Explain the TLS handshake

Rinki Singh · 2026-02-09T17:09:42Z

1. Client Hello The client (your browser or app) starts the conversation. It sends: The TLS version it supports (e.g., TLS 1.3) A list of supported ciphers (AES, ChaCha20, etc.) A random number (used later for key generation) (TLS 1.3) Optional extensions like supported groups (DH or ECDH), SNI (server name) 2. Server Hello The server responds: Chooses the TLS version and cipher suite from the client’s list Sends its own random number (TLS 1.3) Picks a key exchange group (like Curve25519) 3. Server Certificate The server sends its digital certificate: Proves the server’s identity Contains its public key Signed by a trusted Certificate Authority (CA) Optional: Server may request the client’s certificate (for mutual authentication) 4. Key Exchange / Pre-Master Secret Here’s where the magic happens: the client and server agree on a shared secret. TLS 1.3 (ECDHE key exchange): Server sends its ECDHE public value. Client generates its ECDHE private/public pair, combines it with the server’s public value, and computes the shared secret. Both now have the same secret key, without sending it over the network. TLS 1.2 is similar but may use RSA key exchange, where the client encrypts the pre-master secret with the server’s public key. 5. Derive Session Keys Both sides use the shared secret plus the random numbers exchanged earlier to generate: Encryption keys (for confidentiality) MAC keys (for integrity/authentication) This ensures: The same keys on both sides Keys are unique for this session Even if someone intercepted the handshake, they cannot compute the keys 6. Client Finished The client sends a Finished message: Encrypted using the new session keys Includes a hash of all handshake messages so far 7. Server Finished The server responds with its Finished message, similarly encrypted. At this point: Both sides have verified each other Both sides are using the same session keys Handshake is complete 8. Secure Communication Begins All further messages are now encrypted and authenticated. This includes: HTTP requests/responses (HTTPS) API calls, emails, etc.

Networking & Security

Last Post by Rinki Singh 6 hours ago

1 Posts

1 Users

0 Reactions

10 Views

RSS

Rinki Singh

(@rinki)

Posts: 78

Trusted Member

Topic starter

1. Client Hello

The client (your browser or app) starts the conversation.
It sends:
- The TLS version it supports (e.g., TLS 1.3)
- A list of supported ciphers (AES, ChaCha20, etc.)
- A random number (used later for key generation)
- (TLS 1.3) Optional extensions like supported groups (DH or ECDH), SNI (server name)

2. Server Hello

The server responds:
- Chooses the TLS version and cipher suite from the client’s list
- Sends its own random number
- (TLS 1.3) Picks a key exchange group (like Curve25519)

3. Server Certificate

The server sends its digital certificate:
- Proves the server’s identity
- Contains its public key
- Signed by a trusted Certificate Authority (CA)
Optional: Server may request the client’s certificate (for mutual authentication)

4. Key Exchange / Pre-Master Secret

Here’s where the magic happens: the client and server agree on a shared secret.

TLS 1.3 (ECDHE key exchange):

Server sends its ECDHE public value.
Client generates its ECDHE private/public pair, combines it with the server’s public value, and computes the shared secret.
Both now have the same secret key, without sending it over the network.

TLS 1.2 is similar but may use RSA key exchange, where the client encrypts the pre-master secret with the server’s public key.

5. Derive Session Keys

Both sides use the shared secret plus the random numbers exchanged earlier to generate:
- Encryption keys (for confidentiality)
- MAC keys (for integrity/authentication)
This ensures:
- The same keys on both sides
- Keys are unique for this session
- Even if someone intercepted the handshake, they cannot compute the keys

6. Client Finished

The client sends a Finished message:
- Encrypted using the new session keys
- Includes a hash of all handshake messages so far

7. Server Finished

The server responds with its Finished message, similarly encrypted.
At this point:
- Both sides have verified each other
- Both sides are using the same session keys
- Handshake is complete

8. Secure Communication Begins

All further messages are now encrypted and authenticated.
This includes:
- HTTP requests/responses (HTTPS)
- API calls, emails, etc.

This topic was modified 6 hours ago by Rinki Singh

Posted : 09/02/2026 10:39 pm

Forum Jump:

Previous Topic

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed