might not technically be correct.
TLS provides security in the form of the following main components:
- Certificate trust is about reassuring a connection-initiating client that it is communicating with the server to which it intended to connect. To ensure that the server shares the same degree of confidence in the identity and legitimacy of the client, it can ask the client to present its own certificate chain. For more information, see XREF to earlier section about Certificate Trust.
Cipher selection involves choosing the cipher and the key to protect the bulk of the communication. Although a client can use a server certificate's public key to encrypt data before sending it, this approach can lead to the following issues:
- Unless the client presents its own certificate chain to the server, the server cannot encrypt the data that it sends back to the client.
- Public key encryption is considerably slower than symmetric encryption, in which the same key is used for both encryption and decryption. Public key encryption is also called asymmetric encryption because different keys are used to encrypt and decrypt data.
- If you rely entirely on the security of a private key to ensure the secrecy of a communication, and if the private key becomes compromised, data that has been encrypted with the private key must also be considered compromised.
Rather than rely solely on public key encryption to protect communication between a client and server, the TLS negotiation process allows a client and server to agree on the type of encryption and the secret key that they will use after completing the negotiation process.