Transport Layer Security (TLS) is an encryption protocol that is used for data transmission on the Internet. The protocol describes a general standard that can be implemented in specific environments. Transport Layer Security is one of the most widely used encryption protocols. In addition to transporting data between a browser and a web server, as is the case with HTTPS, TLS is also used for sending emails, FTP and VPN connections, as well as instant messaging and voice over IP. TLS is used primarily in areas where sensitive data is concerned, such as online banking, customer data storage, passwords, and digital communications. The goal is to ensure secure transmission of the data and the highest degree of integrity for the communicating parties.
The development of TLS went hand in hand with the development of the Internet. It was introduced in the mid-1990s along with the Netscape Browser, SSL 1.0. In 1999, SSL was then renamed to TLS 1.0 and further improved. In the course of time, various RFCs (request for comments) were proposed by the IETF as standards. Since January 2016, this has been the case for TLS 1.3, which is in the developmental phase. The current valid standard is TLS 1.2. It took 14 years to get from SSL to TLS 1.2, which is why TLS should be considered one of the safest network protocols ever.
TLS and the obsolete protocol SSL are often considered to be the same thing and incorrectly used synonymously. TLS was derived from SSL, but it is considered an independent and, above all, more recent encryption protocol. Because TLS also includes authentication, key generation, newer encryption algorithms, as well as different cipher suites, it is often used for data transmission in networks nowadays. TLS is also relatively easy to use on protocols without security mechanisms. TLS is additionally extensible and backward compatible, so that both newer encryption algorithms and obsolete network protocols can be supported.
Every data transmission is handled by TLS schematically as communication between sender and receiver, for example, between client and server. The TLS protocol is used at a specific point in the information technology architecture, which is also referred to as the OSI model or the TCP/IP reference model. TLS operates in the transport layer, where data streams of digital communication are managed. This layer is part of the transport system, which is separated from the application layer and thus separated from the user. This means that users don’t have to worry about the characteristics of the system that is used for the data transmission, and can also use the system without network knowledge.
The transport layer allows for end-to-end encryption, whereby the application layer is always an implementation of the superior TLS standard protocol. HTTPS is, for example, an application of TLS. The same applies to POP3S, SMTPS and IMAPS, all of which enable secure email transmission. For other applications, such as chats, VPN connections or FTP data transfer, there are correspondingly adapted protocols that make TLS applicable in practice. TLS is a basic concept that can have many different applications or instances.
In general, TLS has three objectives, regardless of its practical use:
The Transport Layer Security encryption protocol consists of two basic components, each of which is intended to meet specific objectives. The first part relates to the actual transmission of data; the second part includes mechanisms for authenticating the communicating parties before a data transmission takes place. It is only when the client and server have mutually verified their trustworthiness that the first bits of data are transmitted in encrypted format over the transport layer.
The purpose of the TLS record protocol is secure data transmission. This is achieved by encryption algorithms such as the Advanced Encryption Standard (AES). Symmetric encryption is used to encrypt the data to be transmitted, and the key is exchanged between sender and receiver via a separate protocol. Each key is valid only for one connection, and only the communicating parties who have the key can access that data.
To check whether data streams have been manipulated, a message authentication code (MAC) is sent. This code is checked by means of a cryptographic hash function and can only be verified by senders and recipients who have the key. In this way, they ensure that the data actually comes from a source that has the key and that it has not been subsequently manipulated or falsified.
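The MAC check described above, as an added example that is not part of the original article: it follows the TLS 1.2 record MAC layout (sequence number, content type, version, length, payload) with HMAC-SHA256 and leaves out the encryption step. The `Endpoint` class, the sample payloads and the random key are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

APPLICATION_DATA = 23   # TLS record content type for application data
TLS_1_2 = (3, 3)        # protocol version bytes of TLS 1.2

def record_mac(mac_key, seq_num, content_type, fragment):
    """HMAC-SHA256 over sequence number, record header fields and payload."""
    header = struct.pack("!QBBBH", seq_num, content_type, *TLS_1_2, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

class Endpoint:
    """One direction of a connection: holds the MAC key and a record counter."""
    def __init__(self, mac_key):
        self.key, self.seq = mac_key, 0

    def protect(self, fragment):
        tag = record_mac(self.key, self.seq, APPLICATION_DATA, fragment)
        self.seq += 1
        return fragment, tag

    def verify(self, fragment, tag):
        expected = record_mac(self.key, self.seq, APPLICATION_DATA, fragment)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False   # a TLS stack aborts here with a bad_record_mac alert
        self.seq += 1
        return True

def demo():
    key = os.urandom(32)   # constructed; stands in for the key from the handshake
    sender, receiver = Endpoint(key), Endpoint(key)
    first = sender.protect(b"transfer 10 EUR to account A")
    second = sender.protect(b"logout")
    return {
        "tampered": receiver.verify(b"transfer 90 EUR to account A", first[1]),
        "wrong_key": Endpoint(os.urandom(32)).verify(*first),
        "genuine": receiver.verify(*first),
        "replayed": receiver.verify(*first),   # counter has moved on, so it fails
        "in_order": receiver.verify(*second),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:10} accepted={accepted}")
```

Because the sequence number is part of the MAC input, a record that is replayed or delivered out of order fails verification even though its payload and tag are unchanged.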
Key exchange is a crucial issue of any encryption. Transport Layer Security solves this by using a kind of handshake between transmitter and receiver for the connection setup. This handshake regulates the key handover on the one hand. On the other hand, it is responsible for the authentication of the communication participants using asymmetric encryption methods and a public key infrastructure, which distributes and checks the certificates. Which keys are used is also negotiated via the handshake. The handshake protocol includes three other protocols that specify the keys used, issue error messages, and store application data:
As a hybrid encryption method, TLS has gained enormous importance in Internet security. TLS combines symmetric and asymmetric procedures as well as mechanisms for verifying the authenticity and integrity of data streams and messages. The concept is modular and different encryption options are combined. The cipher suite contains algorithms that meet the most modern encryption standards.
However, the modular structure of Transport Layer Security is at the same time a disadvantage if the procedures are not up-to-date. Flawed implementations are a common problem as well. Users can make mistakes when setting up the encryption protocols, if the infrastructure is complex (for example, virtual hosting, large sites with CDN systems, and service-oriented architectures). For such scenarios, however, collections of protocols and program libraries are offered, which have been adapted for the respective application areas. This is also sometimes referred to as Authenticated Encryption (AE).
Alternatively, it is also possible to use Server Name Indication (SNI) if there are multiple encrypted sites on a server. A version of the Diffie-Hellman algorithm can be used for the key handover to prevent the manipulation of data (Perfect Forward Secrecy).
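A configuration check for the points above (outdated procedures, cipher suite choice, SNI and ephemeral Diffie-Hellman), as an added example that is not part of the original article: it uses Python's standard `ssl` module to build a client context restricted to ephemeral key exchange, audits a suite list, and produces a ClientHello in memory to show where the SNI hostname travels. The hostname `shop.example.test` and the `LEGACY_SUITES` list are constructed placeholders.

```python
import ssl

def hardened_client_context():
    """Client settings: TLS 1.2 or newer, certificate checks, ECDHE + AEAD only."""
    ctx = ssl.create_default_context()              # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuses SSL 3.0, TLS 1.0/1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # OpenSSL cipher string
    return ctx

def lacks_forward_secrecy(suites):
    """Names of suites without an ephemeral (EC)DHE key exchange.

    `suites` has the shape returned by SSLContext.get_ciphers(). TLS 1.3
    suites always use an ephemeral exchange; older ones show it in the name.
    """
    return [s["name"] for s in suites
            if s["protocol"] != "TLSv1.3"
            and not s["name"].startswith(("ECDHE-", "DHE-"))]

def client_hello(ctx, hostname):
    """Start a handshake in memory (no network) and return the first message."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass   # expected: the client is now waiting for the server's reply
    return outgoing.read()

# Constructed sample of a legacy configuration with static-RSA suites mixed in.
LEGACY_SUITES = [
    {"name": "AES128-SHA", "protocol": "SSLv3"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2"},
    {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2"},
    {"name": "DHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2"},
]

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("hardened, no forward secrecy:", lacks_forward_secrecy(ctx.get_ciphers()))
    print("legacy, no forward secrecy:  ", lacks_forward_secrecy(LEGACY_SUITES))
    hello = client_hello(ctx, "shop.example.test")
    print("SNI readable in ClientHello: ", b"shop.example.test" in hello)
```

The last check shows that the SNI hostname is sent unencrypted in the ClientHello, so it tells the server which certificate to present but is also visible to anyone observing the connection setup.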