Entity Authentication – TLS Cryptography In-Depth

Handshake protocol – Transport Layer Security at a Glance

6.6.1 Handshake protocol

As in the earlier versions, the TLS handshake protocol allows Alice and Bob to agree on shared secret keys and corresponding symmetric cipher algorithms for establishing a secure channel. It supports three types of key exchange:

• Establishment of shared secret keys using the Diffie-Hellman key agreement protocol over finite fields, referred to as DHE in the TLS protocol specification, or elliptic curves, referred to as ECDHE. The last letter E in the acronyms stands for ephemeral, meaning that the public-key parameters are dynamically generated for each new session. TLS version 1.3 does not support the use of static, that is, long-term, public keys for key exchange.
• Use of a pre-shared symmetric key (PSK) that was previously distributed out of band, that is, not over the communication channel, that is to be protected using TLS, or established in a previous TLS session between Alice and Bob.
• Use of a pre-shared secret key in combination with DHE or ECDHE. In this case, the PSK is used to authenticate the DHE or ECDHE public keys.

The TLS handshake is performed when the client and the server communicate for the first time. In the remainder of this book, Alice will play the role of the server and Bob will play the role of the client. We also follow the notation of TLS messages and extensions used in RFC 8446 to make it easier for the reader to consult RFC 8446 for details alongside this book.

Using the handshake protocol, the client Bob and the server Alice agree upon the protocol version and the specific cryptographic algorithms to be used, perform a unilateral (the server proves its identity to the client) or mutual (both the server and the client prove their identity to each other) authentication, and exchange shared secret keys.

After a successful execution of the handshake, Alice and Bob can transmit data over a secure channel that guarantees confidentiality, integrity, and authenticity. If the handshake fails, Alive and Bob terminate their connection.

The TLS 1.3 handshake protocol consists of three phases. In the key exchange phase, Alice and Bob establish the shared keys and agree upon the cryptographic algorithms and primitives they are going to use for their TLS session. Bob, the client, sends the ClientHello message containing a random nonce, the versions of the TLS protocol that Bob supports, a list of symmetric ciphers and KDFs that Bob is able to compute, and either Diffie-Hellman key shares, PSK labels, or both. Optionally, Bob can send further information using additional TLS extensions, but we will not go into the details here.

Next, in the server parameters phase, additional handshake settings such as whether client authentication is performed are agreed upon. Alice, the server, processes Bob’s ClientHello message to identify suitable cryptographic settings for the TLS session and responds with the corresponding ServerHello message.

The TLS 1.3 handshake protocol consists of three phases.

1. In the key exchange phase, Alice and Bob establish the shared keys and agree upon the cryptographic algorithms and primitives they are going to use for their TLS session. Bob, the client, sends the ClientHello message containing a random nonce, the versions of the TLS protocol that Bob supports, a list of symmetric ciphers and KDFs that Bob is able to compute, and either Diffie-Hellman key shares, PSK labels, or both. Optionally, Bob can send further information using additional TLS extensions, but we will not go into the details here.
2. Next, in the server parameters phase, additional handshake settings such as whether client authentication is performed are agreed upon. Alice, the server, processes Bob’s ClientHello message to identify suitable cryptographic settings for the TLS session and responds with the corresponding ServerHello message.